PII Redaction for LLMs in 2026: How to Strip Sensitive Data Before It Leaves Your Perimeter

Every prompt your team sends to a language model is a potential data-exfiltration event. According to Cyberhaven’s 2026 AI Adoption & Risk Report, 39.7% of all enterprise AI interactions involve sensitive data — and much of it flows through unmanaged personal accounts (58.2% for Claude, 32.3% for ChatGPT) that bypass corporate controls entirely. Once that data lands in a prompt, it can be stored in provider logs, surfaced in another session, or used as evidence in a regulatory finding. PII redaction for LLMs — detecting and stripping personal data before it reaches the model — is the control that closes this gap, and the cleanest place to enforce it is a gateway in front of every provider, like OrcaRouter.

Quick take: You can’t trust users (or agents) to keep PII out of prompts, so you intercept it. Detect with regex + NER, then either mask it (irreversible, anonymized, out of GDPR scope) or tokenize it (reversible, pseudonymized, still regulated). Do it at the gateway boundary — before the prompt leaves your perimeter and before the provider logs it — so one policy covers every model and every team.

Redact inside your perimeter; only clean text crosses to the provider. Re-identify on the way back. Source: HyperionHQ (vendor-reported).

Why redact PII before it reaches an LLM

A model API is just another third party. Send it a customer’s name, SSN, or medical history in a prompt and you’ve shared regulated data with an external processor — and likely with its logs. By default, OpenAI retains API data for 30 days for abuse monitoring, and Anthropic reduced standard API log retention from 30 days to 7 days in September 2025. Zero-data-retention exists but requires a negotiated enterprise agreement — it is not the default on pay-as-you-go plans. Redaction is what lets you use any provider without that data ever leaving your control.

The compliance drivers: GDPR, HIPAA, CCPA

Three regimes turn “nice to have” into “required”:

GDPR. Personal data sent to an LLM is processing under EU law. Cumulative GDPR fines have exceeded €5.88 billion since 2018. Crucially, the regulation treats redaction outcomes differently — more on that below.

HIPAA. Protected health information (PHI) in a prompt to a provider without a Business Associate Agreement is a reportable disclosure. Guidance for regulated industries is that redaction logic should run inside your own VPC so unredacted PHI never touches the public internet.

CCPA / state laws. California and a growing list of US states give consumers rights over personal information; uncontrolled prompt sharing undermines deletion and disclosure obligations.

What counts as PII

PII isn’t just names and Social Security numbers. Modern detectors cover a wide taxonomy — the open-source GLiNER2-PII model alone spans 42 entity types across seven categories: personal, contact, governmental, financial, digital identity, credentials, and dates. In an LLM context, “sensitive” also includes API keys, internal code names, and proprietary source code — which makes up a large share of what employees paste into chatbots.

Detection finds it; masking removes it permanently; tokenization removes it reversibly. Source: Grepture.

The four techniques

Detection. You can’t redact what you can’t find. Deterministic regex is fast and exact for structured data (cards, SSNs, emails, keys), but it misses unstructured mentions. Named entity recognition (NER) models add context for names, locations, and organizations. The catch is accuracy variance: a DeBERTa model fine-tuned on a fixed entity set scores F1 0.976, but when PIIBench tested eight systems across 10 datasets with 48 entity types, even OpenAI’s Privacy Filter fell from 0.96 to as low as 0.18 on out-of-distribution data. Lesson: combine regex + NER, and don’t trust a single headline F1.

Masking (irreversible). Replace the value with a placeholder — John Doe → [NAME], 555-12-3456 → [SSN]. The original is gone. Done well, this produces anonymized data, which GDPR no longer regulates because it can’t be linked back to a person.

Tokenization (reversible). Swap PII for a token and keep the mapping in a secure vault, so you can restore the original later. Under GDPR Article 4(5) this is pseudonymization — a recommended safeguard, but the data remains personal data and stays in scope.

Re-identification. For tokenized flows, the gateway maps tokens back to originals on the response path so users see correct output. Keep the vault’s time-to-live short to limit exposure.
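The four techniques above, sketched end to end as an added example (not code from this article or from any vendor it names): regex-only detection with a Luhn filter on card candidates, masking, and vault-backed tokenization with a TTL and re-identification. The patterns, the `TokenVault` class, the token format and the sample text are constructed for illustration, and the NER layer is left out.

```python
import re, secrets, time

PATTERNS = {  # constructed patterns; the US-style SSN format is an assumption
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
SAMPLE = "Mail jane.doe@example.com, SSN 555-12-3456, card 4111 1111 1111 1111, order 1234567890123."  # constructed

def luhn_ok(candidate):
    """Card checksum: rejects digit runs (order IDs, tracking numbers) that are not cards."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    summed = [d if i % 2 == 0 else (2 * d - 9 if d > 4 else 2 * d) for i, d in enumerate(digits)]
    return sum(summed) % 10 == 0

def detect(text):
    """Return non-overlapping (start, end, label) spans in document order."""
    spans = sorted((m.start(), m.end(), label) for label, rx in PATTERNS.items()
                   for m in rx.finditer(text) if label != "CARD" or luhn_ok(m.group()))
    kept, last_end = [], 0
    for start, end, label in spans:
        if start >= last_end:  # drop a span that overlaps one already kept
            kept.append((start, end, label))
            last_end = end
    return kept

def mask(text):  # irreversible: value replaced by its type, no mapping kept
    for start, end, label in reversed(detect(text)):
        text = text[:start] + f"[{label}]" + text[end:]
    return text

class TokenVault:
    """Reversible: token -> (value, expiry) mapping held in memory with a short TTL."""
    def __init__(self, ttl_seconds=300):
        self.ttl, self.store = ttl_seconds, {}

    def tokenize(self, text):
        for start, end, label in reversed(detect(text)):
            token = f"<{label}_{secrets.token_hex(4)}>"
            self.store[token] = (text[start:end], time.monotonic() + self.ttl)
            text = text[:start] + token + text[end:]
        return text

    def reidentify(self, text):
        now = time.monotonic()
        self.store = {t: v for t, v in self.store.items() if v[1] > now}  # purge expired
        for token, (value, _expiry) in self.store.items():
            text = text.replace(token, value)
        return text
```

The 13-digit order number in the sample is left alone because it fails the Luhn check, while an expired vault returns the tokenized text unchanged and drops its mappings.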

Reversible vs irreversible: the key trade-off

| | Masking (irreversible) | Tokenization (reversible) |
|---|---|---|
| GDPR status | Anonymized — out of scope | Pseudonymized — still personal data |
| Can restore original? | No | Yes, via secure vault |
| Output utility | Lower (model never sees real values) | Higher (response can be re-identified) |
| Best for | Logging, analytics, training data | Live user-facing flows, support agents |

Redaction at the gateway boundary

Where you redact matters as much as how. Put it in each application and the logic drifts, gets skipped in a new microservice, and produces no unified audit trail. Put it at a gateway in front of every model and you get one policy enforced uniformly across every service, with a centralized record of what was redacted, by which tier, and when.

The cost is latency, because input guardrails run synchronously before the request. Benchmarks put regex at under 2ms, an NER model around 35ms, and an external PII API at ~180ms added to time-to-first-token — which is why on-gateway small models (sub-50ms, near-99% precision in vendor testing) usually beat calling a remote redaction service. This is exactly the model-agnostic control point an AI gateway provides: OrcaRouter’s PII Shield enforces redaction pre-billing across 200+ models, so you implement it once instead of per app.

The bottom line

PII redaction for LLMs is no longer optional housekeeping — when 39.7% of AI prompts carry sensitive data and providers retain logs by default, it’s the difference between using any model freely and risking a GDPR or HIPAA disclosure. Detect with layered regex + NER, choose masking or tokenization based on whether you need the data back, and enforce it at the gateway boundary so the rule is uniform, audited, and applied before anything leaves your perimeter.

Frequently asked questions

What is PII redaction for LLMs? It’s detecting and removing personal data — names, IDs, financial and health data, secrets — from prompts before they reach a language model, so regulated data never enters the provider’s systems or logs.

Do I have to redact PII before sending it to OpenAI or Anthropic? If the data is regulated and you lack a suitable agreement, yes. Both retain API data by default (OpenAI 30 days; Anthropic 7 days), and zero-data-retention requires an enterprise contract.

What’s the difference between masking and tokenization? Masking is irreversible (the value is gone, producing anonymized data outside GDPR scope); tokenization is reversible via a vault, so the data stays pseudonymized and still regulated.

How accurate is PII detection? It varies wildly by domain. Top models reach F1 ~0.97 on fixed entity sets but drop sharply on out-of-distribution data, so layer regex with NER rather than relying on one detector.

Where should redaction run? At a gateway in front of every model, ideally inside your VPC — it gives uniform policy and a central audit trail without re-implementing logic per application.