Background: Prompts Are the New Sensitive Data Entry Point
When enterprises integrate large language models into customer service, knowledge bases, contract review, insurance consultation, code assistants, or internal operations systems, prompts themselves become a new sensitive data entry point. Users may paste names, phone numbers, ID numbers, addresses, order IDs, medical records, contract clauses, internal system fields, customer profiles, and business approval comments directly into the dialog box. If engineering teams focus only on model accuracy, response latency, and call costs, they can easily overlook a more fundamental issue: who actually sees these prompts and responses when they enter the model, logging system, troubleshooting platform, evaluation dataset, cache layer, and vendor boundary? How long are they stored? Can they be deleted? Will they be reused?
This is why “the vendor promises not to use business data for model training” cannot be equated with “the system has completed data privacy governance”:
- OpenAI’s enterprise privacy documentation states that business data is not used for model training by default. API inputs and outputs may typically be retained for up to 30 days for service provision and abuse identification. Eligible scenarios can apply for Zero Data Retention.
- Azure’s documentation explicitly states that prompts, completions, embeddings, and training data are not provided to other customers or model providers, nor are they used to train generative AI foundation models without permission.
- Google Cloud’s Gemini Enterprise Agent Platform documentation further lists specific scenarios that must be addressed to achieve zero data retention, including prompt logging, grounding, request-response logging, and in-memory caching.
In other words, Prompt Data Privacy is not a matter of simply saying “it won’t be used for training.” It is a production engineering problem centered around data minimization, redaction, retention, access, auditing, and deletion.
Core Principles
1. Treat Prompts as a Data Asset, Not a Temporary String
In traditional web systems, user input typically goes through form validation, access control, log redaction, and database permission systems. However, many LLM applications in early prototypes directly concatenate user input into the prompt and then send it to the model API. This approach is fast in the demo phase but carries high risk in production.
A more reasonable abstraction is to decompose a single model call into several data objects:
| Data Object | Description | Sensitivity |
|---|---|---|
| Raw Prompt | Original user input | Highest |
| Normalized Prompt | Request after templating, formatting, and context assembly | High |
| Sanitized Prompt | Model input after redaction, replacement, trimming, or policy filtering | Medium |
| Model Response | Model output, which may echo or generate sensitive content | Medium-High |
| Audit Metadata | Call metadata (tenant, model, policy version, redaction hit types, etc.) | Low-Medium |
Production systems should strive to minimize the lifecycle of the Raw Prompt. What truly crosses boundaries should be the Sanitized Prompt and Audit Metadata.
2. PII Detection Is Not a Single Regex, but Multi-Layered Recognition
PII detection typically requires combining three types of capabilities:
- Deterministic Rules: Emails, phone numbers, ID numbers, bank cards, URL tokens, API keys, order IDs. Suitable for identification using regex, checksums, prefix/suffix rules, and business field whitelists.
- Named Entity Recognition (NER): Person names, addresses, organization names, place names, medical institutions, license plates, medical record numbers. More effective for natural language but prone to false positives and false negatives.
- Context-Dependent Judgment: The same “John Smith” in “Customer John Smith’s ID number is…” is typically PII, but in “John Smith is a literary figure,” it may not need redaction. The same order ID may be necessary context in a post-sale query but may only need a format placeholder in a general Q&A.
Presidio positions itself as a tool for identifying and anonymizing sensitive entities in text and images, supporting predefined and custom PII recognizers that combine NER, regex, rule logic, checksums, and context. However, it also explicitly warns that automated detection mechanisms cannot guarantee finding all sensitive information and still require other systems and protective measures.
3. Redaction Is Not Just Deletion, but Also Pseudonymization and Reversible Mapping
Many teams initially understand privacy governance as “replace all sensitive fields with [REDACTED].” This is often feasible in logging systems but can break task semantics in model interactions.
For example, a user asks:
Write an SMS for me, notify Li Ming, order A202607031029 has been approved, the bank card ending in 9832 will receive a refund within 3 business days.
