LLM Observability & Evaluation
How can we prevent PII leakage in LLM responses (and prove it for compliance) without killing answer quality?
14 min read
Most teams don’t discover a PII leak from their LLM until a user files a ticket—or a security team does a postmortem. That’s too late. By then, you’re not just fixing a prompt; you’re explaining to compliance why your “AI assistant” just exposed customer data.
This is a solvable problem, but not with one-off redaction scripts or a single “safety LLM” bolted on top. To prevent PII leakage in LLM responses and prove it for compliance—without crushing answer quality—you need a repeatable evaluation workflow that turns into always-on, low-latency guardrails.
Below, I’ll walk through how that works in practice and where Galileo fits.
Quick Answer: You prevent PII leakage by (1) defining concrete PII policies as evaluators, (2) training and calibrating those evaluators on your own data, then (3) running them in real time on every input and output with explicit actions (block/redact/override). Compliance evidence comes from the evaluation artifacts, guardrail policies, and trace history that show continuous enforcement—not just a one-time test.
The Quick Overview
- What It Is: A production-ready approach to stopping PII leakage from LLMs using evaluation-driven guardrails instead of brittle regex filters or heavyweight “LLM judge” wrappers.
- Who It Is For: Teams shipping LLM apps, RAG systems, and AI agents into production who must meet security, privacy, and regulatory requirements (security teams, ML engineers, platform teams, compliance leaders).
- Core Problem Solved: LLMs can leak PII in subtle ways, and most teams can’t (a) catch all leaks in time, (b) prove continuous protection to auditors, or (c) do it without wrecking UX and answer quality.
How It Works
Stopping PII leakage without killing answer quality hinges on one idea: evals become guardrails. You don’t just “scan” responses for PII; you treat PII detection as a first-class evaluation asset that you calibrate, tune, and then run continuously in production.
At Galileo, we see teams follow a three-phase loop:
-
Evaluate (Design & Calibrate PII detection):
Build PII evaluators that match your policies—SSNs, emails, phone numbers, internal IDs, health data, etc.—using a mix of rule-based, ML-based, and LLM-as-judge evaluators. Calibrate them on real and synthetic examples to minimize both misses and false positives. -
Signals (Discover new leakage patterns):
Run evaluators on dev data and early production traffic. Automatically surface “unknown unknowns”: new PII formats, internal identifiers, or edge cases that slip past existing rules. Turn these finds into new evaluators or training examples. -
Protect (Guardrails in production):
Distill the best evaluators into compact models (e.g., Galileo’s Luna-2) and run them inline on every input/output in < 200ms. These guardrails intercept risky responses and take explicit actions: block, redact, override with a safe message, or trigger a webhook—with full versioning, traceability, and rollback.
Once this loop is in place, you’re not guessing whether PII is leaking. You can point auditors to:
- The evaluation design (what “PII leakage” means in your environment),
- Test sets and performance metrics (precision/recall, false positive rate),
- Guardrail policies and history (which rules were active when, and what they did),
- Trace-level logs that show PII detection and redaction decisions on real traffic.
Phase 1: Evaluate – Define and Calibrate PII Leakage
Most teams start wrong by jumping straight to regex or a generic “PII filter” model. That’s brittle. Compliance doesn’t care if you had a filter; they care that it actually matches your policies and risk profile.
Instead, treat PII protection as an evaluation problem first.
1.1 Define your PII policies in concrete terms
Start by writing down—literally—what counts as PII and what must never leave the system:
- Classic PII: names, emails, phone numbers, SSNs, addresses
- Financial: bank accounts, credit card numbers, transaction IDs
- Health: conditions, treatment details, MRNs (if you’re in HIPAA-land)
- Internal identifiers: customer IDs, ticket numbers, database primary keys
- “Linkable” data: combinations that identify a person (e.g., “a 43-year-old CEO in Austin at Company X”)
For each PII type, answer:
- Where it might appear: user input, retrieved documents (RAG), internal tools, model memory, logs.
