PII Redaction at the Gateway Layer for Regulated Industries

Bifrost centralizes PII redaction at the gateway layer, giving regulated industries consistent data protection across every LLM provider without per-application enforcement logic.

Sensitive Information Disclosure is ranked LLM02:2025 in the OWASP Top 10 for LLM Applications, and the risk surface keeps expanding as AI agents access more organizational data. Personally identifiable information enters LLM pipelines through user prompts, RAG context, tool outputs, and conversation history. Without a systematic enforcement point, that data flows to third-party model providers, appears in their telemetry, and may be retained beyond the periods your data processing agreements allow. Bifrost, the open-source AI gateway built in Go by Maxim AI, addresses this by enforcing PII redaction at the gateway layer, so every request inherits the same controls regardless of which model or provider serves it.

This post covers the architecture for gateway-level PII redaction, the specific capabilities Bifrost brings to regulated industries, and how teams in healthcare, financial services, and other compliance-sensitive sectors can implement it.

Why Application-Layer Redaction Fails at Scale

The most common approach to PII protection is to build redaction logic into each application that calls an LLM. Individual teams write their own detection patterns, apply their own filters, and produce their own validation evidence. That approach has a structural problem: every new model integration, every new internal service, and every new team that adopts AI creates a new surface that requires its own implementation. Policy changes have to be propagated manually. Coverage is uneven by design.

The result is fragmented enforcement, inconsistent audit trails, and no central point to verify that every request across the organization met the same standard. For regulated industries, that is not a defensible compliance posture. HIPAA requires demonstrable controls on protected health information. GDPR Article 5 requires that personal data be limited to what is strictly necessary. Auditors need evidence, not intent.

Gateway-level redaction solves the structural problem by moving enforcement out of application code and into the infrastructure layer that all LLM traffic passes through. Every application inherits the same policies automatically. Policy changes deploy once and take effect across every connected service.

How Bifrost Implements PII Redaction at the Gateway Layer

Bifrost's guardrails system operates on a two-tier architecture: Rules define when and what to validate using CEL (Common Expression Language) expressions; Profiles define how validation runs and which provider executes it. A single rule can link to multiple profiles for layered protection. Profiles are reusable and can be applied across as many rules as needed.

Validation runs inline on every matching request. Inputs (prompts, context) are scanned before reaching the model. Outputs (completions, tool returns) are scanned before reaching the client. The gateway returns one of three outcomes:

  • HTTP 200: content passed; validation metadata included in the response
  • HTTP 446: content blocked; violation details and severity returned for logging
  • HTTP 246: content modified; PII redacted rather than blocked, with redaction counts in the response

This response-code design gives downstream applications explicit signals to act on, rather than silently passing through modified content.

Supported Guardrail Providers for PII Detection

Bifrost integrates with multiple external guardrail providers, each with different capability profiles. Teams can use a single provider or compose multiple profiles into a single rule for defense-in-depth.

AWS Bedrock Guardrails

AWS Bedrock Guardrails is the strongest option for PII detection. It detects and redacts 50+ entity types covering personal identifiers, financial information, contact details, medical records, and device identifiers. It is also the only provider in Bifrost's current integrations with image content analysis, making it the right choice for multimodal agent workflows. For teams already in the AWS ecosystem, IAM-based authentication integrates cleanly with existing access control. Configuration covers 13 AWS regions, enabling data residency alignment for workloads subject to geographic data localization requirements.

Custom Regex (Native, In-Process)

Bifrost includes a native Custom Regex provider that runs in-process without calling an external service. It ships with a built-in PII Detection template covering common patterns (email addresses, US Social Security numbers, credit card numbers, phone numbers), and accepts organization-specific patterns to extend or replace it. Because the regex runs locally, it adds minimal latency and keeps data entirely within the deployment perimeter, making it the right first layer for teams in air-gapped or in-VPC environments.
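An added example, not Bifrost's code or its built-in template: a minimal in-process redactor in Go for the four pattern types named above, returning the redacted text with per-type counts. The patterns, labels and the Luhn check that filters card-number false positives are assumptions chosen for illustration, and the sample text is constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

var piiPatterns = []struct { // illustrative patterns (assumptions), not Bifrost's template
	Label string
	Re    *regexp.Regexp
	Check func(string) bool // optional validator that rejects false positives
}{
	{"EMAIL", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), nil},
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), nil},
	{"CARD", regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`), luhnValid},
	{"PHONE", regexp.MustCompile(`\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b`), nil},
}

// luhnValid runs the Luhn checksum over the digits of a card-number candidate.
func luhnValid(s string) bool {
	sum, pos := 0, 0
	for i := len(s) - 1; i >= 0; i-- {
		if c := s[i]; c >= '0' && c <= '9' { // space and dash separators are skipped
			d := int(c-'0') * (1 + pos%2) // double every second digit from the right
			sum += d/10 + d%10
			pos++
		}
	}
	return sum%10 == 0
}

// Redact replaces each validated match with [LABEL] and returns per-type counts.
func Redact(text string) (string, map[string]int) {
	counts := map[string]int{}
	for _, p := range piiPatterns {
		text = p.Re.ReplaceAllStringFunc(text, func(m string) string {
			if p.Check != nil && !p.Check(m) {
				return m // pattern matched but validation failed: leave untouched
			}
			counts[p.Label]++
			return "[" + p.Label + "]"
		})
	}
	return text, counts
}

func main() {
	// Constructed sample: the 16-digit order number fails Luhn and is not redacted.
	fmt.Println(Redact("Reach jane@example.com, SSN 078-05-1120, card 4111 1111 1111 1111, order 1234567890123456"))
}
```

Pattern order matters here: card candidates are replaced before the phone pattern runs, so a phone-shaped run of digits inside a card number is not counted twice.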

Patronus AI

Patronus AI provides context-aware PII detection alongside hallucination scoring and toxicity screening. It supports multi-turn analysis, which matters for agentic workflows where sensitive data may appear across several conversation turns rather than in a single prompt. For high-stakes applications in legal, clinical, or financial settings where output accuracy is as much a compliance concern as data exposure, Patronus offers a combined evaluation profile.

GraySwan Cygnal

GraySwan Cygnal supports natural language rule definition, allowing teams to express policies in plain text (for example, "do not allow personally identifiable information in responses") without writing detection patterns. It assigns a continuous violation score between 0 and 1 rather than binary pass/fail, enabling graduated responses. GraySwan is particularly useful for teams that need to enforce brand-specific or legal-team-defined policies that do not map cleanly to entity types or regex patterns.

For a full capability matrix across providers, see the guardrails documentation.

CEL-Based Rules: Scoped, Conditional Enforcement

CEL expressions give teams precise control over when a guardrail runs. Rules can target specific request properties including model family, route, virtual key, or message role. This prevents guardrail overhead from applying to traffic where it adds no value, and ensures that high-risk endpoints receive the most thorough validation.

Example patterns:

# Apply PII detection only to user-originated messages
request.messages.exists(m, m.role == "user")

# Apply stricter validation to production endpoints
request.path.startsWith("/v1/chat") && request.model.startsWith("gpt-4")

# Apply to any message over a character threshold (more likely to contain free-form PII)
request.messages.filter(m, m.role == "user").map(m, m.content.size()).sum() > 500

Rules attach to requests through request headers or inline configuration. A virtual key with a guardrail rule attached enforces that rule on every request that uses that key, across any application that holds it. This is how virtual key governance and guardrails compose: the same key that controls which models a team can access also enforces the redaction policy those requests must pass through.

Defense-in-Depth Configuration

For regulated industries, a single provider is rarely sufficient. Healthcare organizations may need PHI detection (Bedrock) plus prompt injection prevention (Azure) plus output accuracy validation (Patronus) on the same patient-facing endpoint. Financial services teams may need SSN and account number detection (Bedrock or Custom Regex) plus jailbreak prevention (Azure Prompt Shield) for customer service workflows.

Bifrost supports this by allowing multiple profiles to be linked to a single rule. The gateway executes them in sequence and aggregates results. A violation in any profile triggers the configured action (block or redact) for that rule. The guardrails resource page covers the supported provider combinations and recommended configurations for common regulated-industry use cases.

An example defense-in-depth profile composition for a healthcare chatbot might look like:

{
  "guardrail_rules": [{
    "name": "PHI Protection - Patient-Facing Endpoint",
    "cel_expression": "request.messages.exists(m, m.role == \"user\")",
    "apply_to": "both",
    "sampling_rate": 100,
    "provider_config_ids": [1, 2, 3]
  }],
  "guardrail_providers": [
    { "id": 1, "provider_name": "regex", "policy_name": "PHI Patterns" },
    { "id": 2, "provider_name": "bedrock", "policy_name": "PHI Detection" },
    { "id": 3, "provider_name": "patronus-ai", "policy_name": "Output Accuracy" }
  ]
}

Audit Logs: Turning Redaction Events into Compliance Evidence

PII redaction is only defensible if teams can produce evidence of what happened. Bifrost's audit logging captures every guardrail evaluation, blocked request, and redaction event as an immutable record. Each log entry includes the identity (virtual key), provider, model, detection type, violation severity, and the action taken.

Audit logs can be exported to SIEM systems, data lakes, and long-term archives to satisfy SOC 2 Type II, HIPAA, GDPR, and ISO 27001 evidence requirements. Native OpenTelemetry integration sends traces to Datadog, Grafana, and Honeycomb, so compliance teams and security operations teams work from the same telemetry without separate instrumentation.

Immutability is enforced at the storage layer using cryptographic hashing, which prevents tampering with detection records after the fact. This matters specifically for HIPAA audits and GDPR data processing evidence, where demonstrating that controls were in place and operating requires records that cannot be retroactively altered.
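The post does not say how the hashing is structured. As an added illustration (not Bifrost's implementation), a hash chain is one common way to make a log tamper-evident: each record's hash covers the previous record's hash, so editing or deleting an entry invalidates every record from that point on. The type and field names are assumptions and the events are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Event holds the fields the post lists for each audit entry (Go names are assumed).
type Event struct{ VirtualKey, Provider, Model, Detection, Severity, Action string }

// Record is a stored entry: the event plus the hash linking it to its predecessor.
type Record struct {
	Event          Event
	PrevHash, Hash string
}

// digest hashes the previous record's hash together with the serialized event.
func digest(prev string, e Event) string {
	body, _ := json.Marshal(e) // struct fields always encode in declaration order
	return fmt.Sprintf("%x", sha256.Sum256(append([]byte(prev), body...)))
}

// Append returns the log extended by e, chained to the current last record.
func Append(log []Record, e Event) []Record {
	prev := ""
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	return append(log, Record{e, prev, digest(prev, e)})
}

// Verify returns the index of the first record that breaks the chain, or -1.
func Verify(log []Record) int {
	prev := ""
	for i, r := range log {
		if r.PrevHash != prev || r.Hash != digest(prev, r.Event) {
			return i
		}
		prev = r.Hash
	}
	return -1
}

func main() {
	log := Append(Append(nil, Event{Provider: "bedrock", Action: "redact"}), Event{Provider: "regex", Action: "block"})
	log[0].Event.Action = "pass" // constructed after-the-fact edit
	fmt.Println("first invalid record:", Verify(log))
}
```

A chain only proves integrity if its latest hash is also held somewhere the log writer cannot rewrite, such as the exported SIEM copy; otherwise anyone with write access to storage can recompute every hash after an edit.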

Deployment Architecture for Regulated Environments

Bifrost Enterprise supports in-VPC and on-premises deployment, keeping request bodies, detection events, and audit logs entirely within the customer's network perimeter. No sensitive data leaves the organization's infrastructure. For healthcare teams running HIPAA-compliant AI infrastructure or financial services teams subject to data residency requirements, this deployment architecture is a prerequisite, not an optional enhancement.

For financial services and banking use cases, the combination of in-VPC deployment, custom regex patterns for financial identifiers, Bedrock-powered PII detection, and immutable audit logs covers the controls required for most internal AI governance frameworks without requiring custom engineering.

Secrets detection runs as a separate native provider, catching API keys, tokens, private keys, and credentials in prompts and completions before they leave the perimeter. Secrets Detection uses Gitleaks-backed pattern matching and runs in-process with no external service dependency. This covers a distinct risk from PII: developers and agents interacting with internal tooling may inadvertently include credentials in prompts, and model completions may reflect them back in context.

What to Configure First

Teams new to gateway-level PII redaction typically start with three steps:

  • Define a Custom Regex profile with the PII types most relevant to the application (SSNs, email addresses, account numbers, health plan IDs). This runs in-process with no external dependency and establishes a baseline detection layer.
  • Add a Bedrock or Patronus profile for entity types that require ML-based detection rather than pattern matching (clinical notes, free-form personal narratives, multi-entity text where regex false positive rates are high).
  • Configure audit log export to the organization's existing SIEM before deploying to production. Evidence capture should be live before any patient, customer, or employee data passes through the gateway.

The full guardrails configuration reference covers profile setup, CEL expression patterns, and response handling for each action type.

Conclusion

Application-layer PII redaction distributes enforcement responsibility across every team that builds an AI feature. Gateway-layer PII redaction centralizes it, making consistent protection a function of infrastructure rather than individual team discipline. For regulated industries where compliance posture is audited rather than assumed, the gateway is the right place to enforce data protection controls.

Bifrost combines native in-process regex detection, multi-provider ML-based PII scanning, CEL-based conditional rules, and immutable audit trails into a unified guardrails layer that applies consistently across every model and provider your organization uses. To see how Bifrost can support your compliance requirements, book a demo with the Bifrost team.