On this page
It is 2am and the model is off-script
The demo went perfectly. You typed a question, the model answered like a senior colleague, the room nodded, and the feature shipped. Three weeks later it is 2am and your phone is buzzing. A user pasted a screenshot into your support chat: your friendly assistant has cheerfully recommended a competitor, leaked a chunk of someone else's order history, and signed off with a joke that will not read well on social media. Nothing crashed. No exception was thrown. The system did exactly what it was told, it just should not have been told that.
This is the gap nobody mentions in the demo. Shipping an LLM call is easy. Running an LLM feature, one that stays safe, stays good, and stays debuggable as prompts change and the model drifts under you, is a different discipline. That discipline is LLMOps: the operational practices that turn a clever prompt into software you can sleep through the night with.
Who this is for
Engineers who have a working LLM prototype and now have to make it production-grade. You know how to call an API and write a prompt. You have not yet been paged because the model said something it should not have. This article is the playbook for the layer between "it works on my machine" and "it is safe in front of users."
LLMOps is DevOps for non-deterministic software
LLMOps is the practice of treating prompts, models, and their outputs as production artifacts, versioned, observed, guarded, and continuously evaluated, exactly because the software underneath is non-deterministic.
Here is the mental model. Traditional software is a machine: same input, same output, every time. You test it once and trust it forever. An LLM feature is more like a very capable, very literal new hire who occasionally has a bad day. You cannot unit-test a personality. What you can do is give them a written playbook (a versioned prompt), put a reviewer on the door for anything that goes in and out (guardrails), record every conversation so you can review what happened (tracing), and quietly score a sample of their work each week to catch the day their quality slips (drift monitoring).
If you have done DevOps and observability, you have the instincts. The twist is that your unit of work is probabilistic, so "correct" is a distribution rather than a checkmark, and that changes how you version, test, monitor, and roll back. Everything below is one of those five concerns, translated.
The picture: an LLMOps pipeline
Every production LLM request runs a gauntlet. It is not "user text in, model text out", there is a checkpoint before the model and a checkpoint after it, and everything that happens in between is recorded for later review and scoring.
A request passes an input guardrail, hits a versioned prompt and the model, then an output guardrail before the response. Every hop is traced; a sampled copy feeds the eval loop.
- 1
Request arrives
Raw user input enters the pipeline. Treat it as untrusted, it may contain PII, a prompt injection payload, or something that violates your policy.
- 2
Input guardrail
Before a single token reaches the model: strip or block PII, scan for jailbreak and injection patterns, and reject inputs that fail policy. Fail fast and cheap, before you pay for inference.
- 3
Versioned prompt
The cleaned input is rendered into a prompt template pinned to a specific version (e.g. support-agent@v7). The version is part of the deploy, not a string buried in a function.
- 4
Model call
The composed prompt hits the LLM. This hop is wrapped in a trace span that records model id, prompt version, token counts, latency, and cost.
- 5
Output guardrail
The raw completion is validated before anyone sees it: enforce schema, redact leaked PII, check for policy violations, and refuse or repair if it fails.
- 6
Response + feedback
The safe output returns to the user. A sampled, traced copy flows to the eval loop, where it is scored over time so you can see quality drift before your users do.
Five ops concerns, translated
The fastest way to internalize LLMOps is to map it onto the operations you already run. Same five concerns, versioning, testing, monitoring, rollback, security, with an LLM-shaped answer for each.
| Concern | Traditional ops | LLMOps equivalent |
|---|---|---|
| Versioning | Tagged code releases in Git | Prompts and model ids pinned and versioned per deploy |
| Testing | Deterministic unit and integration tests | Eval suites scoring outputs against a graded dataset |
| Monitoring | Latency, error rate, throughput | Quality scores, refusal rate, token cost, drift over time |
| Rollback | Redeploy the previous build | Re-pin the previous prompt version or model snapshot |
| Security | AuthN/Z, input validation, WAF | Guardrails: PII handling, jailbreak and injection defense, output validation |
Non-determinism breaks the green checkmark
Your eval suite will not return a clean pass/fail like a unit test does. It returns scores on a sample, and those scores have variance. Gate on thresholds and trends ("faithfulness must stay above 0.85, and not drop more than 5 points week over week"), not on exact equality. Read [Evaluating LLM Applications](/blog/evaluating-llm-applications) for how to build the graded dataset and judges this depends on.