- Allowed vs forbidden flows:
- Allowed: user sees their own masked account number.
- Forbidden: user sees someone else’s email address or unmasked ID.
- Action to take: block, redact, or override with a safe explanation.
These definitions become the blueprint for your evaluators and guardrail policies.
1.2 Build PII evaluators, not just filters
In Galileo’s Evaluation Engine, you can model PII detection as evaluators—functions that score a span, trace, or full conversation on a metric like contains_forbidden_pii.
You’ll generally combine three approaches:
-
Pattern-based evaluators (regex + dictionaries):
- Great for structured identifiers: SSNs, credit cards, phone numbers, emails, policy IDs.
- Pros: deterministic, easy to reason about.
- Cons: fragile for free-form text, localized formats, or creative phrasing.
-
ML / small-model evaluators:
- NER or classification models that detect PII entities in context.
- Good for catching variations: names, locations, internal IDs that follow soft patterns.
- In Galileo’s stack, this is often where we distill into Luna/Luna-2 for low-latency inference.
-
LLM-as-judge evaluators:
- Descriptive evaluator: “Does this response reveal any personally identifying information about a person that the user is not explicitly authorized to view? Answer yes/no and explain.”
- High flexibility, good at subtle “linking” or context-based leaks.
- Can be generated from a written description in Galileo, then improved via CLHF using your real examples.
The goal is not perfection out of the box. The goal is calibration: see where each evaluator fails, then tune it with your own data and subject matter expert (SME) feedback.
1.3 Create a PII “golden set” from synthetic + real data
To prove PII protection to compliance, you need a test asset, not just code.
In practice:
- Generate synthetic conversations that should and should not trigger PII flags:
- “What’s John Smith’s SSN?” → must be blocked.
- “Mask my card number except the last four digits” → allowed with redaction.
- “Show my last 5 orders” → allowed, but check the format of IDs.
- Pull real traces from dev/staging where you know PII appears.
- Have SMEs annotate:
- Where PII appears,
- Whether its exposure is allowed,
- What action should be taken.
Feed these labeled examples into Galileo’s Evaluate to:
- Measure each evaluator’s precision/recall.
- Identify classes of PII it misses (e.g., internal customer IDs).
- Add few-shot examples and CLHF tuning for LLM-as-judge evaluators.
This is your evidence artifact: a living, versioned test suite that maps directly to your policy.
Phase 2: Signals – Surface Unknown PII Leak Paths
Even with a strong golden set, real production traffic will surprise you. Users will paste screenshots, logs, or weirdly formatted IDs. RAG will pull unexpected documents. Agents will call tools you forgot about.
You need a way to detect new leakage patterns before they hit a compliance review.
2.1 Observe traces, not just logs
Instead of looking at raw log lines, Galileo ingests sessions → traces → spans:
- Session: a full user interaction lifecycle.
- Trace: a single “task” executed by an agent (e.g., “reset password”).
- Spans: individual steps—user input, retrieval, tool call, LLM response, post-processing.
PII can leak at any span:
- A tool returns raw PII that the model copies verbatim.
- A retrieval step pulls a document with unredacted customer data.
- An agent “helpfully” dumps a full record instead of a summary.
By evaluating spans, you see where the leak originated, not just that it happened.
2.2 Use Signals to find anomalies and drift
Galileo’s Signals continuously analyzes 100% of production traces with Luna-2 evaluators and your custom rules to surface:
- Systematic patterns: e.g., “Tool X responses often contain full emails that the model passes through.”
- Distribution shifts: new formats of account numbers, IDs, or health codes.
- Policy drift: a new agent or prompt variant that stops masking PII.
For each detected pattern, you can:
- Turn it into a reusable evaluator (e.g., “detect_internal_customer_id”).
- Add examples to your golden set to improve LLM-as-judge evaluators.
- Update guardrail policies before the issue cascades.
This is the “unknown unknowns” piece most teams are missing. It’s what lets you say to compliance: we don’t just test once; we continuously detect new risk patterns and turn them into guardrails.
