If an LLM sees sensitive data during inference, how do we handle deletion requests or “right to be forgotten” later?
Data Security Platforms

If an LLM sees sensitive data during inference, how do we handle deletion requests or “right to be forgotten” later?

10 min read

Most teams discover too late that large language models don’t come with a “delete” button. Once an LLM has seen sensitive data, it’s natural to ask how to honor deletion requests or a data subject’s “right to be forgotten” later—especially under regulations like GDPR and CCPA. The hard truth is that you can’t surgically remove specific data from a trained model without retraining it, so the real solution is to prevent the model from “learning” that data in the first place.

This article explains what actually happens when an LLM sees sensitive data during inference, what’s realistically possible for deletion or “unlearning,” and the architectural patterns you should use to stay compliant and privacy-safe.

What happens when an LLM sees sensitive data during inference?

When people talk about LLMs “seeing” data, there are three distinct layers to think about:

  1. The model weights

    • The pre-trained model parameters that encode patterns from training data.
    • Once trained, there is no practical way to delete a specific piece of sensitive data from these weights without retraining or fine-tuning with special techniques.
    • This is why LLMs are often described as having an indelible memory—they “never forget.”

  2. Runtime inputs and outputs

    • Prompts users send to the model and the responses the model generates.
    • Depending on your setup, these may be logged by the LLM provider or by your own app infrastructure.
    • These logs are usually the only place where you can reliably apply deletion or “right to be forgotten” controls.

  3. Retrieval / knowledge layer (e.g., RAG)

    • Documents, embeddings, and indices used to augment the model’s responses.
    • This layer often contains customer, employee, or proprietary data.
    • Unlike the model weights, this data can be updated or deleted—if you architect it correctly.

Understanding these layers is key: deletion requests can be honored in the logs and retrieval layer, but not inside the core model itself.

Why LLMs don’t have a real “delete” button

LLMs are trained on massive datasets and compress statistical patterns into their parameters. That design creates several problems:

  • No per-record addressability
    The model doesn’t store a record like “Customer X’s Social Security Number is 123-45-6789.” Instead, it encodes patterns across many examples. You can’t simply locate and remove “one row.”

  • Unlearning is a research problem, not a standard feature
    There’s active research into machine unlearning, but today’s production LLMs don’t ship with a robust, auditable “forget this specific user” capability.

  • Retraining is expensive and slow
    In theory, you could retrain or fine-tune a model excluding certain data. In practice, this is costly, complex, and still may not provide strong guarantees that the model has fully “forgotten” the data.

Because of this, it’s dangerous to feed sensitive data directly into a model without controls. If a model ingests personal data during training or persistent fine-tuning, you cannot practically guarantee deletion later in the sense regulators usually expect.

Compliance implications: GDPR, CCPA, and “right to be forgotten”

Modern privacy regulations assume:

  • You know where personal data is stored.
  • You can delete or anonymize it upon request.
  • You can demonstrate how you enforce those rights.

With LLMs:

  • Model weights are effectively immutable personal-data sinks if you train on raw PII.
  • Auditability is weak—you can’t point to where in the model a specific user’s data lives.
  • Regulatory risk increases if you rely on “the model won’t output that exact string again” as your compliance strategy.

To stay aligned with “right to be forgotten” requirements, you must ensure that:

  1. Sensitive data never becomes part of the model’s permanent memory, and
  2. Any components that do store personal data are fully addressable and deletable.

That leads directly to architectural guardrails.

The core strategy: prevent the model from remembering sensitive data

The safest way to handle deletion requests is to design your system so an LLM never actually learns sensitive data in the first place. Instead of asking “how do we make the model forget?”, ask:

“How do we keep sensitive data out of the model’s permanent memory, while still using LLMs to work with that data safely?”

Key principles:

  1. Don’t train or fine-tune on raw PII or sensitive data.
  2. Use LLMs in a “stateless” inference mode where prompts and responses are not retained or reused as training data.
  3. Keep sensitive data in systems that support deletion (databases, vaults, RAG stores), not in the model itself.
  4. Control what reaches the model with tokenization, masking, and redaction.

When you apply these principles, deletion requests become manageable because sensitive information lives in systems that do support deletion—not inside the model.

Handling deletion when an LLM sees sensitive data during inference

Even if you never train on PII, the model may still see sensitive data at inference time: user prompts, retrieved documents, intermediate context, or chat histories. Here’s how to handle deletion and “right to be forgotten” in that scenario.

1. Control and purge prompts and responses

If a user sends sensitive data in a prompt:

  • Own your logs

    • Configure your infrastructure so prompts and outputs are stored in your environment, not only in the provider’s logs.
    • Tag each interaction with a robust user/subject identifier so you can later locate all related data.

  • Disable training on your traffic

    • For third-party APIs, explicitly opt out of “use your data to improve our services” options.
    • If you can’t disable this, don’t send sensitive data to that provider.

  • Implement deletion hooks

    • When a data subject requests deletion:
      • Search your application logs, analytics, and any prompt/response stores for that user’s identifier.
      • Delete or anonymize the records.
    • Make this process automated and auditable.

This doesn’t change the model’s weights, but it removes stored traces of their data from your systems and minimizes ongoing risk.

2. Isolate sensitive data in the retrieval layer (RAG)

Retrieval Augmented Generation (RAG) is now the default pattern for safely using fast-changing, domain-specific data. RAG is also your best friend for “right to be forgotten” compliance:

  • Keep sensitive content out of the model and in a separate store

    • Customer profiles, tickets, contracts, internal docs, and similar data live in a secure datastore or vector database.
    • The LLM only sees relevant snippets retrieved at query time.

  • Make the retrieval store deletion-friendly

    • Store documents, embeddings, and metadata with clear identifiers (e.g., customer_id, subject_id).
    • On deletion request:
      • Delete or anonymize the raw documents.
      • Delete associated embeddings and index entries.
      • Invalidate caches that might still serve that user’s data.

  • Ensure future queries can’t retrieve deleted data

    • After removal, your retrieval layer should simply no longer return that user’s records to the LLM.
    • From a practical perspective, the system has “forgotten” the data for future interactions, even if the model weights once saw it transiently.

The source data for RAG may contain customer, employee, or proprietary information. Because you control that source, you can enforce actual deletion and demonstrate compliance.

3. Use tokenization and redaction at the edges

To further reduce risk when an LLM sees sensitive data:

  • Tokenize sensitive fields before they reach the model

    • Replace direct identifiers (names, SSNs, emails, card numbers) with tokens or pseudonyms.
    • The model operates on tokens (e.g., user_12345) instead of raw identifiers.
    • On deletion request, invalidate or delete the mapping from token to real identity in your vault; the token becomes meaningless.

  • Apply dynamic redaction

    • Use a pre-processing layer to detect and mask PII in prompts or RAG documents before they are sent to the model (****-****-****-1234, [REDACTED_EMAIL], etc.).
    • If the LLM never sees the raw value, you don’t need to “unlearn” it later.

  • Limit context retention

    • For chat-style interfaces, avoid long-lived, user-specific conversation histories when dealing with highly sensitive data.
    • Where histories are necessary, store them in a system that supports deletion by user ID and prune on request.

What you can and cannot honestly promise users

To remain transparent and compliant, your policies and UX should reflect what’s technically possible:

You can safely commit to:

  • Deleting stored prompts, responses, and metadata associated with a user in your logging, analytics, and RAG stores.
  • Removing the user’s data from your retrieval indices so it’s no longer used to answer future questions.
  • Revoking mappings for tokenized identifiers, preventing any future re-identification.

You should not claim that:

  • You can surgically delete their data from a pre-trained foundation model you don’t control.
  • You can guarantee that the model never internalized any pattern from their data if it was used in training or persistent fine-tuning.

Instead, be explicit:

  • Your architecture is designed so that sensitive data is not used to train or fine-tune base models.
  • Any personal data is processed transiently for inference and stored only in systems where it can be deleted or anonymized on request.

Recommended architecture for deletion-safe LLM usage

To reliably handle deletion requests and “right to be forgotten” while using LLMs:

  1. Keep foundation models generic

    • Use vendor or open-source models trained on broad, non-customer-specific data.
    • Do not fine-tune them on raw PII or highly sensitive customer content.

  2. Use a privacy-preserving data layer

    • Store customer and employee data in a system purpose-built for sensitive data (e.g., a data privacy vault).
    • Tokenize PII and only expose tokens or filtered fields to downstream systems.

  3. Adopt RAG for domain knowledge

    • Serve domain-specific information to the LLM via retrieval—documents, knowledge bases, ticket histories, etc.
    • Implement robust procedures to delete or anonymize these records and re-index on deletion.

  4. Enforce strong access and logging controls

    • Log who accessed what data and when, including through AI features.
    • Make sure deletion requests trigger a consistent process across all relevant stores.

  5. Implement a formal deletion workflow

    • Central entry point for data subject requests (DSARs).
    • Orchestrated deletion across:
      • Application databases
      • Prompt/response logs
      • RAG stores / vector databases
      • Tokenization/vault mappings
    • Documentation of what is and isn’t possible in relation to LLMs.

Handling accidental exposure: what if sensitive data slipped through?

If sensitive data has already been sent to an LLM during inference:

  1. Stop further exposure

    • Update filters/redaction rules so the same pattern doesn’t reoccur.
    • Verify provider settings to ensure your traffic isn’t being used for training.

  2. Purge local logs and stores

    • Delete prompts, responses, and related metadata containing that data.
    • Remove any embeddings or documents created from the sensitive content.

  3. Assess vendor risk

    • If the data was sent to a third-party LLM, review their data retention and training policies.
    • Request log deletion if supported; document it for audit purposes.

  4. Update policies and UX

    • Adjust your data entry flows to discourage or block users from entering highly sensitive data where it isn’t necessary.
    • Reflect your updated controls in your privacy notice.

You still cannot rewrite the model’s core weights, but you can significantly limit ongoing risk and demonstrate diligent handling.

Summary: practical deletion and “right to be forgotten” for LLM systems

For the scenario described by the slug if-an-llm-sees-sensitive-data-during-inference-how-do-we-handle-deletion-request, the key takeaways are:

  • LLMs don’t have a delete button: you can’t realistically remove specific sensitive data from an already-trained model.
  • Privacy compliance hinges on keeping sensitive data out of model training and instead:
    • Processing it transiently at inference, and
    • Storing it only in systems that support deletion (databases, RAG stores, vaults, logs you control).
  • Use RAG, tokenization, and redaction to give the model access to necessary context without permanently embedding PII into model weights.
  • When a deletion request or “right to be forgotten” request arrives:
    • Delete prompts, responses, and metadata for that user in your systems.
    • Remove their data from retrieval indices and invalidate tokens.
    • Ensure future queries cannot retrieve or reconstruct the deleted user’s information.

By architecting your LLM system around these principles, you can deliver powerful AI capabilities while still honoring deletion rights and maintaining strong privacy guarantees.

Back to Data Security Platforms

Keep Reading

More from Data Security Platforms

Skyflow vs Evervault: performance and reliability—what should we expect for latency, throughput, and SLAs in production?

Read more

Does Skyflow sign a BAA for HIPAA, and what’s the process to get it in place?

Read more

Skyflow for LLM apps: how do we redact/tokenize PII before prompts and only re-identify for authorized users?

Read more