Customer data can travel with the prompt.
PriviShield is Aera’s sensitive-data sanitization layer for AI routes. Where enabled, it sits in the trusted route path to detect common PII, secrets, credential-like material, and unsafe disclosure patterns, then redact, mask, strip, block, or route sensitive cases for consent before provider execution continues.
Sanitize the payload. Preserve the route.
AI routes can carry customer data, credentials, private documents, tool output, retrieved context, and prompt-injection payloads toward a provider call. PriviShield is designed to reduce that exposure before execution continues by detecting sensitive material and applying the configured route action.
Names, emails, phone numbers, payment-like values, and account references can be pulled into context. PriviShield can detect common patterns and redact or route them before provider execution where enabled.
API keys, bearer tokens, credential URLs, private key blocks, and password-like values can leak through tools, logs, retrieval, or pasted context. PriviShield can strip or block high-risk secret exposure in supported paths.
Prompt-injection markers, encoded content, hidden channels, and social-engineering language can change what an agent tries to send or do. PriviShield can flag unsafe disclosure signals before the route continues.
PriviShield is grounded in Aera’s privacy screening package. In supported paths, it can classify common sensitive-data patterns, secret-like material, credential-looking strings, and unsafe prompt signals, then turn those findings into redaction, masking, stripping, blocking, consent, or audit metadata.
Detects common patterns such as email addresses, phone numbers, IP addresses, SSN-style identifiers, and credit-card-like values, then supports redaction or masking where configured.
Detects API keys, bearer tokens, private key blocks, credential URLs, password-like values, and high-entropy secret-like strings so the route can strip, block, or require approval.
Detects prompt-injection indicators, hidden-channel patterns, social-engineering language, and encoded or obfuscated sensitive payloads in supported forms before continuation.
Sensitive content can arrive from user input, tools, workflows, or retrieved context. PriviShield is designed to sanitize the route payload before provider execution where enabled.
Claim common PII and secret-pattern sanitization, not exhaustive detection of every identity, health, tax, document, or credential format.
A finding can become a route action: redact, mask, strip, block, consent, audit metadata, or sanitized hash in supported paths.
PriviShield belongs inside the trusted route path, not beside it as an after-the-fact report. Where wired into the Gateway or router path, it can inspect outbound AI traffic, apply the configured privacy action inline, and let only sanitized or approved material continue toward provider execution.
The route receives prompt text, workflow state, tool output, or retrieved context.
Sensitive-data, secret, and unsafe-disclosure signals are identified inside the route path where enabled.
The route applies the configured action inline: redact, mask, strip, block, or require consent.
Sentinel can compose privacy signals with policy and runtime risk where integrated.
Sanitized traffic continues, or the request is blocked, reviewed, or routed for consent.
Inline route action, not after-the-fact notification.
PriviShield should not treat every privacy signal as a hard stop. The guard model can support different outcomes depending on the data class, policy state, context, and configured risk tolerance: allow with metadata, redact, strip, block, or route for consent.
Low-risk content can continue while preserving privacy state for audit or downstream policy evaluation.
Detected values can be masked, stripped, or substituted before the route continues toward the provider.
High-risk secrets, credential material, or unsafe disclosure patterns can stop the request before provider execution.
Sensitive cases can be routed to consent or approval flows where configured instead of silently continuing.
PriviShield is strongest when it is part of the same operating route as provider access, credential custody, and runtime control. It sanitizes exposure in the flow before execution continues. Gateway routes the traffic. Vault protects access objects. Sentinel controls continuation.
Gateway can hand route traffic through PriviShield so sensitive-data findings become inline route actions and route evidence where integrated.
Vault protects credentials and execution rights. PriviShield complements Vault by detecting and sanitizing secret-like material when it appears in prompts, payloads, tools, or route traffic.
PriviShield can provide sensitive-data signals inside the route-control path while Sentinel evaluates policy, pathway risk, and continuation decisions where the security pipeline is enabled.
PriviShield’s strongest current public claim is provider-bound sanitization inside the trusted route path where enabled. Return-path, tool-output, and memory/RAG handling should be described by the exact surface that is wired: PriviShield sanitization, Sentinel response scanning, or post-release platform scope.
sanitize provider-bound traffic inside the trusted route path where enabled
pair with Sentinel response scanning where integrated
sanitize tool or workflow payloads where wired into the route path
memory and managed RAG protection remain post-release platform scope
Privacy evidence should explain what was detected and what action was taken without turning sensitive data into the audit artifact. In supported paths, PriviShield actions can produce redaction metadata, sanitized hashes, block reasons, consent state, and audit records from the same route flow without displaying raw sensitive values.
The evidence boundary matters. A privacy system that records the raw value it removed can recreate the exposure it was supposed to prevent. PriviShield evidence should prove the route action while keeping sensitive values masked, hashed, or referenced rather than displayed.
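The finding-to-action model and the evidence boundary described above, as an added illustration that is not Aera's or PriviShield's code: findings map to redact, strip, or block, and the audit record carries a keyed hash instead of the raw value. The rule table, `AUDIT_KEY`, `fingerprint`, and `sanitize` are hypothetical names, and the patterns are simplified samples covering common forms only.

```python
import hashlib
import hmac
import re

# Assumption: a per-deployment audit key held in a secret store, not in code.
AUDIT_KEY = b"constructed-demo-key"

# (data class, pattern, action). Simplified patterns for common forms only.
RULES = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "block"),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"), "strip"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "redact"),
    ("ssn_style", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "redact"),
]

def fingerprint(value: str) -> str:
    """Keyed hash: lets audit records correlate a value without storing it.
    A plain SHA-256 of a low-entropy value (an SSN) could be brute-forced."""
    return hmac.new(AUDIT_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def sanitize(payload: str):
    """Return (decision, payload to forward or None, audit records)."""
    audit = []
    for data_class, pattern, action in RULES:
        def handle(match, data_class=data_class, action=action):
            record = {"class": data_class, "action": action}
            if action != "block":
                # Evidence of the action, never the raw matched value.
                record["hash"] = fingerprint(match.group(0))
            audit.append(record)
            return "" if action == "strip" else f"[{data_class.upper()}]"
        payload = pattern.sub(handle, payload)
    if any(record["action"] == "block" for record in audit):
        return "block", None, audit  # nothing continues toward the provider
    return ("sanitized" if audit else "allow"), payload, audit

# Constructed sample input, not real data.
SAMPLE = ("Contact jane.doe@example.com, SSN 123-45-6789. "
          "Authorization: Bearer abcDEF1234567890abcDEF1234567890")

if __name__ == "__main__":
    decision, forwarded, records = sanitize(SAMPLE)
    print(decision, repr(forwarded))
    for record in records:
        print(record)
```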
PriviShield is built for AI routes where prompts, tools, workflows, and retrieved context can carry sensitive data toward provider execution. Detect the exposure, sanitize the payload inside the trusted route path, and let Sentinel control what continues.