Stop Hoarding Prompts: A Pragmatic Guide to AI Privacy & Governance
Why this matters this week
If you’re running production AI systems, you’re probably sitting on an unacknowledged liability: unbounded prompt and output logs.
In the last 60 days I’ve seen:
- A mid-size SaaS vendor quietly halt an AI feature because legal discovered they were retaining full customer tickets and prompts indefinitely in an observability tool.
- A fintech company’s SOC2 auditor flag their “AI playground” as a shadow system with no access controls, no data retention policy, and no audit logs.
- A healthcare-adjacent startup realize their “red-teaming transcripts” contained PHI, with no clear deletion path or DLP controls.
None of these teams were reckless. They were shipping fast and assumed “we’ll clean up governance later.” Later is now.
Why this is spiking:
- Vendors are tightening their own privacy and model governance contracts and starting to push DPAs and subprocessor disclosures back on you.
- Customers are adding AI-specific questions to security questionnaires (data retention, training use, model risk, “who can see my prompts?”).
- Regulators and internal auditors are asking how AI usage fits into existing SOC2/ISO 27001 controls and data classification schemes.
If your AI story can’t be explained in the same language as the rest of your security program—retention policies, audit trails, access controls, privacy boundaries—you’re building operational risk, not just tech debt.
What’s actually changed (not the press release)
Three material shifts that affect how you should think about AI privacy and governance this quarter:
-
AI usage is no longer “experimental” in the eyes of auditors
- Internal tools, copilots, and customer-facing AI features are being treated as production systems.
- SOC2/ISO auditors now routinely ask:
- Where is model input/output stored?
- Who can access those logs?
- How long are they retained?
- Are they in scope for incident response and access reviews?
- “It’s just an LLM feature” is no longer accepted as a reason to skip normal controls.
-
Prompt logs are now recognised as high-risk data
- Prompts often contain:
- PII (names, emails, phone numbers)
- Credentials/API keys pasted in desperation
- Contracts, deal terms, internal strategy docs
- Source snippets from repos that were never meant to leave the VPC
- Many teams had quietly been shipping prompts to:
- Third-party logging/observability tools
- Centralised data lakes used for analytics
- “AI analytics” SaaS tools with weak isolation models
- Prompts often contain:
-
Policy-as-code expectations are moving into the AI stack
- The same infra teams who encoded network and IAM policies as code now expect:
- Data residency and routing policies for AI requests
- Configurable redaction and classification rules
- Declarative retention and deletion schedules
- Hand-maintained “LLM config documents” don’t cut it when you have:
- Multiple models (internal + external)
- Multiple products using them
- Cross-region deployments
- The same infra teams who encoded network and IAM policies as code now expect:
In short: the governance bar for AI is being raised to match the rest of your production estate. If your AI system can’t explain “who has access to what, for how long, and why” you’re behind.
How it works (simple mental model)
Use this mental model: AI governance is just your existing data governance, applied to two extra surfaces:
- Inference layer – where prompts and responses flow
- Model lifecycle layer – where models are trained, tuned, cached, and versioned
You already manage:
- Data classification (public, internal, confidential, restricted)
- Access control (who can touch what)
- Retention (how long you keep it)
- Auditability (who did what, when, with which system)
Apply those to AI like this:
1. Classification: “What class of data is allowed to hit this model?”
Define, per use case:
- Allowed data classes (e.g., “internal + confidential, no restricted/regulated data”)
- Disallowed examples (credentials, PHI, payment data, etc.)
Mechanically, that looks like:
- Input filters: detect and block/obfuscate disallowed content before it hits the model.
- Output filters: ensure the model doesn’t echo or synthesize restricted data in unsafe channels.
2. Flow control: “Where is the data actually going?”
Map the path:
- Client → Gateway → Pre-processing → Model (internal or vendor) → Post-processing → Logs/analytics
For each hop, define:
- Network location (VPC, region, vendor)
- Identity context (service account, user)
- Encryption and masking at rest/in transit
This gives you a data flow diagram you can show to security and auditors.
3. Retention: “What gets stored, where, and for how long?”
Decide for each artefact:
- Raw prompts/responses
- Structured events (userid, feature flag, latency, modelid)
- Training/finetuning datasets
- Caches and embeddings
Then set:
- Retention duration (e.g., 7 days, 30 days, 1 year)
- Storage location (S3 bucket X, region Y)
- Deletion mechanism (lifecycle policy, scheduled job, manual process unsupported)
4. Accountability: “Who can see or change what?”
Treat AI systems like any sensitive microservice:
- RBAC for:
- Prompt log access
- Config changes (e.g., switching models, toggling logging)
- Training data curation
- Audit logs for:
- Admin actions (config changes, access grants)
- Data usage for sensitive classes
This is where policy-as-code fits: encode the above as versioned, testable config, not tribal knowledge.
