How to Build PII Detection and Redaction Pipelines for LLMs

  • Home
  • How to Build PII Detection and Redaction Pipelines for LLMs
How to Build PII Detection and Redaction Pipelines for LLMs

You are building a chatbot that helps users manage their finances. A user types: "My credit card number is 4111-1111-1111-1111, can I buy this laptop?" Your Large Language Model (LLM) answers perfectly. But somewhere in the background, that credit card number was sent to an external API, logged in your server traces, or potentially stored in training data. That is a privacy breach waiting to happen.

As of 2026, sending raw Personally Identifiable Information (PII) to third-party LLM providers is no longer just a risk-it is a compliance violation under regulations like GDPR, CCPA, and HIPAA. The solution isn't to stop using AI; it is to build a robust PII detection and redaction pipeline. This infrastructure sits between your user and the model, scrubbing sensitive data before it leaves your secure environment and checking the output before it reaches the user's screen.

The Core Problem: Why Simple Regex Fails

Many developers start with regular expressions (Regex). It seems logical: find patterns that look like email addresses, phone numbers, or Social Security Numbers, and replace them with asterisks. While Regex is fast, it is brittle. It misses context. If a user says, "My name is John Doe," Regex might not flag "John Doe" as a person unless you have a specific list of names. More importantly, it struggles with ambiguous data. Is "123 Main St" an address or just a random string of numbers and letters?

In production environments, relying solely on Regex results in a recall rate of only about 65%. This means 35% of sensitive information slips through undetected. For a financial app or healthcare platform, leaking one in three pieces of sensitive data is unacceptable. You need a system that understands context, not just patterns.

Architecting the Hybrid Pipeline

The most effective architecture for 2026 uses a hybrid approach. This combines the speed of pattern matching with the intelligence of Natural Language Processing (NLP). Think of it as a two-stage filter:

  1. Fast Pass (Regex): The system first scans for well-structured data like emails, credit cards, and IP addresses. This catches the obvious stuff with near-zero latency.
  2. Deep Scan (NER): Anything that passes the first stage goes to a Named Entity Recognition (NER) model. These models, often built on libraries like spaCy or Microsoft Presidio, analyze the sentence structure to identify people, organizations, locations, and custom entities based on context.

This tiered strategy boosts recall rates to 96% or higher. In a real-world implementation, this means only 4% of sensitive data escapes redaction-a massive improvement over regex-only baselines. The key is decoupling these components. You don't want your heavy NLP model slowing down every simple query. Instead, use a microservices architecture where a lightweight Go-based processor intercepts telemetry and communicates via gRPC with a Python-based detection service. This allows you to scale the heavy lifting independently from the request handling.

Key Tools and Libraries

You do not need to build your NER models from scratch. Several mature tools dominate the landscape today.

Comparison of PII Detection Tools
Tool Type Best Use Case Pros Cons
Microsoft Presidio Open Source Library Customizable enterprise pipelines Highly configurable, supports batch processing, active community Requires managing dependencies, setup complexity
spaCy NLP Framework General entity recognition Fast, efficient, great for English Less out-of-the-box PII support than Presidio
Amazon Comprehend Cloud Service AWS-native applications Managed service, integrates with SageMaker Vendor lock-in, cost per request
PRvL Models Fine-tuned LLM Complex semantic redaction Understands context deeply, high accuracy Higher latency, computational cost

Microsoft Presidio is the industry standard for open-source PII detection. It offers customizable pattern libraries and context-aware recognition. Many teams use Presidio for batch processing large datasets via PySpark, while using lighter solutions for real-time edge cases. If you are on AWS, Amazon SageMaker Data Wrangler integrates Amazon Comprehend to automatically redact PII during data preparation, keeping your ML workflows compliant without extra code.

Diagram showing a two-stage PII detection pipeline filtering text.

Implementing the Flow: Input and Output

Your pipeline must work both ways. Protecting the input prevents data leakage to the LLM provider. Protecting the output prevents the model from hallucinating or revealing sensitive data it might have inferred.

Step 1: Intercept Input When a user sends a prompt, your API Gateway routes it to the PII Detector. The detector checks a cache for previously seen patterns (to save compute), runs the Regex filter, and then applies NER analysis. If PII is found, it replaces the sensitive text with placeholders like <NAME>, <EMAIL>, or <PHONE>. The sanitized prompt is then sent to the LLM.

Step 2: Process with LLM The LLM generates a response based on the sanitized input. Because it never saw the actual credit card number or home address, it cannot leak it directly.

Step 3: Validate Output Before sending the response back to the user, run the LLM's output through the same detection pipeline. Sometimes, models generate examples that contain fake but realistic-looking PII, or they might repeat parts of the prompt if not carefully instructed. The output validator ensures no new sensitive data was created. Finally, if your application needs to display the original data (e.g., confirming a booking for "John Doe"), you can restore the placeholders with the original values securely within your local system, never exposing them to the external model.