If all sensitive fields are crudely deleted, the model will only see:
Write an SMS for me, notify [NAME], order [ORDER_ID] has been approved, the bank card ending in [CARD] will receive a refund within 3 business days.
This approach is suitable for generating templates but not for directly generating the final notification text. A better approach is to choose based on the scenario:
| Strategy | Description | Use Case |
|---|---|---|
| Mask | Retain only the last few digits or partial information, e.g., 138****9021 | Log display, customer service interface |
| Tokenize | Replace with stable placeholders, e.g., PERSON_1, ORDER_1 | Need to maintain entity consistency |
| Surrogate | Replace with fake values of the same type, e.g., fictional names, fictional addresses in the same city | Need to preserve task semantics |
| Encrypt Mapping | Store an encrypted mapping of “placeholder → original value” locally | Need reversible recovery |
| Block | Directly reject or route to an internal model | Keys, passwords, full ID numbers, medical privacy |
A recent paper, SurrogateShield, also discusses that pure placeholder redaction reduces semantic coherence, while type-consistent surrogate substitution can preserve more task semantics without sending real PII to third-party endpoints. This highlights an important engineering direction: privacy protection is not a binary choice between “retain the original text” and “delete everything.”
Engineering Implementation
1. Establish a Prompt Privacy Boundary
A minimally viable architecture can be decomposed as follows:
Client / App → Prompt Intake → PII Detector → Privacy Policy Engine
→ Prompt Transformer → Model Provider → Response Scanner
→ Audit Logger → Retention Worker
The key boundary is Prompt Transformer to Model Provider. Before this boundary, the system can handle the Raw Prompt. After crossing this boundary, only the Sanitized Prompt should be sent.
2. Define Policies, Don’t Hardcode Rules
It is recommended to make privacy policies versioned configurations. Example:
policy_id: prompt-privacy-v1
scope:
tenant: default
app: customer-support-agent
input_rules:
EMAIL_ADDRESS: mask
PHONE_NUMBER: mask
CREDIT_CARD: block
API_KEY: block
PERSON: tokenize
LOCATION: tokenize
ORDER_ID: keep_partial
output_rules:
CREDIT_CARD: block
API_KEY: block
PERSON: allow_if_from_input_mapping
retention:
raw_prompt: none
sanitized_prompt: 7d
response: 7d
audit_metadata: 180d
logging:
store_raw_prompt: false
store_sanitized_prompt: true
store_detector_spans: false
store_entity_types: true
approval:
require_security_review: true
Such configurations should at least record policy_id, version, effective_time, owner, reviewer, and rollback_policy_id. When a problem occurs in production, the team must be able to know which version of the redaction policy was used for a specific model call.
3. Perform Both Pre-Call Interception and Post-Call Review
Input redaction alone is insufficient. Model output can present three types of problems:
- Echoing sensitive fields from user input.
- Bringing sensitive fields from tool results into the response.
- Generating seemingly reasonable but non-disclosable personal or internal information.
Therefore, it is recommended to perform at least two scans:
from typing import Dict, Any
BLOCK_TYPES = {"API_KEY", "CREDIT_CARD", "PASSWORD"}
MASK_TYPES = {"EMAIL_ADDRESS", "PHONE_NUMBER"}
TOKENIZE_TYPES = {"PERSON", "LOCATION", "ORDER_ID"}
def sanitize_prompt(raw_text: str, detector, vault) -> Dict[str, Any]:
findings = detector.analyze(raw_text)
transformed = raw_text
mapping = {}
for item in sorted(findings, key=lambda x: x.start, reverse=True):
value = raw_text[item.start:item.end]
if item.entity_type in BLOCK_TYPES:
raise ValueError(f"Blocked sensitive entity: {item.entity_type}")
if item.entity_type in MASK_TYPES:
replacement = mask_value(value)
elif item.entity_type in TOKENIZE_TYPES:
replacement = vault.create_token(item.entity_type, value)
mapping[replacement] = vault.mapping_id(replacement)
else:
replacement = "[REDACTED]"
transformed = (
transformed[:item.start] + replacement + transformed[item.end:]
)
return {
"sanitized_prompt": transformed,
"entity_types": sorted({x.entity_type for x in findings}),
"mapping_ids": mapping,
}
def scan_response(response_text: str, detector) -> str:
findings = detector.analyze(response_text)
for item in findings:
if item.entity_type in BLOCK_TYPES:
raise ValueError("Model response contains blocked sensitive data")
return response_text
This code is meant to illustrate the structure and does not represent a production-ready solution for all PII scenarios. A production implementation must also handle multi-language support, business dictionaries, overlapping entities, false positives, streaming output, tool calls, and user authorization.
