Why architecture matters here

LLM DLP failures come in two flavors. Too permissive: PII lands in prompts, gets logged, and a subject access request finds it. Too strict: every prompt gets redacted; users cannot ask real questions.

The architecture matters because you need both directions. Layered scanning (regex first, ML second) balances cost and coverage. Redaction with a reversible map preserves context. Feedback loops close on false positives.

Understanding the pieces means you can tune each layer independently and hit both goals.

Advertisement

The architecture: every piece explained

The top strip is the input path. Input prompt arrives with user text and context. Pre-scan classifier combines regex (SSN, credit card) with an ML PII detector (names, addresses, medical). Policy engine decides per finding based on class and jurisdiction. Redaction + block replaces sensitive spans with tokens or refuses the request.

The middle row is the model + output path. Model call uses the sanitized prompt. Output scan checks the response for leaks (rare cases where sensitive data was recalled from context or training). De-anonymize map holds reversible tokens so post-processing can restore user-provided values in the final response without exposing them to the model. Escalation triggers on high-severity findings — alert, block, and audit.

The bottom rows are learning and governance. Audit + evidence stores the full record for auditors. User feedback captures false positives so classifiers and policies can be tuned. Governance keeps policies in code, tested, versioned, and rolled out in stages.

LLM DLP — input + output scanning with policy, redaction, and auditkeep sensitive data out of prompts and responsesInput promptuser + contextPre-scan classifierregex + ML PII detectorPolicy engineper-class + jurisdictionRedaction + blockaction per findingModel callsanitized promptOutput scanleaks + secretsDe-anonymize mapreversible tokensEscalationhigh-severity block + alertAudit + evidencefull record for auditorsUser feedbackfalse positives + tuningGovernance — policy in code + tests + versioned rolloutsanitizeverifyrestoreescalaterecordlooploopgoverngovern
LLM DLP pipeline from input scan to audit.
Advertisement

End-to-end flow

End-to-end: a support agent pastes a customer email including SSN and address into the LLM assistant. Pre-scan detects the SSN via regex and the address via ML. Policy engine decides SSN = redact and log; address = redact and preserve mapping for post-process. Model receives "customer {{SSN}} at {{ADDR}} reported...". Model responds with a suggested reply that references {{ADDR}}. De-anonymize map restores {{ADDR}} to the real address for the human agent. SSN stays redacted throughout. Audit trail captures the redaction events. A weekly review of user feedback finds several false positives on legitimate product IDs matching the SSN regex; the regex is tightened.