
Security Features

Beyond basic anonymization, Redact runs three active security checks on every request: leakage detection, healthcare quasi-identifier analysis, and API key scope enforcement. All findings are recorded in the vault and surfaced in the dashboard security metrics.


Active Leakage Detection

The Problem

LLM responses sometimes contain the real PII that anonymization removed from the input. This can happen when:

  • The model infers real names from context clues
  • A system prompt outside the anonymized messages contained PII
  • The model was fine-tuned on data that includes the real entity

How It Works

After the LLM responds, Redact scans the raw response text for any real values from the current session's entity map. The entity map holds all pseudonym → real_value pairs built during anonymization.

Entity map:  { "Finley Warren": "Michael Chen", "Cobalt Group": "Goldman Sachs" }

LLM response: "The agreement executed by Michael Chen of Goldman Sachs is valid."
                                              ↑ leaked!     ↑ leaked!

Scrubbed:     "The agreement executed by Finley Warren of Cobalt Group is valid."

Configuration

Leakage scrubbing is enabled by default. To disable it (log only, don't scrub):

Settings → Privacy Controls → Scrub leakage in LLM output, toggle off.

With scrubbing disabled, leaked values are still logged in leaked_entities_count and leakage_detected, but the response is returned as-is.
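
The scan and scrub described above, as an added example (not Redact's own code). It uses the page's entity map and mirrors the vault field names; the word-boundary matching and longest-value-first ordering are design choices of this example, chosen to avoid the false-positive case discussed later on this page, and the `scrub=False` path is the log-only mode the Privacy Controls toggle selects.

```python
import re
from dataclasses import dataclass, field

# Added example of the leakage scan and scrub; not Redact's own code.
# The entity map is the page's example: pseudonym -> real value.
ENTITY_MAP = {
    "Finley Warren": "Michael Chen",
    "Cobalt Group": "Goldman Sachs",
}


@dataclass
class LeakageResult:
    response: str                  # text handed back to the caller (scrubbed or raw)
    leakage_detected: bool
    leaked_entities_count: int     # number of distinct real values found
    leaked_entities: list = field(default_factory=list)


def _leak_patterns(entity_map):
    """One regex per real value, longest value first so that a value which
    contains a shorter one ("Michael Chen" vs a hypothetical "Chen") is
    matched whole. Word boundaries stop a short real value from matching
    inside an unrelated word, which is the false-positive case the page
    describes. Case-insensitive because models frequently re-case names."""
    pairs = sorted(entity_map.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(pseudonym, re.compile(r"\b" + re.escape(real) + r"\b", re.IGNORECASE))
            for pseudonym, real in pairs]


def scan_and_scrub(response_text, entity_map, scrub=True):
    """Scan the raw LLM response for real values from the session entity map.
    scrub=True (default): every hit is replaced by its pseudonym.
    scrub=False (log-only): the response is returned as-is, but the leakage
    fields are still populated so the event can be recorded."""
    out = response_text
    leaked = []
    for pseudonym, pattern in _leak_patterns(entity_map):
        # Always search the original text so an earlier substitution cannot
        # create or hide a hit for a later pattern.
        if not pattern.search(response_text):
            continue
        leaked.append(entity_map[pseudonym])
        if scrub:
            out = pattern.sub(pseudonym, out)
    return LeakageResult(
        response=out,
        leakage_detected=bool(leaked),
        leaked_entities_count=len(leaked),
        leaked_entities=leaked,
    )


if __name__ == "__main__":
    raw = "The agreement executed by Michael Chen of Goldman Sachs is valid."
    print(scan_and_scrub(raw, ENTITY_MAP))
    print(scan_and_scrub(raw, ENTITY_MAP, scrub=False))
```

Note that this is a plain string match: a model that paraphrases a real value ("M. Chen", "the bank headquartered at 200 West Street") slips past it, so the scan is a backstop, not a guarantee.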

Real-Time Alerts

Configure a webhook to receive an HTTP callback the moment leakage is detected, rather than discovering it in the vault. See Webhooks for setup and payload format.

What to Do When Leakage Is High

High leakage counts usually indicate one of:

  1. System prompt contains PII: system prompts bypass anonymization. Move PII-bearing instructions into the messages array.
  2. Model trained on your data: consider switching upstream providers or using a policy with stronger person/org stripping.
  3. False positive: the "leaked" value is a common word that happens to be a pseudonym's original value. Review the entity map in the Entities section of the vault.

Healthcare K-Anonymity Guard

Background

K-anonymity is a privacy model in which every record in a released dataset is indistinguishable, on its quasi-identifiers, from at least k-1 other records. Its premise is that stripping names is not sufficient for healthcare data: even without a name, a combination of quasi-identifiers (age, location, medical condition) can uniquely identify an individual in a small population.

For example: "52-year-old female with lupus in Austin, Texas" may be uniquely identifiable even with no name present.

How Redact Applies It

For requests with doc_class: healthcare, after anonymization Redact scans for the presence of:

  • Age: 35-year-old, aged 40, a 65-year-old patient
  • Location: US city names (50 major cities) or ZIP codes
  • Medical condition: 50+ conditions including diabetes, cancer, hypertension, HIV, Alzheimer's, ADHD, pregnancy, and more

If 2 or more of these three categories are present in the same message, the record is flagged with quasi_id_risk: true. The check is a heuristic over fixed lists: a city outside the 50 or a condition outside the list does not count toward the flag, so an unflagged record is not proof that no quasi-identifiers remain.
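
The three-category check, as an added example (not Redact's own code). The city and condition lists here are constructed subsets for illustration, where the page says the real guard uses 50 major US cities and 50+ conditions; the age and ZIP patterns are this example's reading of the forms the page lists. It runs on the anonymized message, after names are gone.

```python
import re

# Added example of the quasi-identifier heuristic; not Redact's own code.
# Constructed subsets of the real lists, for illustration only.
CITIES = {"austin", "houston", "dallas", "new york", "chicago", "los angeles", "boston", "seattle"}
CONDITIONS = {"diabetes", "cancer", "hypertension", "hiv", "alzheimer's", "adhd", "pregnancy", "lupus", "asthma"}

# Matches "35-year-old", "a 65-year-old patient", "aged 40"
AGE_RE = re.compile(r"\b\d{1,3}[- ]year[- ]old\b|\baged\s+\d{1,3}\b", re.IGNORECASE)
# 5-digit ZIP, optionally ZIP+4
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")


def _term_regex(terms):
    # Longest term first; word boundaries stop "hiv" matching inside "hive".
    alt = "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True))
    return re.compile(r"\b(?:" + alt + r")\b", re.IGNORECASE)


CITY_RE = _term_regex(CITIES)
COND_RE = _term_regex(CONDITIONS)


def quasi_identifiers(text):
    """Return the quasi-identifier categories present in text, with the
    first matching span for each, e.g. {"age": "52-year-old", ...}."""
    found = {}
    for category, patterns in (("age", (AGE_RE,)),
                               ("location", (CITY_RE, ZIP_RE)),
                               ("condition", (COND_RE,))):
        for pattern in patterns:
            m = pattern.search(text)
            if m:
                found[category] = m.group(0)
                break
    return found


def k_anon_guard(message, doc_class):
    """Apply the guard only to healthcare requests; flag the record when
    2 or more of the three categories co-occur in the same message."""
    if doc_class != "healthcare":
        return {"quasi_id_risk": False, "quasi_identifiers": {}}
    found = quasi_identifiers(message)
    return {"quasi_id_risk": len(found) >= 2, "quasi_identifiers": found}


if __name__ == "__main__":
    print(k_anon_guard("52-year-old female with lupus in Austin, Texas", "healthcare"))
    print(k_anon_guard("Patient reports worsening asthma.", "healthcare"))
```

Returning the matched spans alongside the flag is what makes the warning actionable: a reviewer can see which anchor (the age, the ZIP, the condition) to strip rather than re-reading the document.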

What It Does

The flag is a warning; the request still completes. Use it to:

  • Identify documents that need a stricter policy (enable date shifting, location stripping)
  • Trigger manual review before the response is used downstream
  • Report to compliance teams in the PDF audit export

To eliminate quasi-identifier risk, enable Shift Dates in your healthcare policy (this removes the age and date anchors) and make sure your prompt design removes location references.


API Key Scope Enforcement

Per-Key Document Class Restrictions

When you create an API key, you can restrict it to one or more document classes:

Key: "Contract Review Agent Key"
Allowed doc classes: ["legal"]

Any request from this key where the active policy's doc_class is not legal (e.g. healthcare or finance) is rejected before anonymization:

HTTP 403
{
  "error": {
    "message": "API key not scoped for doc_class 'healthcare'. Allowed: legal",
    "type": "permission_denied"
  }
}

The blocked request is still written to the vault with status: blocked and blocked_reason populated. This appears in the Blocked Requests security metric.
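
The enforcement path, as an added example (not Redact's own code): the scope check runs before anonymization, a rejection reproduces the 403 body shown above, and the blocked request is still written to the vault. The request and vault record shapes, the `None`-means-unrestricted convention for keys and the success status value are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example of per-key document class enforcement; not Redact's own code.
# Record shapes are assumptions; the 403 body matches the format the page shows.


@dataclass
class ApiKey:
    name: str
    allowed_doc_classes: Optional[list] = None   # None = unrestricted (assumption)


def check_scope(key, policy_doc_class):
    """Return None when the key may process policy_doc_class, otherwise the
    (status, body) pair for the rejection."""
    if key.allowed_doc_classes is None or policy_doc_class in key.allowed_doc_classes:
        return None
    allowed = ", ".join(key.allowed_doc_classes)
    return 403, {"error": {
        "message": f"API key not scoped for doc_class '{policy_doc_class}'. Allowed: {allowed}",
        "type": "permission_denied",
    }}


def handle_request(key, policy_doc_class, vault):
    """Scope check first, before any anonymization work. A rejected request
    is still recorded with status blocked and blocked_reason populated, so
    redirection attempts show up in the Blocked Requests metric."""
    denial = check_scope(key, policy_doc_class)
    if denial is not None:
        status, body = denial
        vault.append({"api_key": key.name, "doc_class": policy_doc_class,
                      "status": "blocked", "blocked_reason": body["error"]["message"]})
        return status, body
    # anonymization, LLM call and leakage scan would run here
    vault.append({"api_key": key.name, "doc_class": policy_doc_class, "status": "ok"})
    return 200, {"status": "ok"}


def blocked_requests(vault):
    """The Blocked Requests security metric: vault records with status = blocked."""
    return sum(1 for rec in vault if rec["status"] == "blocked")


if __name__ == "__main__":
    vault = []
    key = ApiKey("Contract Review Agent Key", ["legal"])
    print(handle_request(key, "legal", vault))
    print(handle_request(key, "healthcare", vault))
    print("blocked:", blocked_requests(vault))
```

The check keys off the active policy's doc_class, not anything the caller asserts about itself, which is why an agent holding the key cannot talk its way past it.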

Why This Matters

Scope enforcement implements least privilege for AI agents: a compromised contract review agent cannot be redirected to process patient records or financial data. The restriction is enforced server-side, so the agent cannot override it.


Security Metrics Reference

Metric              Source                   Meaning
Leakage Detections  leakage_detected = true  LLM echoed real PII; scrubbed before return unless scrubbing is disabled
Blocked Requests    status = blocked         Key scope mismatch
K-Anon Flagged      quasi_id_risk = true     Healthcare quasi-identifier combination detected