0
0
0
dark
0
0
0
Hand-Picked Top-Read Stories
Trending Tags
4 minute read
No comments

Stop AI From Seeing What It Shouldn’t: A Practical Guide to PII Safety

Amanda Milligan
November 16, 2025
Total
0
Shares
0
0
0

TL;DR
AI features are great, but if you feed them personal data, things can go wrong very quickly. Before your app talks to an AI model, make sure it is not accidentally sending PII.

We all know what PII is

PII stands for Personally Identifiable Information. It is anything that can directly or indirectly identify a person.

Names, emails, phone numbers, home addresses, government IDs, bank details, biometrics the list goes on.

We deal with it every day while building products. Nothing new here.

The real problem starts when we mix PII with AI features.
The challenge isn’t that PII exists. The challenge is that AI systems eagerly consume whatever data we send them… even when they shouldn’t.

How PIIs can get exposed to the AI (directly or accidentally)

There are many situations where PII slips into the AI layer without anyone meaning to do it. A few examples:

  • Intelligent search
    A user searches for something like “John Smith account balance 4367” and the search system forwards the full prompt to an LLM behind the scenes.

  • Data analytics
    We feed big datasets into an AI model to extract insights and forget that those tables contain names, emails and other personal info.

  • Fraud or risk detection
    AI models often use IDs, location and behavioral history to detect fraud. Sometimes the pipeline ends up passing the raw data to an LLM.

  • Chatbots and customer support
    Users often share private information like account numbers or home addresses in messages and those messages get forwarded to an AI agent to generate answers.

  • Document or content summarization
    Users upload resumes, invoices, medical reports or contracts, and the AI summarizer sees everything inside those documents.

In all of these cases the team never intends to expose PII. But it happens because the AI layer simply receives whatever data comes its way.
And importantly: this risk applies during both training and inference (every time your app calls an AI API).

The risk of exposing PII to AI

Here is why this gets scary fast:

  • AI does not forget
    If a model sees PII during training or input, it might surface it later. For example, someone asks the model for sample bank fraud data and the output ends up containing a real email or phone number that it once saw.

  • Legal trouble
    Regulations like GDPR and CCPA are very strict about how personal data is processed. If your AI feature handles PII without the right controls, you can get into real legal and financial trouble.

  • Data exposure
    Even if the model behaves correctly, logs, prompts, intermediate storage, training data and prompt history can leak personal information to the wrong place.

  • User trust
    Once users think their private data was used in a way they did not agree to, trust is gone. Sometimes permanently.

How to prevent it

Here are practical ways to stop PII from reaching your AI model:

  1. Safest option: do not send PII to AI
    If the task does not need personal info, strip it out. Replace names with IDs, or anonymize the entire dataset before doing any AI processing. This is often impractical though.

  2. Mask, redact or remove PII
    If the data items are much simpler (for example, Indian phone numbers only), regex can sometimes be enough. But if the scenario is open-ended, tools like Presidio or NER-based models help detect names, emails, phone numbers and other identifiers before sending the text or dataset to the AI model.

You can mask values (e.g. joh***@gmail.com), replace them with placeholders, or delete them completely.

Here’s a quick code example using Presidio: 

from presidio_analyzer import AnalyzerEngine
from presidio_anonymizer import AnonymizerEngine
from presidio_analyzer.nlp_engine import SpacyNlpEngine

# --- Initialize Presidio ---
nlp_engine = SpacyNlpEngine(models={"en": "en_core_web_lg"})
analyzer = AnalyzerEngine(nlp_engine=nlp_engine, supported_languages=["en"])
anonymizer = AnonymizerEngine()

# --- Input text ---
text = "My name is John Doe, my email is john.doe@example.com and my phone number is +1-202-555-0170."

# --- Detect PII ---
results = analyzer.analyze(text=text, language="en")

# --- Mask PII ---
anonymized = anonymizer.anonymize(
    text=text,
    analyzer_results=results,
    anonymizers={"DEFAULT": {"type": "mask"}}
)

print("Original:", text)
print("Anonymized:", anonymized.text)

Upon execution: 

Original: My name is John Doe, my email is john.doe@example.com and my phone number is +1-202-555-0170.
Anonymized: My name is **********, my email is ********************** and my phone number is *******************

Once masking or redaction is in place, the next step is to ensure the AI only receives the minimum amount of information it needs.

  1. Data minimization
    Only send the data that is absolutely necessary. Most AI features do not need full user profiles.

  2. Add guardrails to AI inputs and outputs
    Scan incoming user prompts for PII and block or redact them.
    Also scan AI responses to make sure the model is not trying to output PII back to the user.

  3. Secure logs and storage
    If you store prompts, chat messages or training data that might contain PII, add access controls and deletion policies.

How the industry handles it

Big AI platforms are already aware of this problem and are adding safety layers.

For example, OpenAI Agent Builder has built-in guardrails that detect and redact PII from both inputs and outputs.

It combines rule-based techniques and AI detection to catch things like names, addresses, emails and financial details before the model sees them or before the model tries to return them.

There are also popular open source tools such as Microsoft Presidio, which many companies use to scan and mask PII before running analytics or AI workloads.

The pattern is the same across the industry:
Detect PII early, remove or protect it, then use AI.

These systems are not perfect, but they reflect one clear lesson: privacy cleanup must happen before the AI sees the data, not after.

Conclusion

If you are an entrepreneur, a developer or someone excited about adding AI features to your product, here is the simple takeaway:

Make your app smarter, but do not make it reckless.
Handle PII before the data reaches the AI layer.

It is always easier to prevent a privacy issue than to fix one after damage has been done.

References

  1. Microsoft Presidio – Data Protection and De-identification SDK
    https://microsoft.github.io/presidio/
    (Microsoft GitHub)

  2. “Implementing Text PII Anonymization” – Arize AI blog
    https://arize.com/blog/pii-removal-microsoft-presidio-chatbot/
    (Arize AI)

  3. “Enhancing the De-identification of Personally Identifiable Information in Educational Data”
    Y. Shen et al., Jan 2025
    https://arxiv.org/abs/2501.09765
    (arXiv)

  4. “Proactive Privacy Amnesia for Large Language Models: Safeguarding PII with Negligible Impact on Model Utility”
    Martin Kuo et al., Feb 2025
    https://arxiv.org/abs/2502.17591
    (arXiv)

Total
0
Shares
Share 0
Tweet 0
Pin it 0
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Five Questions on Quality

November 16, 2025
Related Posts