PII in AI pipelines: what IAM and security teams need to change

TL;DR: PII now moves through prompts, retrieved documents, model outputs, and agent actions, creating exposure paths that legacy DLP was not built to track, according to WitnessAI. The governance gap is not just data leakage, but the assumption that sensitive information can be safely reviewed after it has already crossed into AI systems.

NHIMG editorial — based on content published by WitnessAI: PII protection in AI pipelines and why legacy DLP falls short

By the numbers:

• Legacy DLP achieves 5 to 25% accuracy in classifying unstructured content, with false positive rates exceeding 40%.
• IBM’s 2024 study found organizations that deployed AI in prevention workflows reduced average breach costs by $2.2 million per incident.
• Healthcare breaches in 2025 still averaged $7.42 million and took 279 days to identify and contain.

Questions worth separating out

Q: How should security teams protect PII in AI pipelines without breaking user workflows?

A: Security teams should combine discovery, semantic classification, tokenization, and graduated enforcement so they can protect sensitive data without forcing every interaction into a hard block.

Q: Why do AI copilots and agents make PII governance harder than traditional DLP does?

A: AI copilots and agents make PII governance harder because they move data through prompts, retrieval, outputs, and tool actions that legacy DLP was not designed to understand.

Q: How do organisations know whether AI PII controls are actually working?

A: They know controls are working when users can complete legitimate tasks while sensitive data is consistently redacted, tokenized, or routed according to policy.

Practitioner guidance

• Discover AI tools and agent connections first Inventory sanctioned and shadow AI use across chatbots, copilots, developer tools, MCP connections, and production-integrated agents before applying policy.
• Shift from pattern matching to semantic classification Classify sensitive content by meaning, not only by regex or keyword list.
• Apply tokenization before external model exposure Replace raw identifiers with tokens before prompts reach external models, then restore values only for authorized workflows.

What's in the full article

WitnessAI's full analysis covers the operational detail this post intentionally leaves for the source:

• How the Observe and Control modules distinguish discovery from runtime enforcement across AI tools and agents
• The step-by-step tokenization and rehydration approach used to preserve workflow continuity while protecting raw PII
• Examples of policy routing, warning, block, and approved-model actions in enterprise AI use cases
• The platform's deployment model for continuous discovery across AI applications, IDEs, and MCP server connections

👉 Read WitnessAI's analysis of PII protection in AI pipelines →

PII in AI pipelines: what IAM and security teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →