PII redaction is the process of automatically detecting and removing — or replacing — personally identifiable information in text, images, audio, or other content before that content is shared, stored, or sent to a third party. In an AI context, PII redaction usually happens in the moment between when a user types a prompt and when that prompt is transmitted to a large language model (LLM) such as ChatGPT, Claude, or Gemini.

This guide explains what PII redaction is, why it matters specifically for AI workflows, how the modern techniques work, and how to choose between them.

What counts as PII?

Personally identifiable information is any data that can be used, alone or in combination, to identify a specific person. The U.S. National Institute of Standards and Technology (NIST) and most international privacy regulations break PII into two practical buckets:

Direct identifiers: information that names a person on its own — full name, government ID, passport number, email address, phone number, biometric template.
Indirect identifiers: information that identifies a person when combined with other data — date of birth, ZIP code, employer, IP address, device fingerprint, rare medical condition.

Different regimes use different vocabulary. PHI (protected health information) under HIPAA is a regulated subset of PII tied to health care; NPI (nonpublic personal information) under GLBA is the financial-services equivalent; personal data under GDPR is broader still and includes anything "relating to an identified or identifiable natural person."

For AI redaction purposes, treat all of these as "sensitive entities" and design the system to recognize them.

Why PII redaction matters in AI workflows

Three forces converge to make redaction essential for AI:

Prompts cross a trust boundary. Once text is sent to an LLM provider, the user no longer controls retention, access, or downstream use. Redaction keeps the sensitive bits on the user's device.
Regulations apply at the point of disclosure. HIPAA, GDPR, CPRA, and similar laws treat sending regulated data to a processor as a controlled event. Redaction reduces or eliminates the controlled disclosure.
AI outputs amplify exposure. Once PII appears in a prompt, it tends to appear in the response, then in the screen-share, then in the meeting recording, then in the saved transcript. Redaction at the source breaks the chain early.

In practice, a well-designed redaction layer turns "I can't use AI for this task" into "I can use AI safely for this task," which is the difference between a tool that gets quietly avoided and one that is genuinely productive.

The four main redaction techniques

Not all redaction is equal. The technique you choose changes how much utility the AI keeps and how reversible the operation is.

1. Removal

The sensitive value is deleted. "Patient John Smith was admitted on June 4" becomes "Patient was admitted on June 4."

Strength: Maximum privacy; the data is simply gone.
Weakness: The model loses context. It cannot follow up with "what about John specifically?" because John no longer exists in the prompt.

2. Masking with a placeholder

The sensitive value is replaced with a generic label. The example becomes "Patient [NAME] was admitted on [DATE]."

Strength: Preserves structure; the model still understands that there is a name and a date.
Weakness: Identical labels for distinct entities collapse them. Two patients become "[NAME] and [NAME]," and the model cannot tell them apart.

3. Pseudonymization (synthetic substitution)

Each sensitive value is replaced with a realistic but fake one. "John Smith" becomes "Mira Patel"; "555-12-3456" becomes "555-99-7842."

Strength: The model sees a full, coherent document; it can reason about distinct entities and produce useful drafts.
Weakness: Without a mapping, the user cannot reliably restore the originals in the response.

4. Reversible tokenization

Each sensitive value is replaced with an opaque token, and a local mapping links each token back to its original. "John Smith" becomes "<token-name-1>"; the mapping is stored only on the user's device.

Strength: Best of both worlds — the original never leaves the device, but the user can see the response with real names restored.
Weakness: Requires a client-side component to manage the mapping; without one, the response is full of opaque tokens.

Most modern AI privacy tools, including Sonomos, default to reversible tokenization or pseudonymization because they preserve the most utility while keeping the source data local.

How modern PII detection actually works

Detecting PII reliably is harder than it looks. A simple regular expression catches obvious patterns — Social Security numbers, credit cards, email addresses — but misses anything contextual. Effective redaction stacks three layers:

Pattern matching. Regex and rule-based detectors handle structured data: card numbers (with Luhn check), IBANs, government IDs, dates, phone numbers.
Named-entity recognition (NER). Lightweight machine-learning models classify spans of text as person, organization, location, medical term, or other entity types.
Context rules. Heuristics that boost or suppress confidence based on surrounding tokens — "Dr. Smith" is almost certainly a person; "Smith & Wesson" almost certainly is not.

The detection runs locally — on the device, in the browser — for the same reason redaction does: sending text to a cloud detector to find out whether it contains PII also sends the text outside the trust boundary.

What "local-first" PII redaction means

Local-first means the detection model and the substitution logic both run on the user's device. The implications are concrete:

No network round trip is required to redact a prompt; latency stays under a frame.
No vendor in the middle has access to the unmasked text — including the redaction vendor.
Offline capability is preserved; redaction works on a plane or behind a corporate proxy.
Auditability is straightforward: the only outbound traffic is the already-redacted prompt to the AI provider.

For browser-based AI tools, "local-first" usually means a browser extension that intercepts the prompt in the page's DOM, runs detection in WebAssembly or a small JavaScript model, applies tokenization, and submits the safe version.

Frequently asked questions

What is the difference between PII redaction and data anonymization?

Redaction is an operation on a specific document or prompt: this name, in this paragraph, becomes a token. Anonymization is a property of a dataset: after processing, no individual can be re-identified, even by combining records. Redaction is a building block; anonymization is a goal that may require additional steps such as k-anonymity, l-diversity, or differential privacy.

Does PII redaction make a workflow HIPAA compliant?

Redaction reduces the disclosure of PHI but is not, by itself, sufficient for HIPAA compliance. Compliance requires policies, training, business associate agreements where applicable, and technical safeguards across the workflow. That said, redacting PHI before it ever reaches an AI provider materially shrinks the BAA surface and removes one of the most common modes of accidental disclosure.

Can AI redact its own input?

Asking an LLM to redact a prompt before processing it is self-defeating: the unmasked prompt has already been sent. Effective redaction must happen before the request leaves the user's device, in a component the LLM never sees.

What about images, audio, and video?

The same principles extend, but the techniques differ. Image redaction uses computer vision to detect faces, license plates, and on-screen text. Audio redaction uses speech-to-text plus the same NER stack, then bleeps or substitutes the audio segment. Video combines both. As of 2026, the strongest local-first tools focus on text — the dominant input format for chat-style AI — and integrate with cloud services for media when needed.

Is reversible tokenization safe?

It is safe only if the mapping never leaves the user's device. A tool that stores the mapping in the cloud — even encrypted — has reintroduced the exact trust boundary it was supposed to remove. Look for tools that document where the mapping lives and confirm with a network inspector that no unmasked data is transmitted.

How do I evaluate a PII redaction tool?

Three quick tests:

Open the developer tools network panel and watch what is transmitted as you type. The unmasked prompt should never appear.
Read the privacy policy. It should specify zero retention of prompt content and identify exactly what telemetry, if any, is collected.
Check the entity coverage. A good tool documents which categories it detects (names, IDs, financial accounts, medical terms) and lets you add custom patterns for organization-specific data.

Putting it together

PII redaction is the operational layer that lets professionals use AI without trading away privacy. The mechanics matter — removal versus masking versus pseudonymization versus reversible tokenization — because each technique has different trade-offs between privacy and utility. The deployment matters even more: a redaction tool that runs in the cloud is just another processor of your data; one that runs locally is a genuine boundary.

If you take only one thing from this guide: in 2026, the right place for PII redaction is the user's device, before the first byte of a sensitive prompt leaves the browser. Everything else is a compromise.

What Is PII Redaction? A Plain-English Guide for AI Users