tas
Blog/Security
Security2026-03-20· 4 min read

Your LLM Is Leaking PII. Here's Why Most Teams Don't Know.

When developers pass context to LLMs, they routinely include names, emails, API keys, and tokens. The Privacy Proxy in ClawOps was built to close this gap automatically.

The Context Window Problem

Large language models are stateless. To give an agent useful context past conversation history, system state, user data developers pass that context in the prompt. This is how RAG works. This is how most agent frameworks work.

The problem: context frequently contains personally identifiable information.

A customer support agent that retrieves conversation history pulls names and email addresses into the prompt. A developer agent that reads a config file might pull API keys. A data analyst agent that queries a database might receive rows containing health or financial records.

All of that goes in the context window. And all of that goes to the model provider OpenAI, Anthropic, Google, whichever endpoint you are using.

Why Developers Miss It

The data flow is not obvious. The developer writes code that retrieves context and constructs a prompt. The LLM client sends the prompt to the API. The developer does not see the raw HTTP request. They see the response.

The PII is in transit and in the provider's logs, and most developers never audited the prompt payload.

What the Privacy Proxy Does

The [Privacy Proxy](/platform#clawops) sits between every TAS agent and every outbound LLM call. It inspects the prompt payload before it leaves your infrastructure and applies a detection and redaction pipeline:

  • Named entity recognition for person names, organizations, locations
  • Regex patterns for email addresses, phone numbers, postal codes
  • Token pattern detection for API keys, JWTs, bearer tokens
  • Custom pattern rules configurable per deployment

    • Detected PII is redacted or replaced with synthetic placeholders before the request leaves the perimeter. The model receives the sanitized prompt. The response comes back. The original context is restored for the agent's use.

    The process is transparent to the agent. The agent sees its full context. The model never does.

    This Is a Compliance Requirement

    Under GDPR and similar privacy regulations, sending personal data to a third-party processor without appropriate data processing agreements and controls is a violation. The fact that it is happening inside an automated pipeline does not change the legal analysis.

    A Privacy Proxy is not a nice-to-have for AI infrastructure handling personal data. It is a compliance requirement.

    The question is whether you built it before or after the breach.

    d
    dhvr
    Founder, Tech Automation Services · ISO 27001 & 42001 Ready
    More from Tech Automation Services
    Security · 6 min read

    Why Post-Quantum Security Can't Wait Until 2030

    Most platforms say post-quantum is on the roadmap. We shipped it. Here's why harvest-now-decrypt-later attacks make waiting catastrophically expensive.

    Platform · 5 min read

    Human-in-the-Loop Is Not a Constraint. It's the Product.

    The race to fully autonomous AI agents misses the point for regulated industries. Here's why accountability and human approval gates are features, not friction.