
Personal information in prompt

Personal information or sensitive personal information that is included as a part of a prompt that is sent to the model.

Source: MIT AI Risk Repository (mit1294)

ENTITY

2 - AI

INTENT

2 - Unintentional

TIMING

2 - Post-deployment

Risk ID

mit1294

Domain lineage

2. Privacy & Security

186 mapped risks

2.1 > Compromise of privacy by leaking or correctly inferring sensitive information

Mitigation strategy

1. Implement a mandatory data sanitization and redaction layer, such as an AI Gateway or Prompt Firewall, configured with advanced pattern matching and machine learning models to automatically detect, tokenize, or fully redact Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) from user inputs prior to model ingestion.

2. Establish and enforce explicit AI governance policies and continuous user education programs to prohibit the voluntary or accidental insertion of confidential or proprietary data into prompts, thereby addressing the human factor of accidental data exposure and ensuring regulatory compliance.

3. Deploy Data Loss Prevention (DLP) controls across organizational endpoints and network egress points to monitor and enforce the blocking of unauthorized transmission of classified data into unapproved or third-party Large Language Model (LLM) services.