Beyond Masking: The Challenge of Safe Data Reveal
You can build a masking demo in an afternoon. Run a regex for credit card patterns, swap the match for XXXX, and ship it. The demo works, the compliance slide says “no PII sent to the LLM,” and everyone moves on. That demo is fooling you by leaving things out. It works because the input is a) clean (card 4111 1111 1111 1111), b) because the only sensitive thing in it is a textbook PII pattern, and c) because nobody downstream ever needs to use the value again.