Security

Sensitive Information Disclosure: The Quiet Way LLMs Leak

Promptention Team
April 18, 2026
6 min read

Table of Contents

An LLM can disclose data it was never meant to reveal: another user's information, training data, internal records pulled in through retrieval. We cover the leak paths, why they are hard to close, and how we help.

Most data breaches announce themselves eventually. This one often does not, because when an LLM discloses something it should have kept private, there is no alarm, no failed control, no broken process. The model simply answered a question, and the answer contained something sensitive. By the time anyone notices, the information is already out. We treat Sensitive Information Disclosure as one of the most underappreciated risks in production LLM systems, and if you are handling customer or proprietary data through a model, it is one you need a clear answer for.

The paths data takes out

Sensitive disclosure is not one bug; it is a family of leak paths, and they need different defenses.

Leakage through retrieval. The most common path we see. Your application pulls context from a knowledge base, a database, a document store, and feeds it to the model to answer a question. If the retrieval layer hands the model data the current user is not entitled to, the model will happily include it in the answer. The model did nothing wrong. The access-control gap upstream did. This is the leak path teams most often miss, because they are watching the model and not the pipeline feeding it.

Cross-user and session bleed. In poorly isolated systems, context from one user or session can surface in another. The fix is architectural isolation, but the symptom shows up as the model "knowing" something it should not.

Training and memorisation. A model fine-tuned on sensitive data can reproduce fragments of it under the right prompt. If you train on real customer records, you have to assume some of that can come back out.

Disclosure under manipulation. An attacker uses prompt injection or social-engineering-style prompts to coax out information the system holds, walking the model past its instructions one step at a time.

Why it is genuinely hard

We will be honest about the difficulty, because the teams that struggle most are the ones who assumed it was easy. The core problem is that the model is designed to be helpful with the information it is given. It does not have an independent notion of "this user should not see this." It sees text in its context and a question, and it answers. So if sensitive data reaches the context, whether through retrieval, memory, or training, the model is inclined to use it.

That means you cannot close this risk by tuning the model to be more careful. You have to control what reaches the model and what is allowed to leave it. Those are pipeline and output problems, not model-behavior problems, and they sit in different parts of your stack.

What to do about it

  • Enforce access control before retrieval, not after generation. The user's entitlements should filter what the retrieval layer can return. Never rely on the model to redact what it should not have been handed.
  • Redact and minimise on the way in. Strip or mask sensitive fields before they enter the context whenever the task does not strictly need them.
  • Scan outputs before they leave. An independent check on the model's response can catch sensitive data, PII, secrets, internal identifiers, before it reaches the user or a downstream system.
  • Be deliberate about training data. If you fine-tune on sensitive material, treat memorisation as a real risk and test for it.

Frequently asked questions

Isn't this just an access-control problem? Access control is the biggest single piece, especially around retrieval, but it is not the whole picture. Memorisation, cross-session bleed, and manipulation-driven disclosure each need their own attention. Strong access control plus input minimisation plus output scanning is the combination that holds.

Can output filtering alone catch leaks? It is a vital backstop, not a complete solution. Filtering the output catches what slipped through, but the cheaper and more reliable place to stop a leak is before sensitive data ever reaches the model. Use both, in that order of preference.

How would we even know a leak happened? That is exactly the danger, and why monitoring matters. Without logging and output inspection, a disclosure looks like a normal answer. Visibility into what your model is actually returning is the difference between catching it and reading about it later.

How Promptention helps

We approach this from both ends of the pipeline. Our PII detection and output moderation inspect what your model is about to return, catching sensitive data and personal information before it leaves the system, and our prompt logging and activity monitoring give you the visibility to know what your model is actually disclosing, in real time rather than in hindsight. Combined with the guidance we give on retrieval-side access control, that turns a silent, hard-to-detect risk into one you can see and stop.

Promptention provides multilingual PII detection, output moderation, and activity monitoring, aligned to OWASP LLM02: Sensitive Information Disclosure.

Written byPromptention Team

Promptention is an enterprise AI security company. We help teams ship LLM and AI-agent applications safely — with guardrails, red teaming, and model scanning built for production.

Back to all articles

Keep reading

Lockdown Mode Is a Retreat, Not a Solution
securityJune 24, 2026

Lockdown Mode Is a Retreat, Not a Solution

OpenAI's Lockdown Mode restricts what ChatGPT can do in order to reduce security risk. That tradeoff reveals a deeper problem with how AI security is being approached.

Read More →4 min read
How to Threat Model an LLM Application (Without Boiling the Ocean)
securityMay 7, 2026

How to Threat Model an LLM Application (Without Boiling the Ocean)

You cannot defend what you have not mapped. We walk through a practical, repeatable way to threat model an LLM or agentic application, the trust boundaries, the data flows, and the questions that surface the risks that matter.

Read More →7 min read
Incident Response for AI: What to Do When the Model Is the Problem
securityMay 5, 2026

Incident Response for AI: What to Do When the Model Is the Problem

Your incident response plan assumes attacks look like intrusions. AI incidents often look like normal usage, which is why teams miss them. We lay out how to detect, investigate, and respond when the model itself is the vector.

Read More →7 min read