Every prompt your application sends is a place personal data can leak — into a provider’s logs, your own traces, or a model’s context it should never have seen. The fix is not to avoid LLMs. It is to put a redaction layer between your data and the model, so the model only ever sees what it strictly needs.
Detect, mask, restore
The core pattern has three steps and a token map that never leaves your perimeter:
- Detect entities (names, emails, card numbers) with a recogniser before the prompt is built.
- Replace each with a stable placeholder token and store the mapping server-side.
- After the model responds, swap placeholders back into the final output for the user.
The model reasons over [PERSON_1] and [EMAIL_1], never the real values — so even your logs and the provider’s logs stay clean while the user still sees a fully personalised reply.

Choosing a recogniser
- Pattern-based: regex for structured data like cards and phone numbers — fast and exact.
- Model-based: a named-entity model for names and addresses that patterns miss.
- Hybrid: both, with the pattern layer as a guaranteed backstop under the model.
Hybrid is the right default for anything regulated. The model catches the messy, free-text cases; the regex layer guarantees the structured ones never slip through even if the model has an off day.
Redaction is not a feature you bolt on at the end. It is the boundary your whole pipeline is built around.
Don’t forget the output
Models can echo or infer sensitive details that were never in the prompt. Scan generated text on the way out as well as on the way in, and keep the token map in a short-lived, access-controlled store — never in the prompt history or a long-lived cache.
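The detect, mask, restore loop and the outbound scan described above, as an added example that is not code from the original article. The Redactor class, its method names, the simplified regexes and the [REDACTED_...] marker are assumptions made for illustration, and only the pattern layer is shown.

```python
import re

# Constructed, simplified patterns: the regex backstop only. A named-entity
# model for names and addresses would feed the same _token_for() call.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("PHONE", re.compile(r"\+?\d[\d ()-]{7,}\d")),
]
TOKEN = re.compile(r"\[[A-Z]+_\d+\]")


class Redactor:
    """Holds the token map for one request; never serialise it into a prompt."""

    def __init__(self):
        self.token_map = {}   # placeholder -> real value
        self._by_value = {}   # real value -> placeholder (keeps tokens stable)
        self._counts = {}

    def _token_for(self, label, value):
        if value not in self._by_value:
            self._counts[label] = self._counts.get(label, 0) + 1
            token = f"[{label}_{self._counts[label]}]"
            self._by_value[value] = token
            self.token_map[token] = value
        return self._by_value[value]

    def mask(self, text):
        """Inbound: replace detected values with stable placeholders."""
        for label, pattern in PATTERNS:
            text = pattern.sub(lambda m, l=label: self._token_for(l, m.group()), text)
        return text

    def scan_output(self, text):
        """Outbound: blank values the model produced itself. No map entry is
        created, so restore() cannot put them back."""
        for label, pattern in PATTERNS:
            text = pattern.sub(f"[REDACTED_{label}]", text)
        return text

    def restore(self, text):
        """Swap known placeholders back; unknown tokens are left as-is."""
        return TOKEN.sub(lambda m: self.token_map.get(m.group(), m.group()), text)

    def finish(self, model_output):
        # Scan while still in placeholder form, then restore. The reverse
        # order would redact the user's own details.
        return self.restore(self.scan_output(model_output))
```

Send only the result of mask() to the model and to your logs, and pass the model's reply through finish() before it reaches the user.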
Pitfalls that cause leaks
- Putting the token map in the prompt itself — it defeats the entire pattern.
- Logging the un-redacted input "just for debugging" — that log is now in scope for compliance.
- Skipping output scanning, so an inferred phone number slips through unredacted.
Get the boundary right once and every feature built on top inherits it. That is the difference between an AI roadmap your security team blocks and one they sign off on.