Performance Trade-offs: Speed vs. Accuracy

There is no free lunch in engineering. Adding a PII pipeline introduces latency. Regex adds milliseconds. NER models add seconds. Fine-tuned LLMs for redaction add even more time and cost.

For high-volume, real-time chat applications, you must optimize for speed. Use a lightweight NER model or restrict deep scanning to high-risk fields only. For batch processing jobs, such as analyzing customer support tickets overnight, you can afford the heavier computational cost of fine-tuned models like those from the PRvL project. These models offer superior semantic understanding, ensuring that nuance isn't lost when redacting complex sentences.

Consider using asynchronous sanitization functions. Instead of blocking the user interface while the PII check runs, submit the request to a queue. However, for conversational AI, synchronous processing is usually required to maintain the illusion of instant interaction. In this case, caching detection results for repeated phrases can significantly reduce average latency.

Shield protecting multilingual data with compliance symbols in background.

Compliance and Regulatory Context

Why go through all this trouble? Regulations. The General Data Protection Regulation (GDPR) in Europe requires data minimization-collecting and processing only what is necessary. The California Consumer Privacy Act (CCPA) gives users rights over their personal data. Industry-specific rules like HIPAA (healthcare) and PCI-DSS (payments) mandate strict controls on how sensitive data is handled.

Using third-party LLMs introduces a unique risk: your data might be used to train their models. Even if the provider promises not to, logging systems and audit trails can inadvertently store sensitive prompts. A robust redaction pipeline ensures that by the time data leaves your controlled environment, it is anonymous. This creates a clear boundary between your proprietary data and public AI services, satisfying auditors and protecting your users.

Handling Multilingual Data

If your application serves a global audience, language support becomes a critical factor. Most major PII detection libraries, including Presidio and spaCy, are heavily optimized for English. Detection accuracy for non-English languages can drop significantly due to differences in grammar, naming conventions, and character sets.

For multilingual applications, you should implement a language identification step before PII detection. Route English text to your primary pipeline and other languages to specialized models or translation-based workflows. Be aware that translating text to detect PII and then translating back introduces its own risks and latency. Currently, many organizations accept a slightly higher false-negative rate for non-English content while investing in better multilingual NER models.

Deployment and Automation

Managing these pipelines manually is error-prone. Use automation tools to standardize deployment. The OpenTelemetry Collector Builder (OCB) allows you to compile custom collector binaries with embedded PII redaction processors. This means your observability stack itself can scrub sensitive data from logs and traces before they reach your monitoring dashboard.

Define your redaction policies in declarative configuration files. Specify which attributes to scan (e.g., `llm.prompt`, `user.email`), which patterns to apply, and where to send the sanitized data. This separation of policy from code makes it easier for security teams to update rules without redeploying the entire application.

What is the difference between PII detection and redaction?

Detection is the process of identifying sensitive information within text using patterns or AI models. Redaction is the action of masking, removing, or replacing that identified information with placeholders (like <NAME>) to protect privacy. Detection comes first; redaction follows immediately after.

Is Regex enough for PII protection in LLMs?

No. Regex is good for structured data like email addresses and credit card numbers, but it fails to capture contextual PII like names, addresses, or medical conditions mentioned in natural language. Relying only on Regex leaves up to 35% of sensitive data exposed. A hybrid approach with Named Entity Recognition (NER) is recommended for production systems.

How does Microsoft Presidio work?

Microsoft Presidio is an open-source library that provides pre-built analyzers and recognizers for common PII types. It uses a combination of regular expressions, context-aware NER models, and custom logic to detect entities. It also includes an anonymizer engine that can replace detected entities with various strategies, such as replacement, encryption, or hashing.

Do I need to redact LLM outputs?

Yes. While input redaction prevents sending sensitive data to the model, output redaction protects against the model generating sensitive information. LLMs can sometimes hallucinate private details or repeat parts of the prompt if not carefully constrained. Scanning outputs ensures complete end-to-end privacy.

What is the impact of PII pipelines on latency?

PII pipelines add latency. Regex adds minimal delay (milliseconds), while NER models can add seconds depending on the size of the text and the model complexity. To mitigate this, use hybrid architectures, cache results for repeated inputs, and consider asynchronous processing for non-real-time tasks. Fine-tuned LLM-based redactors offer higher accuracy but at a significant cost in speed and compute resources.

Can I use cloud services for PII detection?

Yes. Services like Amazon Comprehend (AWS) and Azure AI Language provide managed PII detection capabilities. These are convenient because they handle scaling and updates, but they may introduce vendor lock-in and additional costs per request. They are best suited for organizations already deeply integrated into those cloud ecosystems.