Back to blog
pii detection ai pii detection llm detect pii in prompts compliance security

PII Detection in LLM Applications: A Complete Guide

Learn how to detect and handle PII in AI prompts—detection methods, redaction, GDPR/CCPA implications, and building a PII detection pipeline.

Users paste personal data into AI prompts without thinking: emails, phone numbers, addresses, even social security numbers. That data flows to third-party LLM providers, creating compliance risks and potential breaches. PII detection in LLM applications is the practice of identifying and handling personally identifiable information before it leaves your infrastructure. This guide covers detection methods, handling strategies, regulatory implications, and how to build a production-ready pipeline.

The PII Problem in AI

When you integrate an LLM API, you're creating a data pipeline: user input → your backend → OpenAI, Anthropic, or another provider. Users don't always treat the chat box like a form—they paste support tickets, customer emails, and documents that contain personal data. The model doesn't need that data to answer the question; it's incidental. But once sent, it's in the provider's logs and training data (depending on their policy).

**Risks:**

  • ** Compliance:** GDPR, CCPA, and HIPAA require controls over personal data. Sending PII to third parties without a lawful basis or DPA creates liability.
  • **Breach:** If the provider is compromised, your users' PII is exposed.
  • **Training:** Some providers use API data for model improvement. Even with opt-out, you've lost control.

PII detection lets you intercept and handle this data before it reaches the provider.

Types of PII in AI Contexts

Direct Identifiers

Uniquely identify an individual:

  • **Email addresses:** `user@example.com`
  • **Phone numbers:** US format `(555) 123-4567`, international formats
  • **Social Security Numbers:** `123-45-6789`
  • **Credit card numbers:** 13–19 digit patterns with Luhn validation
  • **Passport numbers, driver's license numbers**

These are the easiest to detect with pattern matching. Regex works well for structured formats.

Quasi-Identifiers

Identify individuals when combined:

  • **Names:** First and last names (harder to detect—many false positives)
  • **Dates of birth:** `1990-01-15`
  • **Physical addresses:** Street, city, ZIP
  • **IP addresses:** Though often not PII alone, they can be in certain contexts

These require more sophisticated detection—regex for dates and addresses, NER or ML for names.

Sensitive Attributes

Health, financial, or other sensitive data:

  • **Medical record numbers**
  • **Bank account numbers**
  • **Genetic data**
  • **Biometric identifiers**

Industry-specific patterns and compliance requirements (e.g., HIPAA) apply.

Detection Methods

Regex and Pattern Matching

**Pros:** Fast, deterministic, no external dependencies. Works well for structured PII (emails, SSNs, credit cards, phone numbers).

**Cons:** Doesn't handle unstructured text ("my number is five five five one two three four"), variations (international phone formats), or context-dependent PII.

Example patterns:

Email: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
US Phone: \b\d{3}[-.]?\d{3}[-.]?\d{4}\b
SSN: \b\d{3}-\d{2}-\d{4}\b
Credit card: \b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b

Use word boundaries (`\b`) to avoid partial matches. Validate credit cards with Luhn algorithm to reduce false positives.

Named Entity Recognition (NER)

**Pros:** Handles unstructured text, detects names and organizations that regex misses.

**Cons:** Adds latency (model inference), requires ML infrastructure, can have false positives (e.g., "Jordan" as a person vs. a brand).

NER models (e.g., spaCy, Hugging Face) tag tokens as PERSON, EMAIL, PHONE, etc. Useful for prompts with free-form narrative.

Hybrid Approaches

Combine regex for high-confidence patterns (SSN, email) with NER for names and addresses. Run regex first (fast); use NER only when regex doesn't find anything but the prompt looks sensitive. Balances speed and recall.

Handling Detected PII

Block

Reject the request entirely. Safest for compliance but disrupts user experience. Use when PII is strictly prohibited (e.g., healthcare, financial services).

Redact

Replace PII with placeholders: `[EMAIL]`, `[PHONE]`, `[SSN]`. The prompt still flows to the model, but without the actual data. Preserves utility for many use cases (e.g., "What should I reply to [EMAIL]?") while protecting the user.

Warn

Log the detection but allow the request. Use for low-sensitivity PII or when you're building awareness. Not sufficient for strict compliance—auditors will ask why you allowed it.