Wrapping a call with tracing and a guardrail
Here is the smallest version of the pipeline that is still real: one LLM call, wrapped so that it is traced end to end and so that nothing leaves without passing an output guardrail. Notice the prompt is pinned to a version, the whole call is inside a trace span, and the output is validated before it is returned, a failed check raises rather than silently shipping a bad answer.
import re
import time
import uuid
from prompts import get_prompt # returns (text, version)
from client import call_model # thin wrapper over your provider SDK
from tracing import tracer # OpenTelemetry-style tracer
PII_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b") # naive SSN example
class GuardrailError(Exception):
"""Raised when an output fails validation so it never reaches the user."""
def output_guardrail(text: str) -> str:
# 1. Refuse if the model leaked something it should not have.
if PII_PATTERN.search(text):
raise GuardrailError("output contained PII")
# 2. Enforce a minimum-quality contract (e.g. non-empty, bounded length).
if not text.strip() or len(text) > 4000:
raise GuardrailError("output failed length/format policy")
return text
def answer(user_input: str) -> str:
prompt_text, prompt_version = get_prompt("support-agent")
request_id = str(uuid.uuid4())
with tracer.start_as_current_span("llm.answer") as span:
span.set_attribute("request.id", request_id)
span.set_attribute("prompt.version", prompt_version)
composed = prompt_text.format(question=user_input)
start = time.perf_counter()
result = call_model(composed) # -> {text, model, tokens}
latency_ms = (time.perf_counter() - start) * 1000
# Observability: the data you will wish you had at 2am.
span.set_attribute("model.id", result["model"])
span.set_attribute("model.tokens", result["tokens"])
span.set_attribute("latency.ms", round(latency_ms, 1))
try:
safe = output_guardrail(result["text"])
span.set_attribute("guardrail.passed", True)
return safe
except GuardrailError as exc:
# Do not ship the unsafe output. Fall back, and record why.
span.set_attribute("guardrail.passed", False)
span.set_attribute("guardrail.reason", str(exc))
return "Sorry, I cannot help with that right now."
That fallback at the end is the unglamorous hero of production LLM work. When the guardrail trips, or when the model times out, or the provider returns a 500, you return a safe, boring response and log the reason, instead of leaking the failure to the user. A real system layers fallbacks: retry, then a cheaper backup model, then a canned safe answer. The point is that the user never sees the raw failure, and you always see the trace.
Do not build guardrails entirely from regex
The PII regex above is a teaching stub. In production, combine deterministic checks (schema validation, allowlists, format contracts) with a dedicated classifier or a small judge model for fuzzy concerns like toxicity, jailbreak intent, and topic policy. Cheap deterministic checks first, expensive model-based checks only when needed.
Common mistakes that page you at 2am
- Unversioned prompts. The prompt lives as a string literal in a function, someone tweaks it to fix one edge case, and now you cannot tell which deploy produced last week's bad answers, or roll back to the version that was fine. Pin every prompt to a version and ship the version with the deploy.
- No tracing. When a user reports a bad answer and you have no record of the exact prompt, model, tokens, and output for that request, you are debugging blind. You cannot reproduce what you did not capture. Trace every call.
- No guardrails. Trusting the model to police its own input and output is how PII leaks, prompt injections succeed, and off-policy text reaches users. Validate what goes in and what comes out, assume both are hostile.
- No drift monitoring. Quality does not fail loudly. The model provider silently updates a snapshot, your data distribution shifts, an upstream prompt changes, and your answers get a little worse every week until someone notices on Twitter. Score a sample continuously and alert on the trend.
- Treating eval as a one-time gate. Passing evals before launch tells you nothing about month three. The eval loop has to run continuously on production traffic, not once in CI.
Takeaways
LLMOps in nine lines
- Shipping an LLM call is easy; running an LLM feature safely is a discipline, LLMOps.
- It is DevOps and observability for non-deterministic software: version, test, monitor, roll back, secure.
- Every request runs a gauntlet: input guardrail → versioned prompt → model → output guardrail → response.
- Version prompts and model ids per deploy so you can pin, diff, and roll back.
- Trace every call, prompt version, model id, tokens, latency, cost, or you will debug blind.
- Guardrails validate input and output: PII, jailbreak and injection defense, schema and policy.
- Always have a fallback: retry, backup model, then a safe canned answer. Never leak the failure.
- Gate on thresholds and trends, not exact equality, quality is a distribution, not a checkmark.
- Monitor drift continuously on sampled production traffic; quality fails quietly.
Where to go next
LLMOps stands on two skills you can deepen right now. The guardrails and prompts you version are only as good as the prompts themselves, and the drift you monitor is only measurable if you can score quality at all.
- Build the scoring foundation that drift monitoring and eval gates depend on: Evaluating LLM Applications.
- Write prompts worth versioning in the first place: Prompt Engineering Fundamentals.
- See where this fits in the broader role and what to learn next: the AI Engineer career path.
Start small: pick your one live LLM feature, pin its prompt to a version, wrap the call in a trace, and add a single output guardrail. That is the minimum that lets you debug the next 2am page instead of guessing through it.
Want to go deeper?
This article covers concepts taught hands-on in the Cloud Engineer and DevOps career paths, with real terminal labs, production scenarios, and structured lessons.