By Stuart Dee
For much of the past decade, storing personally identifiable information within a large language model was regarded as something no responsible organisation should attempt. Early models functioned as vast statistical engines, absorbing information without distinction and retaining it in ways that could not easily be explained or controlled. They lacked any awareness of a user’s role, location or authority. They applied no purpose limitations, and offered no clear mechanism for deletion once information had been incorporated. The verdict, broadly shared across the governance and architecture community, was straightforward: LLMs and PII simply did not belong together.
That verdict is overdue for revision.
The model is no longer asked to police itself. It operates within a protective environment that applies policy before sensitive information enters, monitors behaviour during processing, and checks every output before it leaves.
A combination of architectural innovation and maturing data governance practice has fundamentally changed what is possible. Rather than expecting the model to manage its own behaviour around sensitive data, enterprises now position it within a purpose-built protective environment. Policy is applied before the model sees sensitive information. Behaviour is monitored throughout processing. Every output is examined before it reaches the user. That shift, from hoping models behave well to engineering environments in which they cannot behave badly, has transformed the landscape.
The foundations: entitlement-led governance
The critical enabler is a fine-grained, policy-led entitlement layer positioned between the model and the user. Every item of personal information is classified and wrapped in rules governing who may see it, where it may be processed and for what purpose it may be used. Those rules accompany the data at every stage of its journey. When a user supplies PII, the entitlement system determines in real time whether the model is permitted to receive it. Where the user is not entitled, sensitive material is masked or substituted before the model ever processes it. When the model generates a response, the output is checked again to ensure no personal detail reaches an unauthorised audience.
This separation of responsibilities aligns naturally with modern governance principles. The model does what it does best, which is generating insight. The entitlement engine ensures that private information remains private. The result is an AI system that behaves less like an unbounded text generator and more like a controlled, accountable information service.
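A sketch of the entitlement gate described above, added here as an illustration and not taken from the article or any product. The regex detectors, the POLICY table and the role, region and purpose names are constructed assumptions. The same policy check runs before the model sees the prompt and again on whatever the model returns.

```python
import re
from dataclasses import dataclass

# Constructed detectors; a real deployment would use a proper PII classifier.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d ]{8,}\d"),
}

@dataclass(frozen=True)
class Rule:
    roles: set      # who may see this class of data
    regions: set    # where it may be processed
    purposes: set   # what it may be used for

# Hypothetical policy table: one rule per data class.
POLICY = {
    "email": Rule({"claims_handler", "hr"}, {"UK", "EU"}, {"claims", "hr_support"}),
    "phone": Rule({"claims_handler"}, {"UK"}, {"claims"}),
}

@dataclass(frozen=True)
class Context:
    role: str
    region: str
    purpose: str

def entitled(kind, ctx):
    rule = POLICY.get(kind)  # a class with no rule is denied by default
    return (rule is not None and ctx.role in rule.roles
            and ctx.region in rule.regions and ctx.purpose in rule.purposes)

def enforce(text, ctx):
    """Mask every PII class the caller is not entitled to; return (text, audit)."""
    audit = []
    for kind, pattern in DETECTORS.items():
        allowed = entitled(kind, ctx)
        def sub(match, kind=kind, allowed=allowed):
            audit.append((kind, "allow" if allowed else "mask"))
            return match.group(0) if allowed else f"[{kind.upper()}_REDACTED]"
        text = pattern.sub(sub, text)
    return text, audit

def governed_call(model, prompt, ctx):
    """Apply policy before the model sees the prompt and again on its output."""
    safe_prompt, audit_in = enforce(prompt, ctx)
    reply = model(safe_prompt)
    safe_reply, audit_out = enforce(reply, ctx)
    return safe_reply, audit_in + audit_out
```

The audit list records each allow or mask decision, so the output-side pass also catches personal data the model emits that was never in the prompt.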
Encryption throughout the pipeline
A further enhancement is the application of encryption that persists throughout the model pipeline, not merely at rest or in transit. Historically, encryption offered no protection during active processing, because information sat in plain view inside memory and computation layers the moment it was being used. New techniques now allow sensitive data to remain encrypted even as the model operates on it. The model works with encrypted representations that preserve analytical meaning without exposing raw values to any human operator or internal component.
This provides an additional and meaningful guarantee of confidentiality. Even if an internal subsystem were compromised, or an output intercepted prematurely, the underlying information would remain unintelligible. Encryption and entitlement controls operate at different layers, cryptographic and organisational respectively, and together they form a defence in depth that addresses both security and compliance obligations simultaneously.
What becomes possible
With governance and encryption in place, a range of capabilities that previously sat firmly out of reach becomes accessible. Personalisation improves dramatically. Digital assistants can understand individuals rather than generic user types, recall previous interactions, recognise patterns across a person’s history and respond with advice that is genuinely informed and relevant. Operational processes that require careful examination of personal histories, including claims handling, complaints analysis, HR support and customer remediation, can be accelerated without compromising privacy. The model can summarise relevant information, identify omissions, detect inconsistencies and prepare initial responses, while the governance layer ensures each user sees precisely what they are entitled to view.
Knowledge work becomes more efficient. Instead of navigating multiple disconnected systems, staff can ask an intelligent assistant for the information needed to perform their tasks. The assistant retrieves it strictly in accordance with each person’s access rights, becoming a centralised, entitlement-aware interface to organisational knowledge. Automation gains both power and reliability. Activities that depend on personal data, such as eligibility checks, regulatory submissions, identity verification, document preparation and case summarisation, can be handled by the model, with the governance layer ensuring every automated decision respects data protection obligations.
Risk management benefits too. Governed access to personal histories allows models to identify behaviours that may indicate fraud, vulnerability or operational risk, with analysts receiving exactly the insight they are permitted to access and nothing beyond it. Compliance processes become more manageable: subject access requests, rectification and erasure tasks can be supported by models that understand where relevant information resides and how to summarise it accurately, providing auditors with the clear lineage and traceability they require.
What was once dismissed as an unacceptable risk has become, with the right controls in place, a feasible and genuinely valuable part of enterprise AI strategy.
A rational and responsible path forward
The architectural community has spent years, rightly, urging caution about placing sensitive information inside AI systems. That caution was proportionate to the tools available at the time. The tools available now are materially different. Entitlement-led governance, encrypted processing and rigorous output control together create an environment in which PII can be processed by an LLM without abandoning the organisation’s obligations to individuals, regulators or its own risk appetite.
This is not an argument for abandoning rigour. It is an argument for updating our assessment of what rigour requires. Organisations that continue to treat LLMs as inherently incompatible with personal data will increasingly find themselves at a disadvantage relative to peers who have taken the time to understand and implement the controls that make safe operation possible. The question is no longer whether storing PII in the model environment can be done safely. The question is whether your organisation has the architecture in place to do it well.