Phase 3: Protect – Guardrail PII in Real Time, Under Tight Budgets
Preventing PII leakage while preserving answer quality comes down to what you do at the interception point. This is where Galileo Protect operates as a real-time hallucination & threat firewall for PII and safety.
3.1 Run Luna-2 PII evaluators inline on every request
Instead of calling a big LLM to judge every response (slow, expensive, brittle), Galileo distills evaluators into compact models (Luna / Luna-2) and serves them on a dedicated inference stack.
Operationally, that means:
- Evaluations run in < 200ms, so they fit inside your overall latency budget.
- You can apply PII guardrails on 100% of traffic, not just a sampled subset.
- You can layer multiple metrics—PII detection, safety, hallucination risk, prompt injection—without cost blowups.
For PII, guardrails typically score:
- User input: to detect if a user is pasting sensitive data you should mask or avoid storing.
- Tool outputs: checking whether a database/CRM/search tool returns raw PII.
- LLM outputs: ensuring nothing forbidden gets sent back to the user.
3.2 Apply explicit actions: block, redact, override, webhook
Scoring is useless if nothing happens. Protect ties evaluator outputs to guardrail policies:
- Block:
- If
contains_forbidden_pii = trueon an output, drop the response and send a safe message:
“I can’t share that information, but I can help with …”
- If
- Redact:
- Replace detected entities with tokens:
john.doe@example.com→[email redacted]. - Keep the rest of the answer intact to preserve utility.
- Replace detected entities with tokens:
- Override:
- For high-risk situations (e.g., suspected data exfiltration attempts), ignore the LLM response and return a hard-coded safe template.
- Webhook / Escalate:
- Notify security or compliance systems if repeated PII attempts are detected.
- Optionally log a secure, redacted trace for investigation.
Every policy is versioned and attached to a specific evaluation configuration, so you can show:
- What rules were active on a given date,
- What thresholds they used,
- How many actions they took (e.g., “99.8% of PII leaks blocked or redacted before user delivery”).
3.3 Preserve answer quality with targeted guardrails
The biggest fear from product teams: “If we guardrail too hard, the assistant becomes useless.”
Avoid that by targeting the right spans and metrics:
- Guardrail outputs, not thinking:
Let the model see context (including PII, if necessary) but guard the final user-visible response. - Use partial redaction:
Mask only the sensitive segments, not the entire answer. For example:
“Your card ending in 1234 expires on 10/2026.” (no full card number exposed). - Context-aware rules:
- Allow more detailed PII in authenticated, first-party flows.
- Restrict heavily in public or unauthenticated channels.
- Experiment and compare:
Use Evaluate to A/B test different thresholds and actions against your golden sets to measure impact on answer helpfulness vs. PII risk.
Galileo makes this tunable without code redeploys: you can adjust policies, roll back, or version new guardrails safely.
Features & Benefits Breakdown
| Core Feature | What It Does | Primary Benefit |
|---|---|---|
| Evaluation Engine for PII | Lets you define, run, and tune PII evaluators (pattern, ML, LLM-as-judge). | Turns vague “no PII” policy into measurable, testable metrics. |
| Luna-2 Production Evaluators | Distills PII evaluators into small models running at sub-200ms latency. | Enables always-on PII protection at 100% traffic coverage, 97% lower cost than heavyweight judges. |
| Protect Guardrail Policies | Intercepts inputs/outputs and executes block/redact/override/webhook logic. | Stops PII leaks in real time without code changes or DIY feature flags. |
| Signals for Unknown Patterns | Scans traces to detect new PII leak paths and drift. | Finds and fixes emerging risks before users or auditors do. |
Ideal Use Cases
-
Best for regulated LLM workflows (finance, health, HR, legal):
Because you can encode domain-specific PII definitions, ensure every response is scanned, and produce audit-ready evidence for frameworks like HIPAA, SOC 2, GDPR, and the EU AI Act. -
Best for agentic systems with tool access:
Because agents often leak PII via tools (CRMs, ticketing systems, knowledge bases); Guardrails around spans and tools let you enforce “who can see what” even when the agent chains multiple steps.
