PII Detection & Redaction
AxonFlow provides built-in detection and redaction of Personally Identifiable Information (PII) in LLM interactions. It uses a hybrid approach: fast regex-based pattern matching finds candidates, then checksum and context validation filters them to minimize false positives, keeping latency in the microsecond range for typical prompt sizes (see Performance below).
Supported PII Types
| Type | Severity | Example | Validation |
|---|---|---|---|
| SSN | Critical | 123-45-6789 | Area/group/serial rules |
| Credit Card | Critical | 4532-0151-1283-0366 | Luhn algorithm |
| Email | Medium | [email protected] | RFC 5322 format |
| Phone | Medium | (555) 123-4567 | Format + context |
| IP Address | Medium | 192.168.1.100 | IPv4 validation |
| IBAN | Critical | DE89370400440532013000 | MOD 97 checksum |
| Passport | High | AB1234567 | Format + context |
| Date of Birth | High | 01/15/1990 | Context-dependent |
| Bank Account | Critical | 021000021-123456789 | ABA routing checksum |
How It Works
Two-Layer Detection
- Agent Layer (Static Engine): fast regex-based detection (<1ms) that flags candidate PII for downstream processing
- Orchestrator Layer (Enhanced Detector): deep validation of each candidate (Luhn, MOD 97 and the other checks in the table above) plus context-aware confidence scoring
False Positive Prevention
The enhanced detector uses context analysis to reduce false positives:
Input: "Order number: 123-45-6789"
→ Context contains "order" → Low confidence (not flagged as SSN)
Input: "Customer SSN: 123-45-6789"
→ Context contains "SSN" → High confidence (flagged as SSN)
Configuration
Gateway Mode
PII detection is automatically enabled in Gateway Mode's pre-check and audit endpoints:
# Pre-check detects PII in prompts
curl -X POST https://api.example.com/api/policy/pre-check \
-H "Content-Type: application/json" \
-H "X-Client-Secret: your-secret" \
-d '{
"prompt": "Customer SSN: 123-45-6789",
"context": {}
}'
The response lists the PII policies that fired:
{
"approved": true,
"policies": ["ssn_detection"],
"context_id": "ctx_abc123"
}
SDK Usage
Python
import asyncio
from axonflow import AxonFlow

async def main():
    client = AxonFlow(client_secret="your-secret")
    # Pre-check with PII detection
    result = await client.get_policy_approved_context(
        prompt="Customer SSN: 123-45-6789",
        context={"user_id": "user123"}
    )
    if "ssn_detection" in result.policies:
        print("Warning: SSN detected in prompt")

asyncio.run(main())
TypeScript
import { AxonFlow } from 'axonflow';
const client = new AxonFlow({ clientSecret: 'your-secret' });
const result = await client.getPolicyApprovedContext({
prompt: 'Customer SSN: 123-45-6789',
context: { userId: 'user123' }
});
if (result.policies.includes('ssn_detection')) {
console.log('Warning: SSN detected in prompt');
}
Go
package main

import (
    "context"
    "log"

    "github.com/getaxonflow/axonflow-sdk-go"
)

func main() {
    ctx := context.Background()
    client := axonflow.NewClient(axonflow.Config{
        ClientSecret: "your-secret",
    })
    // Pre-check with PII detection
    result, err := client.GetPolicyApprovedContext(ctx, axonflow.PreCheckRequest{
        Prompt:  "Customer SSN: 123-45-6789",
        Context: map[string]interface{}{"userId": "user123"},
    })
    if err != nil {
        log.Fatalf("pre-check failed: %v", err)
    }
    for _, policy := range result.Policies {
        if policy == "ssn_detection" {
            log.Println("Warning: SSN detected in prompt")
        }
    }
}
Redaction Strategies
When PII is detected, AxonFlow applies redaction based on user permissions:
| Strategy | PII Types | Result |
|---|---|---|
| Masking | SSN, Credit Card, Phone | XXX-XX-6789, ****-****-****-0366 |
| Hashing | | [HASHED_16] |
| Full Redaction | Unknown types | [REDACTED] |
Permission-Based Access
| Permission | Visible PII Types |
|---|---|
| view_full_pii | All PII types |
| view_basic_pii | Email, Phone only |
| view_financial | Credit Card, Bank Account |
| Admin role | All (wildcard) |
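The following is an added example, not AxonFlow's own code, covering both the redaction strategies and the permission table above. It takes the detector's findings as (type, value) pairs, leaves intact the types the caller is permitted to view, and replaces the rest: masking keeps the last four characters (XXX-XX-6789, ****-****-****-0366), hashing emits a stable token, and anything else becomes [REDACTED]. Assumptions: which types are hashed, the [HASHED_<16 hex characters>] token layout, "*" as the admin wildcard, and the use of a keyed HMAC instead of a bare hash, since an unkeyed SHA-256 of a phone number or SSN is reversible by enumerating the small input space. The sample text, findings and key are constructed.

```python
"""Permission-aware PII redaction: masking, keyed hashing, full redaction.

Added example, not AxonFlow's own code. Hashed types, token layout,
the "*" wildcard and the keyed HMAC are assumptions.
"""
import hashlib
import hmac

MASK_CHAR = {"ssn": "X", "credit_card": "*", "phone": "*"}  # keep last 4 visible
HASHED_TYPES = {"email", "ip_address", "iban"}  # assumed: stable token, no plaintext
# Any other type falls through to full redaction.

PERMISSIONS = {
    "view_full_pii": {"*"},
    "view_basic_pii": {"email", "phone"},
    "view_financial": {"credit_card", "bank_account"},
    "admin": {"*"},  # admin role: wildcard
}


def can_view(pii_type: str, grants) -> bool:
    """True if any granted permission covers this PII type."""
    allowed = set().union(*(PERMISSIONS.get(g, set()) for g in grants))
    return "*" in allowed or pii_type in allowed


def mask(value: str, mask_char: str, keep: int = 4) -> str:
    """Mask every alphanumeric except the last `keep`; separators stay in place."""
    total = sum(ch.isalnum() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isalnum():
            seen += 1
            out.append(ch if seen > total - keep else mask_char)
        else:
            out.append(ch)
    return "".join(out)


def hash_token(value: str, key: bytes) -> str:
    """Keyed, truncated digest: same value -> same token, not reversible without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"[HASHED_{digest[:16]}]"


def redact_value(pii_type: str, value: str, key: bytes) -> str:
    if pii_type in MASK_CHAR:
        return mask(value, MASK_CHAR[pii_type])
    if pii_type in HASHED_TYPES:
        return hash_token(value, key)
    return "[REDACTED]"


def redact(text: str, findings, grants, key: bytes) -> str:
    """findings: (pii_type, value) pairs from the detector. Values the caller
    may view stay intact; every other value is replaced per its strategy."""
    # Longest values first, so a value embedded in a longer one is not
    # rewritten before the longer one has been handled.
    for pii_type, value in sorted(findings, key=lambda f: -len(f[1])):
        if not can_view(pii_type, grants):
            text = text.replace(value, redact_value(pii_type, value, key))
    return text


SAMPLE_TEXT = ("Customer SSN: 123-45-6789, card 4532-0151-1283-0366, "
               "email user@example.com, routing/account 021000021-123456789")
SAMPLE_FINDINGS = [  # constructed detector output, not from the page
    ("ssn", "123-45-6789"),
    ("credit_card", "4532-0151-1283-0366"),
    ("email", "user@example.com"),
    ("bank_account", "021000021-123456789"),
]
KEY = b"per-tenant-secret"  # constructed; load from a secrets store in practice

if __name__ == "__main__":
    for grants in ([], ["view_basic_pii"], ["view_financial"], ["admin"]):
        print(f"{grants!s:22} {redact(SAMPLE_TEXT, SAMPLE_FINDINGS, grants, KEY)}")
```

With view_basic_pii the email stays readable, the SSN and card are masked and the bank account becomes [REDACTED]; with view_financial the card and account are shown in full while the email is replaced by its token; an empty grant set redacts everything and admin sees the original text. The key should be per tenant and rotated, because anyone holding it can recompute tokens for guessed values.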
Performance
| Operation | Latency | Notes |
|---|---|---|
| Single type detection | ~1μs | Type-specific check |
| Full detection (no PII) | ~17μs | All patterns |
| Full detection (with PII) | ~25μs | With validation |
| Long text (10KB) | ~1.4ms | Comprehensive scan |
Compliance
AxonFlow's PII detection helps with compliance requirements:
| Regulation | Supported PII Types |
|---|---|
| PCI-DSS | Credit card numbers, bank accounts |
| HIPAA | SSN, DOB, medical identifiers |
| GDPR | Email, phone, address, IP |
| CCPA | SSN, driver's license |
Best Practices
- Enable validation for financial data (credit cards, bank accounts)
- Use context to reduce false positives
- Set appropriate permissions based on user roles
- Log PII detection events for audit trails
- Test with realistic data to tune confidence thresholds