Log

Always log detections, regardless of action. You need an audit trail for compliance and incident response.

The Redaction Approach in Detail

Redaction replaces PII with tokens that preserve context. Options:

  • **Generic:** `[REDACTED]` — loses type information
  • **Typed:** `[EMAIL]`, `[PHONE]`, `[SSN]` — model knows the category, useful for "reply to this email" type prompts
  • **Hashed:** `[EMAIL:a1b2c3]` — allows correlation across prompts (e.g., same user) but adds complexity

For most applications, typed placeholders strike the right balance. The model can still reason about "the email" or "the phone number" without seeing the actual value.

**Edge cases:** Partial redaction (e.g., "john***@example.com") can leak information. Full replacement is safer. For names, redacting "John Smith" to `[NAME]` may break context if the prompt refers to "John" later. Document your redaction policy and test with real prompts.

GDPR and CCPA Implications

**GDPR (EU):** Sending personal data to AI providers (especially US-based) requires:

  • **Lawful basis:** Consent, legitimate interest, or other legal ground
  • **Data minimization:** Only send what's necessary
  • **DPA:** Data processing agreement with the provider
  • **Right to erasure:** Ability to delete a user's AI interaction history
  • **Transfer mechanisms:** Standard contractual clauses or adequacy decision for US transfers

PII detection supports data minimization—block or redact so you send less. It also creates an audit trail for what was detected and how it was handled.

**CCPA (California):** Similar principles: disclosure, purpose limitation, right to delete. PII detection helps you avoid collecting unnecessary personal data and supports deletion workflows.

Real-World Examples of PII Leaks in AI Applications

  • **Support chatbots:** Users paste full email threads containing customer PII. Without detection, every email goes to the LLM provider.
  • **Code assistants:** Developers paste code with API keys, but also config files with database connection strings containing usernames and passwords.
  • **Document summarization:** Users upload PDFs with SSNs, medical records, or financial data. The document is sent to the model for summarization.
  • **HR tools:** Employees ask "What's our policy on [employee name]'s leave?" — name and context flow to the provider.

In each case, PII detection (block or redact) would have prevented the leak.

Building a PII Detection Pipeline

  1. **Define scope:** Which PII types matter for your use case? Start with direct identifiers (email, phone, SSN, credit card).

2. **Choose detection method:** Regex for structured PII; add NER if you need name/address detection. Benchmark latency—real-time guardrails need under 50ms overhead.

3. **Define actions:** Block, redact, or warn per PII type. Align with compliance requirements.

4. **Implement:** Inline in the request path (proxy or SDK) so no request bypasses detection.

5. **Log everything:** Every detection, action, and request. Encrypted audit trail for compliance.

6. **Test:** Use synthetic and real (anonymized) prompts. Measure false positive rate—too many blocks frustrate users; too many misses create risk.

7. **Iterate:** Add patterns as you discover new PII types. Tune thresholds based on feedback.

How SignalVault's PII Detection Works

SignalVault provides pattern-based PII detection as a guardrail rule type. Configure patterns (email, phone, SSN, credit card) per application and environment. Each rule has an action: allow, warn, block, or redact. Redaction replaces matches with typed placeholders (`[EMAIL]`, `[PHONE]`, etc.). All evaluations are logged in the encrypted audit trail, so you can demonstrate compliance and debug violations. Rules run inline—every request flows through the guardrail engine before reaching the LLM provider.

Quickstart Guide

Get up and running in under 5 minutes

Guardrail Rules

PII detection, secret scanning, and more

Security

How SignalVault protects your data

Build vs Buy

Why use SignalVault instead of building your own

More from the blog

The Complete Guide to AI Audit Logging

Learn what AI audit logging is, what to log, encryption requirements, retention policies, and how audit logs enable SOC2/GDPR compliance.

How to Make Your AI Application SOC2 Compliant

A practical guide to SOC2 compliance for AI and LLM applications—controls, audit gaps, and how to build a compliance-ready AI stack.

AI Guardrails: What They Are and Why You Need Them

Learn what AI guardrails are, how they differ from content moderation, and how to implement input validation, output filtering, and policy enforcement.

Ready to protect your AI application?

Get started with SignalVault in under 5 minutes.

Get started free Read the docs