Production AI Institute — vendor-neutral certification for AI practitioners
Reference · PSF v1.1 · April 2026

PSF-Compliant Stack Recipes

Pre-validated companion tooling for every major agent framework — mapped to all eight PSF domains. If you're deploying LangGraph, here's the full stack. If you're deploying CrewAI, here's what you need to add. Each recipe identifies the gaps your framework leaves open and the specific tools that close them.

LangChain / LangGraph

Full PSF assessment →

The most complete managed observability ecosystem. Add data protection and security layers.

| Domain | Recommended tool | Implementation note |
| --- | --- | --- |
| D1 · Input Governance | Guardrails AI | Wrap chain input with the detect_prompt_injection validator. For RAG, add contextual isolation in the chain prompt template. |
| D2 · Output Validation | Guardrails AI + Pydantic | Apply output validators in Guardrails AI. Use with_structured_output() for schema-enforced responses. |
| D3 · Data Protection | Microsoft Presidio | Run Presidio on inputs before embedding. Implement chunk-level metadata for vector store deletion. |
| D4 · Observability | LangSmith | Native integration. Configure a trace retention policy. Add custom evaluators for quality scoring. |
| D5 · Deployment Safety | LangServe + standard infra | LangServe provides the serving layer. Add canary routing via your load balancer. Implement circuit breakers with tenacity. |
| D6 · Human Oversight | LangGraph interrupt() nodes | Define interrupt conditions at high-consequence graph edges. Route to a review queue via LangSmith or a custom interface. |
| D7 · Security | HashiCorp Vault / AWS Secrets Manager | Externalise all API keys. Add rate limiting at the LangServe layer. Implement input size limits. |
| D8 · Vendor Resilience | LangChain model abstraction | Use ChatOpenAI, ChatAnthropic, etc. via the standard interface. Version-pin langchain and langchain-openai in requirements.txt. |
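The D2 row above boils down to one rule: parse and schema-check every model response before it reaches callers. A stdlib-only sketch of that rule, assuming nothing beyond the standard library (Guardrails AI and with_structured_output() do this properly in production; the field names below are hypothetical):

```python
import json

# Hypothetical response contract: field name -> required Python type.
REQUIRED_FIELDS = {"answer": str, "confidence": float, "sources": list}

def validate_llm_output(raw: str) -> dict:
    """Parse and schema-check a model response before returning it,
    raising ValueError so the caller can retry or fall back instead of
    propagating malformed output downstream."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"non-JSON model output: {exc}") from exc
    for field, expected in REQUIRED_FIELDS.items():
        if field not in data:
            raise ValueError(f"missing field: {field}")
        if not isinstance(data[field], expected):
            raise ValueError(f"wrong type for {field}: expected {expected.__name__}")
    return data
```

The point of raising rather than patching is that the retry/fallback decision belongs to the chain, not the validator.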

CrewAI

Highest gap count of any framework — needs the most companion tooling. Do not skip D5 or D6.

| Domain | Recommended tool | Implementation note |
| --- | --- | --- |
| D1 · Input Governance | NeMo Guardrails + Presidio | NeMo rails on crew.kickoff() input. Validate each task input before delegation. Presidio on user-provided content. |
| D2 · Output Validation | Guardrails AI | Wrap task outputs in Guardrails validators before passing them to downstream agents or users. |
| D3 · Data Protection | Presidio + explicit data minimisation | PII-scan content before it enters crew context. Minimise what each agent actually needs to see. |
| D4 · Observability | Langfuse (recommended) or LangSmith | Langfuse provides multi-agent distributed tracing. Configure parent-child spans to correlate the full crew execution. |
| D5 · Deployment Safety | Custom deployment + circuit breakers | No native serving layer. Wrap crew.kickoff() in a FastAPI endpoint with circuit breakers, timeouts, and fallback modes. This is the critical gap to close. |
| D6 · Human Oversight | Task-level approval gates (custom) | Do not rely on crew-level oversight alone. Implement approval at the individual task level for any task that takes real-world action. See the D6 guide. |
| D7 · Security | Vault / Secrets Manager + tool scoping | Externalise all credentials. Critically: scope each agent's tools to the minimum required. Avoid assigning all tools to all agents. |
| D8 · Vendor Resilience | CrewAI LLM abstraction | CrewAI supports multiple LLM providers. Abstract behind a config layer so you can switch providers without code changes. |
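The D7 advice above, scoping each agent's tools to the minimum required, is easiest to enforce with a small registry rather than by convention. A framework-agnostic sketch; the roles and tool names are hypothetical:

```python
# All tools the crew could use. Agents never receive this set directly.
ALL_TOOLS = {"web_search", "db_query", "file_write", "send_email"}

# Minimum tool set per role; anything not listed here is denied.
# Note that no role gets send_email here: real-world actions belong
# behind a D6 approval gate, not in a default scope.
AGENT_TOOL_SCOPES = {
    "researcher": {"web_search", "db_query"},
    "writer": {"file_write"},
}

def tools_for(role: str) -> set[str]:
    """Return the minimum tool set for a role; fail loudly on typos."""
    scope = AGENT_TOOL_SCOPES.get(role, set())
    unknown = scope - ALL_TOOLS
    if unknown:
        raise ValueError(f"scope references unknown tools: {unknown}")
    return scope
```

Defaulting unknown roles to the empty set means a misconfigured agent gets no tools, not all of them.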

AutoGen

Best human oversight model. Weakest deployment story — the primary gap to close.

| Domain | Recommended tool | Implementation note |
| --- | --- | --- |
| D1 · Input Governance | Guardrails AI + validate_input() | Override UserProxyAgent.get_human_input() to run validation before messages enter the conversation. |
| D2 · Output Validation | Guardrails AI on AssistantAgent output | Intercept assistant messages via message_transform. Apply output validators before they reach downstream agents. |
| D3 · Data Protection | Presidio on conversation context | Scan conversation history before persistence. Implement per-session data retention policies. |
| D4 · Observability | Langfuse or Arize Phoenix | Neither integrates natively with AutoGen. Use AutoGen callback hooks to emit spans to your observability platform. |
| D5 · Deployment Safety | FastAPI wrapper + Docker + canary routing | Wrap conversation initiation in a FastAPI endpoint. Use Docker for process isolation (mirrors the code execution sandbox pattern). This is the primary gap to close. |
| D6 · Human Oversight | UserProxyAgent (native) | AutoGen's standout strength. Configure human_input_mode appropriately for your autonomy level: 'ALWAYS' for L0-L1; 'TERMINATE' for L2; 'NEVER' only with robust D4 monitoring for L3. |
| D7 · Security | Docker code execution + Vault | Docker isolation is already provided for code execution — extend that isolation model to the conversation process itself. Externalise all API keys. |
| D8 · Vendor Resilience | AutoGen LLM config list | AutoGen supports config_list with multiple providers and automatic fallback. Implement this from the start, not as an afterthought. |
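The D8 row describes ordered provider fallback. Stripped of the AutoGen specifics, the config_list idea reduces to the sketch below; the client callables are hypothetical stand-ins for real provider SDK calls:

```python
def call_with_fallback(prompt, clients):
    """Try each (name, client) pair in order and return the first
    success. Collects every failure so the final error explains the
    whole fallback chain, not just the last provider."""
    errors = []
    for name, client in clients:
        try:
            return name, client(prompt)
        except Exception as exc:
            errors.append((name, repr(exc)))
    raise RuntimeError(f"all providers failed: {errors}")

def flaky_primary(prompt):
    # Stand-in for a provider outage.
    raise TimeoutError("primary provider down")
```

Usage: `call_with_fallback("hello", [("primary", flaky_primary), ("backup", str.upper)])` returns the backup's result after the primary times out.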

Semantic Kernel

Best enterprise foundation. Azure integration provides real D4 and D7 strength. D3 is the gap to close.

| Domain | Recommended tool | Implementation note |
| --- | --- | --- |
| D1 · Input Governance | IFunctionInvocationFilter + Azure Content Safety | Register a kernel filter to validate inputs before function execution. Azure Content Safety handles classification at the Azure layer. |
| D2 · Output Validation | IPromptRenderFilter + schema enforcement | A post-render filter validates structured output. Use kernel.invoke_prompt() with an explicit return type for schema enforcement. |
| D3 · Data Protection | Presidio + Azure Purview | Presidio for runtime PII detection. Azure Purview for data governance lineage in enterprise deployments. This is Semantic Kernel's primary gap to close. |
| D4 · Observability | Azure Application Insights (native) | Native OpenTelemetry. Configure ApplicationInsightsExporter. Set sampling rate and retention policy explicitly. |
| D5 · Deployment Safety | Azure App Service / AKS + deployment slots | Use Azure deployment slots for canary releases. Circuit breakers via Azure API Management, or Polly in .NET. |
| D6 · Human Oversight | Custom review flow + Azure Logic Apps | No native HITL primitive. Use Azure Logic Apps to route high-consequence kernel function calls to human reviewers with a full audit trail. |
| D7 · Security | Entra ID + Azure Key Vault (native) | SK's standout strength. Use managed identities throughout — avoid API key storage. Entra ID for all service-to-service auth. |
| D8 · Vendor Resilience | AI connector abstraction | SK's connector model is designed for this. Maintain OpenAI and Azure OpenAI connectors simultaneously. Version-pin the SK NuGet package. |
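For D5, both Polly and Azure API Management provide the circuit-breaker pattern off the shelf; the mechanics are worth seeing once, though. A minimal Python sketch, with illustrative threshold and cooldown values:

```python
import time

class CircuitBreaker:
    """Minimal circuit-breaker sketch: opens after `threshold`
    consecutive failures and fails fast until `cooldown` seconds pass,
    then allows a single trial call (half-open)."""

    def __init__(self, threshold: int = 3, cooldown: float = 30.0):
        self.threshold = threshold
        self.cooldown = cooldown
        self.failures = 0
        self.opened_at = None

    def call(self, fn, *args):
        if self.opened_at is not None:
            if time.monotonic() - self.opened_at < self.cooldown:
                raise RuntimeError("circuit open: failing fast")
            # Cooldown elapsed: half-open, permit one trial call.
            self.opened_at = None
            self.failures = 0
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = time.monotonic()
            raise
        self.failures = 0
        return result
```

Failing fast while open is the whole point: a struggling model endpoint gets breathing room instead of a retry storm.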

Haystack

Strongest deployment foundation of any Python framework. D3 matters more here because RAG handles PII-containing documents.

| Domain | Recommended tool | Implementation note |
| --- | --- | --- |
| D1 · Input Governance | Custom component + Guardrails AI | Create a PromptInjectionDetector component wrapping Guardrails AI. Insert it as pipeline node 0. Haystack's component model makes this clean. |
| D2 · Output Validation | OutputAdapter + Pydantic schema | Haystack's OutputAdapter with Pydantic schemas provides schema-enforced outputs. Use it for all structured extraction pipelines. |
| D3 · Data Protection | Presidio at ingestion + chunk metadata | Run Presidio before indexing. Store document IDs with every chunk in the vector store for deletion compliance. This is Haystack's primary gap — critical for RAG workloads. |
| D4 · Observability | OpenTelemetry (native) + deepeval | Haystack emits OTEL spans natively. Add deepeval for quality tracking. Route to Langfuse or Arize for the UI layer. |
| D5 · Deployment Safety | Hayhooks (native) | Haystack's standout strength. Hayhooks exposes any pipeline as a production REST API. Add canary routing at the load balancer layer. |
| D6 · Human Oversight | FeedbackNode + custom approval | Haystack has FeedbackNode for feedback collection. For HITL, add a custom HumanApprovalNode that gates pipeline continuation on reviewer action. |
| D7 · Security | Backend auth + environment secrets | Document store auth is delegated to the backend (Pinecone, Weaviate, etc.). Use each backend's native auth. Haystack reads credentials from environment variables — use Vault or equivalent. |
| D8 · Vendor Resilience | Haystack component abstraction | YAML-driven component configuration makes provider swaps clean. Maintain multiple model components and switch via pipeline config, not code changes. |
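The D3 row combines two obligations: redact before indexing, and keep enough chunk metadata to honour deletion requests. A sketch with an in-memory store standing in for a vector database; the regex is a crude stand-in for Presidio's analyzers and must not be used as a real PII detector:

```python
import re

# Crude e-mail pattern, illustrative only; Presidio's recognizers cover
# far more entity types and edge cases.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def index_document(doc_id: str, text: str, store: dict) -> list[dict]:
    """Redact PII before chunking, and tag every chunk with its source
    doc_id so a deletion request can find all derived chunks."""
    redacted = EMAIL.sub("<EMAIL>", text)
    chunks = [redacted[i:i + 200] for i in range(0, len(redacted), 200)]
    records = [{"doc_id": doc_id, "chunk": c} for c in chunks]
    store[doc_id] = records
    return records

def delete_document(doc_id: str, store: dict) -> int:
    """Honour a right-to-erasure request: drop every chunk derived
    from the document and report how many were removed."""
    return len(store.pop(doc_id, []))
```

Redacting before chunking matters because redacting afterwards can miss PII split across chunk boundaries.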

Related guides

→ Agent framework comparison matrix
→ Observability tools comparison (Langfuse, Arize, Helicone)
→ Guardrails tools comparison
→ Vector database comparison (PSF D3/D4)
From reading to credential

You understand the gaps.
Get the credential that proves it.

The AIDA examination tests applied PSF knowledge across all eight domains — exactly the gaps and strengths covered in this assessment. 15 minutes. No charge. Ever.

Start AIDA — free →
CPAP practitioner credential