Where teams get burned (failure modes + anti-patterns)
Failure mode 1: “We’ll log everything and sort it out later”
Pattern:
- All prompts and responses go into:
- Central log pipeline (e.g., app logs)
- Queryable dashboards used by dozens/hundreds of staff
Risks:
- Sensitive data shows up in tools that were never meant to hold it.
- “Temporary” retention becomes de facto “forever” because nobody owns deletion.
- You can’t answer “who can see customer prompts?”
Anti-pattern variant: prompt dumps emailed or copied into shared docs/slack for “debugging.”
Failure mode 2: Shadow AI tools outside security scope
Pattern:
- “Internal AI playground” stood up by a team:
- No SSO / weak auth
- Used across departments (sales, support, eng)
- No logging or central governance
Risks:
- Sensitive customer or employee data leaves approved systems.
- No central record for audits.
- No consistent data processing agreement coverage with vendors.
This is often discovered during SOC2 readouts or by an annoyed security engineer, not proactively.
Failure mode 3: Training/finetuning with unvetted data
Pattern:
- Team collects “helpful conversations,” logs, or support tickets.
- Uses them to finetune or retrain a model with minimal filtering.
Risks:
- PHI, payment details, or confidential IP embedded into training data.
- Model can inadvertently regurgitate regulated or customer-owned data to other tenants.
- No practical right-to-be-forgotten or erasure path.
Example: one B2B company discovered that their “support bot” could answer questions about old, supposedly deleted customer accounts because those interactions lived on in training data.
Failure mode 4: No model risk taxonomy
Pattern:
- All AI use cases treated the same from a governance perspective.
Risks:
- High-risk use cases (e.g., compliance advice, financial recommendations, HR-related outputs) lack:
- Human-in-the-loop review
- Additional logging and approvals
- Tighter retention/audit
Without a model risk taxonomy, product and infra teams have no shared language for “this use case must satisfy stricter controls.”
Failure mode 5: Governance by PDF, not by code
Pattern:
- There’s a nice “AI policy” document.
- Actual systems are configured by hand, per environment.
- No tests, no drift detection.
Risks:
- Staging and prod diverge.
- Emergency hotfixes bypass policy.
- Nobody can show that the documented controls actually exist in running systems.
Practical playbook (what to do in the next 7 days)
You can’t fix everything in a week, but you can move from “unknown risk” to “known plan.”
Day 1–2: Inventory & classification
-
Inventory AI touchpoints
List, concretely:
- Customer-facing AI features
- Internal tools/copilots
- “Playgrounds” and experiments with external vendors
- Data pipelines using models (classification, extraction, etc.)
-
Classify per use case
For each:
- What data classes are processed? (PII, PHI, credentials, product telemetry, source?)
- Is data tenant-scoped or cross-tenant?
- Is this high, medium, or low risk by business impact?
Output: a one-page table you can share with security and legal.
Day 3: Map data flows & retention
For the top 3–5 highest-risk use cases:
-
Draw a data flow diagram
Include:
- Sources (web app, CRM, internal tools)
- Services (gateways, pre/post processors, models, vector DBs)
- Destinations (logs, analytics, training sets)
-
Annotate retention
For each storage location:
- What is stored? (raw prompts, redacted prompts, metrics only?)
- How long? (and where is that configured?)
- Who can access it?
You’ll almost certainly discover at least one unbounded or undocumented retention path.
Day 4: Implement a minimal policy-as-code layer
Pick one enforcement surface to start:
-
Routing & data policy config
Represent, in config (YAML/JSON/whatever is standard for you):
- Allowed data classes for each endpoint
- Model choices (internal vs vendor, region)
- Logging mode:
- FULL: prompts + outputs
- METADATAONLY: userid, latency, model_id, no content
- OFF: nothing
-
Wire this config into your gateway or service
- Fail closed if configuration is missing.
- Add tests that assert:
- High-risk endpoints never use FULL logging.
- Regulated data sources route only to compliant models/regions.
This becomes the nucleus of policy-as-code for AI.
Day 5: Turn off or reduce logging where it’s not essential
Focus on quick wins:
- For low-risk use cases:
- Switch to METADATA_ONLY logging by default.
- Allow temporary FULL logging only via a short-lived, auditable flag