4. Audit Logs Should Record “Enough for Troubleshooting,” Not “All Original Text”
Many privacy incidents are not caused by the model itself, but by logging systems, analytics systems, customer service tickets, A/B testing platforms, or exception stacks that save the original text.
It is recommended to split logs into two categories:
Long-Term Retainable Metadata:
{
"request_id": "req_20260703_0001",
"tenant_id": "tenant_a",
"app_id": "support_agent",
"model": "gpt-5.5",
"policy_id": "prompt-privacy-v1",
"entity_types": ["PERSON", "PHONE_NUMBER"],
"action_summary": {"mask": 1, "tokenize": 1, "block": 0},
"prompt_hash": "sha256:...",
"response_hash": "sha256:...",
"status": "success",
"created_at": "2026-07-03T02:58:37-04:00"
}
Short-Term, Controlled, Deletable Troubleshooting Materials: Sanitized prompt, model response, pre- and post-redaction diff. These should have separate retention policies, access approvals, export controls, and deletion tasks.
The following locations should especially NOT have the Raw Prompt logged by default:
- HTTP access log query/body dump
- SDK debug log
- Request payload in exception stacks
- APM trace attributes
- Prompt playground history
- Automatic sampling for offline evaluation datasets
- Copy-pasted content in ticketing systems
5. Vendor Strategies Should Be a Capability Matrix
Data strategies vary across different model providers and product types. It is not enough to just look at a single “not used for training” statement. It is recommended to maintain a capability matrix:
| Provider | Product | Training Use | Retention | Abuse Monitoring | Request Logging | Data Residency | ZDR Support | Notes |
|---|---|---|---|---|---|---|---|---|
| OpenAI | API | Default No | Up to 30d typical | Yes | Feature dependent | Project/location options | Eligible endpoints | Verify endpoint eligibility |
| Azure | Foundry Models | No without permission | Service/feature dependent | Yes | Feature dependent | Azure region | Contractual/config dependent | OpenAI provider cannot access Azure-hosted prompts |
| Gemini Enterprise Agent Platform | No without permission | Scenario dependent | Prompt logging may apply | Disabled by default | Location dependent | Requires actions/exceptions | Grounding features may retain data |
This matrix should be part of architecture reviews and procurement reviews, not just legal documentation. For engineering teams, it is more important to translate it into runtime policies: certain tenants can only use ZDR-compatible endpoints, certain business lines must disable request-response logging, and certain scenarios must use private deployments or local models.
Applicable Scenarios
This approach is suitable for the following scenarios:
- High-sensitivity businesses like customer service, post-sale support, claims, finance, healthcare, and education.
- Multi-tenant SaaS where different customers have different data retention requirements.
- Internal enterprise knowledge assistants that access contracts, customer data, tickets, emails, or code repositories.
- Agents that call external tools like CRM, ERP, ticketing, payment, or search.
- Teams that need to sample online requests for evaluation datasets but cannot directly save raw user input.
- Companies that use multiple model providers simultaneously, each with different data retention and logging policies.
For public content generation, low-sensitivity marketing copy, or completely anonymous input, this system can be simplified, but it is still recommended to retain basic redaction and log minimization.
