Protecting Personally Identifiable Information (PII) has become a critical requirement for enterprises deploying AI applications. With regulations like GDPR, CCPA, and HIPAA imposing strict penalties for data breaches, organizations need robust mechanisms to prevent PII from being exposed through AI systems. This guide provides a comprehensive walkthrough of implementing PII protection using Portkey’s guardrail capabilities.

Why PII Guardrails Matter for Your AI Applications

  • Regulatory Compliance: Meet requirements for GDPR, CCPA, HIPAA, and other data protection regulations
  • Data Breach Prevention: Stop sensitive information from leaking through AI responses
  • Customer Trust: Demonstrate commitment to privacy and data protection
  • Cost Optimization: Avoid regulatory fines and reputational damage
  • Operational Excellence: Automate PII detection and redaction at scale

Overview of Portkey’s PII Protection Options

Portkey offers multiple approaches to PII protection:

1. Portkey Native PII Detection

  • Comprehensive PII detection using advanced ML models
  • Detects and redacts: names, emails, phones, addresses, SSNs, credit cards, IP addresses
  • Simple configuration with immediate results
  • Available on Production and Enterprise plans

2. AWS Bedrock Guardrails Integration

  • Enterprise-grade PII detection from AWS
  • Supports custom PII patterns via regex
  • Currently focuses on SSN redaction by default

Learn about AWS Bedrock Guardrails

3. Partner PII Solutions

How PII Transformation Works

When PII is detected in a request, Portkey transforms it before sending it to the LLM:
[Figure: original request with PII and transformed request with placeholders]
The transformation process:
  • Original: Contains actual PII like names, emails, SSNs
  • Final (Transformed): PII replaced with numbered placeholders
  • Status: Shows if transformation occurred

Setting Up Portkey’s Native PII Detection

Step 1: Create a PII Detection Guardrail

  1. Navigate to Guardrails → Create
  2. Search for “Detect PII” under PRO guardrails
  3. Select PII categories to detect:
    • Phone Numbers: Mobile and landline numbers
    • Email Addresses: Personal and corporate emails
    • Location Information: Addresses, cities, coordinates
    • IP Addresses: IPv4 and IPv6 addresses
    • Social Security Numbers: US SSN format
    • Names: First names, last names, full names
    • Credit Card Information: Card numbers

Step 2: Enable PII Redaction

Toggle the Redact PII option to automatically replace detected PII with placeholders.

Step 3: Configure Guardrail Actions

Set up how your guardrail should behave:
  • Async: Run checks without blocking (default: TRUE)
  • Deny: Block requests with PII (default: FALSE)
  • On Success/Failure: Send feedback for monitoring

Step 4: Add to Config and Use

Once you save your guardrail, you’ll get a Guardrail ID. Add it to your config:
{
  "input_guardrails": ["gr-pii-detection-xxx"]
}
The examples below demonstrate input guardrails only. You can also apply PII detection to outputs by adding guardrails to output_guardrails.

Real-World Examples: Portkey vs Bedrock

Let’s see how Portkey and AWS Bedrock handle the same PII-containing requests:
from portkey_ai import Portkey

# Initialize Portkey with PII protection
portkey = Portkey(
    api_key="PORTKEY_API_KEY",
    config="pc-pii-protection"
)

Email Address Detection

Original Query:
Please update my email from [email protected] to [email protected]
Transformed Input:
Please update my email from [EMAIL_ADDRESS_1] to [EMAIL_ADDRESS_2]
What Portkey Detected:

Phone Number Detection

Original Query:
My phone number is (555) 123-4567, and my alternate is +1-800-555-0123
Transformed Input:
My phone number is [PHONE_NUMBER_1], and my alternate is [PHONE_NUMBER_2]
What Portkey Detected:
  • PHONE_NUMBER_1: (555) 123-4567
  • PHONE_NUMBER_2: +1-800-555-0123

Social Security Number Protection

Original Query:
I need to update my tax information. My SSN is 123-45-6789
Transformed Input:
I need to update my tax information. My SSN is [SSN_1]
What Portkey Detected:
  • SSN_1: 123-45-6789

Credit Card Information

Original Query:
I used my card ending in 4532, full number is 4532-1234-5678-9012
Transformed Input:
I used my card ending in [CREDIT_CARD_1], full number is [CREDIT_CARD_2]
What Portkey Detected:
  • CREDIT_CARD_1: 4532
  • CREDIT_CARD_2: 4532-1234-5678-9012

Name Detection

Original Query:
John Smith from accounting needs access. His manager Jane Doe approved it.
Transformed Input:
[NAME_1] from accounting needs access. His manager [NAME_2] approved it.
What Portkey Detected:
  • NAME_1: John Smith
  • NAME_2: Jane Doe

Address Detection

Original Query:
Deliver to 123 Main Street, Apt 4B, New York, NY 10001
Transformed Input:
Deliver to [LOCATION_ADDRESS_1]
What Portkey Detected:
  • LOCATION_ADDRESS_1: 123 Main Street, Apt 4B, New York, NY 10001

IP Address Detection

Original Query:
My computer IP is 192.168.1.100 and I'm connecting to server at 10.0.0.1
Transformed Input:
My computer IP is [IP_ADDRESS_1] and I'm connecting to server at [IP_ADDRESS_2]
What Portkey Detected:
  • IP_ADDRESS_1: 192.168.1.100
  • IP_ADDRESS_2: 10.0.0.1

Complex Real-World Scenarios

Financial Services Example

Original Query:
Hi, I'm John Smith. My account number is 123456789.
Please update my email from [email protected] to [email protected].
My SSN for verification is 123-45-6789 and my phone is (555) 123-4567.
I recently used my credit card ending in 4532 for a transaction.
Transformed Input:
Hi, I'm [NAME_1]. My account number is 123456789.
Please update my email from [EMAIL_ADDRESS_1] to [EMAIL_ADDRESS_2].
My SSN for verification is [SSN_1] and my phone is [PHONE_NUMBER_1].
I recently used my credit card ending in [CREDIT_CARD_1] for a transaction.
Detected PII:
  • Names, emails, SSN, phone, credit card all redacted
  • Account number not redacted (not in default PII categories)

HR System Example

Original Query:
Employee Jane Doe (ID: EMP00123) has requested a salary adjustment.
Her current address is 456 Oak Street, Boston, MA 02101.
Contact her at [email protected] or (617) 555-0123.
Her SSN on file is 987-65-4321 for tax purposes.
Transformed Input:
Employee [NAME_1] (ID: EMP00123) has requested a salary adjustment.
Her current address is [LOCATION_ADDRESS_1].
Contact her at [EMAIL_ADDRESS_1] or [PHONE_NUMBER_1].
Her SSN on file is [SSN_1] for tax purposes.
Comprehensive Protection: All PII types detected and redacted

Original Query:
Case: Smith vs. Johnson
Plaintiff John Smith, residing at 789 Legal Ave, Law City, CA 90210,
email: [email protected], phone: (310) 555-1234,
SSN: 111-22-3333 (for court records).
IP address from incident: 192.168.1.50
Transformed Input:
Case: [NAME_1] vs. [NAME_2]
Plaintiff [NAME_3], residing at [LOCATION_ADDRESS_1],
email: [EMAIL_ADDRESS_1], phone: [PHONE_NUMBER_1],
SSN: [SSN_1] (for court records).
IP address from incident: [IP_ADDRESS_1]
Complete Redaction: All PII elements protected
AWS Bedrock can be configured to detect additional PII types. The examples above show the default behavior. Check the Bedrock documentation for custom configuration options.
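
The scenarios above show identifiers outside the default categories (the account number, the employee ID) reaching the LLM unchanged. The following is an added example, not Portkey's code: it audits transformed inputs copied from this page, counting placeholders and flagging anything that still looks like PII. The regex patterns and the `UNCATEGORIZED_ID` heuristic are assumptions for illustration, not Portkey's detectors.

```python
import re

# Placeholder shape used in this page's transformed inputs, e.g. [EMAIL_ADDRESS_1]
PLACEHOLDER = re.compile(r"\[([A-Z]+(?:_[A-Z]+)*)_(\d+)\]")

# Assumed residual patterns, deliberately simple (not Portkey's detectors)
RESIDUAL = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE_NUMBER": re.compile(r"(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "IP_ADDRESS": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "CREDIT_CARD": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
    # Outside the default categories: long digit runs and ID-style tokens
    "UNCATEGORIZED_ID": re.compile(r"\b(?:\d{8,12}|[A-Z]{2,5}\d{4,})\b"),
}

def audit_transformed(text):
    """Return (placeholder counts by type, residual findings) for one input."""
    counts = {}
    for kind, _index in PLACEHOLDER.findall(text):
        counts[kind] = counts.get(kind, 0) + 1
    # Remove placeholders first so their own text is never scanned
    stripped = PLACEHOLDER.sub(" ", text)
    findings = []
    for kind, pattern in RESIDUAL.items():
        findings += [(kind, m.group(0)) for m in pattern.finditer(stripped)]
    return counts, findings

# Transformed inputs copied from the two scenarios on this page
FINANCIAL = (
    "Hi, I'm [NAME_1]. My account number is 123456789.\n"
    "Please update my email from [EMAIL_ADDRESS_1] to [EMAIL_ADDRESS_2].\n"
    "My SSN for verification is [SSN_1] and my phone is [PHONE_NUMBER_1].\n"
    "I recently used my credit card ending in [CREDIT_CARD_1] for a transaction."
)
HR = (
    "Employee [NAME_1] (ID: EMP00123) has requested a salary adjustment.\n"
    "Her current address is [LOCATION_ADDRESS_1].\n"
    "Contact her at [EMAIL_ADDRESS_1] or [PHONE_NUMBER_1].\n"
    "Her SSN on file is [SSN_1] for tax purposes."
)

if __name__ == "__main__":
    for label, sample in (("financial", FINANCIAL), ("hr", HR)):
        counts, findings = audit_transformed(sample)
        print(label, counts, findings)
```

Run over logged transformed requests, a non-empty findings list marks identifiers that need an additional category or a custom pattern before the redaction can be relied on.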

Monitoring PII Detection

Viewing Results in Portkey Logs

Navigate to your Portkey logs to see:
  1. Guardrail Status: Shows if PII detection succeeded
  2. Transformation Details: View original vs transformed requests
  3. Detected Entities: List of all PII found
Example log entry:
Guardrails
✓ pii - 1 successful
No PII (when no PII detected)

Understanding Response Codes

  • 200: Request successful (PII redacted if found)
  • 246: PII detected but request continued (Deny = false)
  • 446: Request blocked due to PII (Deny = true)

Next Steps

  1. Create Your First Guardrail: Start with email and phone detection
  2. Test with Sample Data: Verify detection accuracy
  3. Monitor in Production: Track performance and accuracy
  4. Expand Coverage: Add more PII types as needed
  5. Explore Partner Solutions: For specialized requirements
For support, join the Portkey community.