Try Bifrost Enterprise free for 14 days. Request access

PII Filtering and Compliance at the AI Gateway Layer

PII Filtering and Compliance at the AI Gateway Layer
How to implement PII filtering and compliance controls at the AI gateway layer using Bifrost, the open-source AI gateway built for enterprise compliance requirements.

AI applications that process user input send prompts containing potentially sensitive data, including personally identifiable information (PII), credentials, and proprietary business content, to external LLM providers. Without a gateway-level content inspection layer, organizations have no mechanism to intercept or redact sensitive data before it leaves their network. Bifrost, the open-source AI gateway built in Go by Maxim AI, applies PII filtering, secrets detection, and compliance guardrails at the infrastructure layer without requiring changes to application code. This guide explains how to implement those controls in practice.

Why PII Filtering Belongs at the Gateway Layer

Implementing PII filtering at the gateway layer rather than inside individual applications provides three structural advantages for security and compliance teams.

A single enforcement point. A gateway-level filter covers all AI traffic from all applications in the organization, without requiring each application team to implement its own filtering logic. A team deploying a new AI feature does not need to build PII detection from scratch; the control is already in the path.

Immediate policy updates. When a new sensitive data pattern is identified or a compliance requirement changes, updating the filter at the gateway applies it immediately across every consumer, with no application redeployments or code changes needed.

Centralized audit coverage. Compliance audit logs that capture every filtered and unfiltered AI request in one place are far easier to produce from a gateway than by aggregating per-application logs. Every request identity, every guardrail action, every provider call appears in the same immutable record.

These properties make the gateway the most effective place to enforce PII filtering at scale, particularly for organizations running multiple AI-powered applications across teams or business units.

Types of Sensitive Data That Reach LLM Providers

Without a content inspection layer, the following categories of sensitive data routinely appear in prompts sent to external LLM providers:

  • PII: Names, postal addresses, phone numbers, email addresses, Social Security Numbers, dates of birth, and other information regulated under GDPR, CCPA, and similar data protection frameworks.
  • Credentials and secrets: API keys, authentication tokens, passwords, and private keys embedded in prompts or code snippets submitted to coding assistants.
  • Protected health information (PHI) under HIPAA: Patient names, medical record numbers, diagnostic information, insurance identifiers, and other information covered by the HIPAA Privacy Rule.
  • Financial data: Payment card numbers, bank account numbers, routing numbers, and transaction details regulated under PCI DSS.
  • Proprietary code and business logic: Source code, internal system architectures, business strategies, and trade secrets submitted to coding agents and general-purpose AI assistants.

Each category carries different regulatory and business risk profiles. A gateway-layer approach allows organizations to apply different filtering profiles to different categories, matched to the compliance obligations of each application.

PII Filtering and Guardrail Controls in Bifrost

The guardrail system in Bifrost provides layered content inspection through a combination of native controls and third-party provider integrations. All guardrails apply to both inputs (prompts) and outputs (responses), at real-time inference speed.

Native Secrets Detection

Secrets detection in Bifrost is backed by Gitleaks, the open-source secret scanning engine. It identifies API keys, authentication tokens, private keys, and common credential patterns across all major providers and services. Secrets appearing in prompts are caught before the request is forwarded to any LLM provider. Detection runs in-process with minimal latency overhead.

Custom Regex Guardrails with Built-In PII Templates

Custom regex guardrails allow organizations to define their own content patterns for detection and action. Bifrost includes a built-in PII detection template covering common PII patterns including names, SSNs, email addresses, and phone numbers. Teams extend this template with organization-specific patterns: internal identifier formats, proprietary naming conventions, domain-specific sensitive terms.

Custom regex rules are configured once as reusable profiles and attached to virtual keys or applied globally. They run in-process, adding negligible latency.

Third-Party Guardrail Provider Integrations

For organizations with existing content safety infrastructure or more advanced inspection needs, Bifrost integrates with the following external guardrail providers:

  • AWS Bedrock Guardrails: Enterprise content filtering combined with PII detection using AWS Comprehend, covering multiple entity types out of the box.
  • Azure Content Safety: Multi-category content moderation with severity-based thresholds for harmful content.
  • Google Model Armor: Google Cloud policy enforcement covering prompt injection, content safety, and sensitive data protection.
  • CrowdStrike AIDR: Inline AI threat detection with audit visibility and policy-based redaction.
  • GraySwan Cygnal: AI safety monitoring using natural language rule definitions.
  • Patronus AI: LLM security evaluation including hallucination detection and safety assessment.

Guardrail Actions on Match

When a guardrail rule matches content in a prompt or response, Bifrost supports three actions:

  1. Block: Reject the request before it is forwarded to the provider. The requesting application receives an error indicating the content policy violation.
  2. Redact: Replace the matched content with a placeholder and forward the modified request to the provider. The original content never reaches the model or the provider's infrastructure.
  3. Log and allow: Record the match in the audit log but allow the request to proceed. This mode is useful for establishing detection baselines before enforcing blocking.