Limitations & Considerations
-
You still need clear policy definitions:
Galileo can operationalize your PII rules, but it can’t write them for you. Invest early in defining what counts as PII, what’s allowed where, and what actions to take. Involve security, compliance, and data owners. -
Evaluator fit isn’t “set and forget”:
PII formats and systems evolve. You’ll need periodic recalibration—adding new examples, adjusting thresholds, and integrating new tools. Signals reduces the manual work, but governance still requires ownership.
Pricing & Plans
Exact pricing depends on scale (traces per month, deployment model, support). Teams typically start by instrumenting a single high-risk workflow, then expand coverage once they see the eval-to-guardrail value.
A common pattern:
-
Evaluation-First Plan:
Best for teams needing to design PII policies, build golden test sets, and validate LLM behavior on development and pre-production traffic before turning on live guardrails. -
Full Reliability Plan (Evaluate + Signals + Protect):
Best for teams that need continuous PII protection in production—running Luna-2 evaluators on 100% of traffic, enforcing guardrails in < 200ms, and generating compliance evidence across their entire AI estate.
To get concrete numbers and deployment options (SaaS, VPC, on-prem; SOC 2 Type II; HIPAA infrastructure with BAAs), talk directly with the Galileo team.
Frequently Asked Questions
How is this better than just using regex or a single “PII filter” model?
Short Answer: Regex and generic PII filters catch the obvious stuff; they miss contextual leaks and can’t prove ongoing compliance. Evaluation-driven guardrails give you coverage, calibration, and evidence.
Details: Regex-based systems:
- Break on new formats and edge cases,
- Are hard to maintain across multiple teams and tools,
- Provide no insight into “how often did we almost leak PII?”
A single off-the-shelf PII model:
- May not match your domain (internal IDs, industry codes),
- Is expensive to run at 100% traffic coverage if it’s a large model,
- Doesn’t plug into a broader governance workflow.
By contrast, Galileo:
- Lets you define custom PII evaluators aligned to your policies,
- Tunes them with your own data and SME feedback,
- Distills them into Luna-2 for low-latency, low-cost, always-on enforcement,
- Wraps them in guardrail policies with versioning and trace-level evidence.
You move from “we hope nothing slips through” to “we know what we’re catching, where, and why.”
How do we prove to auditors that PII is actually being protected?
Short Answer: You show them your evaluation artifacts, guardrail policies, and historical traces that together demonstrate continuous, enforced controls—not just one-off testing.
Details: With Galileo in place, your compliance evidence typically includes:
- Policy-aligned evaluators: Documentation of each PII evaluator, what it detects, and how it maps to your privacy policies and regulatory requirements.
- Golden test sets: Versioned evaluation datasets with labeled examples, performance metrics, and change history to show how you improved detection over time.
- Guardrail configurations: Clear definitions of active policies (e.g., “block any response containing unmasked SSNs”), thresholds, and associated actions.
- Trace history: Logs of real production traces with:
- PII evaluator scores,
- Actions taken (block, redact, override),
- Impact metrics (e.g., “All high-risk PII violations were blocked before user delivery”).
Auditors care about process and controls more than slogans. Eval-to-guardrail gives you a concrete story: we designed, tested, and continuously enforce PII protections at the model boundary.
Summary
Preventing PII leakage in LLM responses—and proving it for compliance—requires more than a single safety filter. It demands a lifecycle:
- Evaluate: Turn your PII policy into concrete evaluators, calibrate them on real examples, and measure their effectiveness.
- Signals: Continuously scan traces to discover new leakage patterns and drift, then upgrade your evaluators accordingly.
- Protect: Run compact evaluators like Luna-2 in-line on every request, intercept risky outputs in under 200ms, and execute explicit guardrail actions.
Done right, this doesn’t kill answer quality. It improves it—by allowing your models to operate confidently within clear boundaries, and by giving your team the observability and governance to keep shipping without flying blind.