AegisPlane
Back to blog
Protect6 min readApril 3, 2025

How to Prevent Sensitive Data Leaks Without Breaking the User Experience

PII detection doesn't have to mean degraded experiences or blocked requests. Here's how to protect sensitive data in AI pipelines while keeping responses useful.

When teams first think about PII protection in AI pipelines, they tend to reach for the most obvious solution: block requests that contain sensitive data. A user mentions an email address or a social security number, the request gets rejected, and the data never reaches the model.

Clean. Simple. And terrible for the user experience.

The right approach isn't to block requests containing PII. It's to protect the data in transit while preserving the experience on both ends.

In 30 seconds

You don't need to choose between security and UX. If you redact before the model and rehydrate after, you can protect PII without breaking the final response.

What you'll get from this article:

  • The correct runtime flow for PII handling
  • What to log without creating legal exposure
  • How to reduce false positives without reducing protection

The problem with naive blocking

Blocking PII-containing requests creates a category of things your AI system simply can't help with, which is often exactly the category where users need help most.

A healthcare AI assistant that can't discuss patient symptoms. A financial AI that can't reference account numbers. A legal AI that can't process documents containing names. These aren't edge cases. They're the core use cases.

The problem isn't that the data is in the request. The problem is that sensitive data shouldn't leave your infrastructure in clear text, and it shouldn't be stored in third-party logs.

Those are solvable problems without blocking the request.

Redaction and rehydration

The pattern that works in production is redact-execute-rehydrate:

User input
  -> Detect PII
  -> Redact with placeholders
  -> Execute model (no real PII)
  -> Rehydrate response
  -> Return to user

Step 1, Detect and redact before execution Before the request reaches any external model, scan it for PII. Replace each detected entity with a structured placeholder: [PERSON_NAME_1], [EMAIL_1], [SSN_1]. Store the mapping between placeholder and real value in a secure, ephemeral store scoped to that request.

The request that leaves your infrastructure contains no real PII. Just placeholders.

Step 2, Execute normally The model receives the redacted request. It processes the placeholders as if they were real values. It generates a response referencing the same placeholders.

Step 3, Rehydrate after execution The model's response comes back with placeholders intact. Before returning it to the user, replace each placeholder with the original value from the mapping.

The user sees a response that references their actual data. The model never saw it. Third-party logs contain only placeholders.

What to detect

A production PII detection layer should cover at minimum:

  • Direct identifiers: Names, email addresses, phone numbers, physical addresses
  • Government identifiers: SSNs, passport numbers, driver's license numbers, tax IDs
  • Financial data: Credit card numbers, bank account numbers, IBANs
  • Health data: Diagnoses, medication names in context, patient IDs
  • Credentials: API keys, passwords, tokens (these are both PII and security risks)

Detection quality matters more than coverage. A system that catches 90% of PII reliably is more useful than one that claims 100% coverage but generates false positives that break legitimate requests.

Tuning for false positives

False positives are the biggest operational problem with PII detection in production. A pattern that's too aggressive will redact things that aren't sensitive, product names, technical terms, common phrases, and produce responses that read as broken.

Good PII detection is configurable per tenant and per context. A financial services tenant needs aggressive financial identifier detection. A general-purpose assistant needs more conservative thresholds.

The right approach is to start conservative and tune based on real traffic. Instrument your detection layer to surface candidates it was uncertain about. Review them. Adjust thresholds. Iterate.

Audit without exposure

One requirement that often gets overlooked: your audit trail needs to record that PII was detected and handled, without storing the PII itself.

This means audit records should log:

  • That PII was detected in the request
  • Which types were found (categories, not values)
  • That redaction occurred
  • The request outcome

What they should not log: the actual sensitive values, even in the audit system.

Minimum recommended log fields:

  • request_id
  • tenant_id
  • pii_detected (true/false)
  • pii_types (for example email, phone, id_number)
  • redaction_applied (true/false)
  • policy_decision (allow / block / review)
  • timestamp

This is particularly important for healthcare (HIPAA) and European users (GDPR), where storing PII in audit systems creates its own compliance obligations.

The difference between "detected" and "redacted"

It's worth being precise about terminology, because the distinction matters operationally.

PII detected means the system found sensitive data in the request. It doesn't say what happened to it.

PII redacted means the system found sensitive data and replaced it with a placeholder before the request was forwarded.

Both generate audit events. But only "redacted" guarantees the data didn't reach the model. Detection without redaction is a monitoring tool. Detection with redaction is protection.

The Checklist

Review your current AI pipeline against these:

  • PII detection runs before requests reach any external model
  • Detected PII is replaced with structured placeholders, not just flagged
  • Placeholder-to-value mappings are ephemeral and request-scoped
  • Model responses are rehydrated before returning to the user
  • Detection thresholds are configurable per tenant
  • Audit records log detection events without storing the actual sensitive values
  • Your system distinguishes between "detected" and "redacted" in logs and metrics

What to do this week

  1. Enable PII redaction in observation mode on real traffic.
  2. Review false positives by type and tune thresholds per tenant.
  3. Move to enforcement only when false-positive ratio is under control.

PII protection doesn't have to cost you the user experience. With the right pipeline, users get responses that reference their data, and that data never leaves your control.

AegisPlane

Ready to apply this to your pipeline?

AegisPlane puts all these controls into production without changing your code.

See a demo← Back to blog