Each action is configurable per guardrail rule, allowing teams to apply blocking to high-risk categories while logging others for review.

Building a Compliance Audit Trail for AI Requests

Audit logs in Bifrost are immutable and capture every AI request passing through the gateway. Each log entry includes:

  • Timestamp and request identifier
  • Requesting identity (virtual key)
  • Target provider and model
  • Prompt content (or a hash in environments where prompt storage raises its own compliance concerns)
  • Response content
  • Guardrail rules evaluated, matches found, and actions taken

These logs support the compliance frameworks most relevant to enterprise AI deployments: SOC 2 Type II evidence, HIPAA audit requirements, ISO 27001 audit logging controls, and GDPR records of processing. The log format is designed for long-term retention and SIEM integration.

Log exports automate delivery of audit data to external storage and analysis systems including Amazon S3, Google Cloud Storage, and BigQuery. This enables long-term retention policies, integration with existing security information and event management platforms, and cross-system correlation for incident investigation.

The Bifrost governance resource hub provides additional detail on how audit logging fits into a complete governance architecture.

Per-Consumer Compliance Controls via Virtual Keys

Virtual keys are the primary mechanism for applying differentiated compliance controls across consumer groups. Each virtual key carries its own guardrail profile, budget, rate limits, and model access controls.

This differentiation enables compliance teams to configure appropriate controls for each use case without changing application code:

  • A customer-facing chatbot handling user-submitted text might have strict PII filtering and content moderation, blocking any prompt containing detected personal information.
  • An internal developer tool used by engineers for code generation might have secrets detection enabled but a more permissive content policy suited to technical work.
  • A healthcare application might carry a HIPAA-specific guardrail profile with PHI pattern detection from the built-in PII template supplemented by condition-specific identifiers.
  • A financial services application might have PCI DSS-relevant patterns for card and account number detection configured as redact-on-match rules.

Because these profiles are attached to virtual keys rather than configured inside applications, compliance teams can update the guardrail profile for a consumer group without involving the application engineering team. The next request after an update is evaluated against the new profile.

Compliance for Regulated Industries

The combination of PII filtering, immutable audit logs, and deployment flexibility in Bifrost supports specific compliance frameworks across regulated industries.

HIPAA: PHI detection via custom regex or AWS Bedrock Guardrails catches protected health information before it reaches an external model. Audit logs provide the records required for HIPAA audit trails. In-VPC deployment keeps all AI traffic within the organization's own network boundary, addressing data residency requirements for covered entities and business associates. Healthcare teams can review the Bifrost healthcare AI infrastructure page for deployment guidance specific to healthcare compliance.

SOC 2 Type II: Audit logs provide the evidence base for access control (virtual keys with role-based assignment), data integrity (immutable log records), and security monitoring controls. Log exports to S3 or GCS enable the retention policies required by SOC 2 auditors. The Bifrost Enterprise feature set covers the high-availability and security hardening controls relevant to SOC 2 infrastructure requirements.

ISO 27001: Virtual keys implement access control aligned with ISO 27001 A.9 controls. Guardrail rules implement data classification at the gateway layer. Audit logs support A.12.4 logging and monitoring requirements.

GDPR: PII redaction at the gateway implements data minimization principles by preventing unnecessary transmission of personal data to external processors. Audit logs provide the records required for Article 30 processing activity documentation. In-VPC deployment supports data transfer and localization requirements.

Deploying PII Filtering Without Application Code Changes

Bifrost is a drop-in replacement for existing OpenAI, Anthropic, and LangChain SDKs. Deploying PII filtering at the gateway layer requires changing only the base URL in the existing application configuration; the application code itself does not change.

The change in practice:

# Before: direct provider access
client = OpenAI(api_key="sk-...")

# After: all traffic through Bifrost with PII filtering applied
client = OpenAI(
    base_url="<https://your-bifrost-instance/openai/v1>",
    api_key="your-virtual-key"
)

After this change, every request from the application passes through the Bifrost guardrail stack. PII filtering, secrets detection, and content safety controls apply automatically. The application makes no decisions about content inspection; that responsibility moves to the gateway layer where it can be managed, updated, and audited centrally.

Bifrost supports 20+ providers and 1,000+ models behind this unified API, so organizations running multiple AI providers apply the same guardrail configuration to all of them from a single deployment.

Get Started with AI Gateway Compliance

Implementing PII filtering and compliance controls at the AI gateway layer begins with deploying Bifrost and configuring guardrail profiles for each consumer group. The governance resource page has detailed guidance on virtual key configuration, guardrail profile structure, and how to apply different compliance profiles to different teams or applications.

For organizations with specific compliance requirements in regulated industries, HIPAA-specific PHI detection profiles, SOC 2-aligned audit log retention, and in-VPC deployment configurations are covered in the Bifrost Enterprise documentation.

To see how Bifrost handles PII filtering and compliance at the gateway layer for your organization's specific requirements, book a demo with the Bifrost team.