Common Misconceptions
Misconception 1: If the Vendor Doesn’t Train on Data, There’s No Privacy Issue
Not using data for training only covers one risk point. Prompts can still enter temporary retention, abuse monitoring, debugging systems, logging systems, internal corporate audits, legal holds, or downstream tool calls. The real governance goal is to control the data lifecycle, not just confirm the training use case.
Misconception 2: Higher PII Detection Recall Is Always Better
Excessively high recall can lead to a large number of false positives, causing the model input to be overly corrupted. Production systems need to set policies that balance privacy risk and task usability. For example, keys, passwords, and full ID numbers should be blocked with high intensity, while common names and locations need to be judged in conjunction with business context.
Misconception 3: After Redaction, Data Can Be Stored Indefinitely
Redaction is not the same as anonymization, and it certainly does not mean permanent storage. Placeholders, hashes, partial masks, and pseudonymization mappings all have the potential to be correlated and reversed. Even if you are storing a sanitized prompt, you should have retention periods, access controls, and deletion processes.
Misconception 4: Only Input Needs Protection, Not Output
Model output can echo input, or it can bring out sensitive content from tool results, retrieval results, or historical context. Response scanning, streaming output interception, and tool result redaction should all be part of the same policy system.
Go-Live Checklist
Data Entry Points
- Have you identified all fields entering the LLM: user input, system prompt, RAG context, tool results, file content, image OCR, speech transcription?
- Do you distinguish between Raw Prompt, Sanitized Prompt, Response, and Audit Metadata?
- Is printing the raw request body in debug logs prohibited?
Redaction Strategy
- Does it cover emails, phone numbers, ID numbers, bank cards, addresses, names, order IDs, API keys, passwords, and internal IDs?
- Does it support business-customizable recognizers?
- Is the policy configurable by tenant, application, model, and data type?
- Is there a mechanism for policy versioning, approval, canary deployment, and rollback?
Vendor Boundary
- Have you confirmed the model provider’s data training, retention, abuse monitoring, request logging, and data residency policies?
- Have you identified which endpoints support Zero Data Retention or similar capabilities?
- Have you separately evaluated stateful features like grounding, file upload, batch, assistant/thread, vector store, and caching?
Logging and Auditing
- Is metadata saved by default instead of the original text?
- Is there a short-term retention policy for the sanitized prompt?
- Is there an approval process and expiration time for accessing original text for troubleshooting?
- Does it support deleting or tracing data by request_id?
Evaluation and Regression
- Have you prepared a PII detection test set?
- Are false positives, false negatives, and answer quality degradation measured separately?
- Have you replayed real redacted samples or synthetic samples before going live?
- Are you monitoring PII hit rate, block rate, policy rejection rate, manual appeal rate, and recovery failure rate?
Summary
Prompt Data Privacy is not a “set it and forget it” security feature. It is a set of engineering practices that run through the entire lifecycle of an LLM application. Its core lies in:
- Defining Boundaries: Clarify the lifecycle of the Raw Prompt, making the Sanitized Prompt and Audit Metadata the primary entities that cross boundaries.
- Layered Detection: Combine deterministic rules, NER, and context-dependent judgment, rather than relying on a single regex.
- Scenario-Based Redaction: Choose between deletion, masking, pseudonymization, surrogate substitution, and encrypted mapping, rather than a one-size-fits-all approach.
- Policy Versioning: Make redaction rules traceable, approvable, and rollback-able.
- Log Minimization: Save only metadata by default, with original text troubleshooting going through controlled channels.
- Vendor Alignment: Turn vendor data policies into runtime constraints, not just legal documentation.
References
- OpenAI Enterprise Privacy
- Microsoft Azure Foundry Models: Data, privacy, and security
- Google Cloud Gemini Enterprise Agent Platform and zero data retention
- NIST AI Risk Management Framework
- Presidio Documentation
- Presidio Analyzer
- SurrogateShield: Beyond Redaction for High-Utility, Privacy-Preserving LLM Interactions