OWASP LLM Top 10LLM02:2025highv1.0.0 · System

PII Output Prevention

Scans model responses for personally identifiable information (PII) — names, emails, phone numbers, national IDs — and blocks or redacts before display.

📘Clone & start observing

Creates a Guideline policy. Observation only — nothing is blocked until you promote to Strict.

Mode on clone: log

Policy name

Defaults to template name. Customise to distinguish multiple instances of the same template.

Leave empty to apply broadly via the template's default data-classification / risk-tier filters.

Rationale

LLMs trained on or augmented with personal data may surface PII in responses, even when the prompt didn't ask for it. GDPR Art. 5 requires data minimisation; this policy enforces it at the output boundary.

Example violation

Model response: "Customer Sarah Mitchell (sarah.m@acme.com, +44 7700 900123) opened ticket #4421."

Triggers (1)

outputScan model response before returning to user

Detectors (2)

pii_detectorpii-named-entity
Multilingual NER for person names, locations, IDs
regexpii-regex
Pattern matching for emails, phones, national IDs

Actions (2)

redactReplace PII with [REDACTED] tokens
logRecord what types of PII were found

Tunable parameters (3)

PII detection confidence threshold

basicnumber

Higher = fewer false positives but may miss obfuscated PII.

Default: 0.8

PII categories to redact

basiclist

Which PII types to redact. Add or remove based on your data classification.

Default: ["EMAIL","PHONE","PERSON","NATIONAL_ID","CREDIT_CARD"]

Custom PII regex patterns

expertregex

Domain-specific identifiers (e.g. customer numbers, policy IDs).

Default: []

Regulatory references

GDPR Art. 5GDPR Art. 32

Template defaults (suggested target after promotion)

Suggested mode

redact

Risk tiers

—

Data classifications

confidential, restricted

Departments

—

Cloned policies start in Guideline mode. Use the promotion wizard to flip to Strict once you trust the false-positive rate.