Privacy

Prompt Injection vs. PII Leak: Different Threats, Different Fixes

The two are constantly conflated in security roadmaps. They are not the same problem, they don't share a mitigation, and the controls for one are useless against the other.

PromptShielder Security Team· Applied cryptography & privacy engineering March 25, 2025 6 min read

Two threats that share a name and nothing else

The security industry lumps both under 'AI safety' and the resulting roadmaps confuse them. A control that sanitises an LLM's output (injection defence) does nothing about the raw personal data in the prompt (leak defence). A control that redacts personal data before sending (leak defence) does nothing to stop an attacker's poisoned webpage from steering the model (injection defence).

Prompt injection: integrity

An attacker embeds instructions in content the model ingests — a webpage, a PDF, a support ticket, a calendar invite — and the model follows those instructions instead of yours. The fixes are architectural: separate untrusted content into a distinct role, constrain what tools the model can invoke, filter or type-check its output before you act on it, and use structured decoding when the shape of the answer is known.

PII leak: confidentiality

The user pastes something they shouldn't have. The model provider retains it. Later, a subpoena, a training run, an internal review, or a breach exposes it. There is no clever system prompt that undoes this. The only fix is not sending the material in the first place.

How redaction fits

Client-side redaction is the cleanest leak control because it operates before send, on the user's device, without a proxy. It happens to also reduce injection blast radius as a side effect — a smaller attack surface means fewer secrets to exfiltrate — but that is a benefit, not the primary purpose.

Frequently asked

Does OWASP treat these separately?+

Yes. LLM01 (Prompt Injection) and LLM06 (Sensitive Information Disclosure) are distinct entries in the OWASP LLM Top 10 for exactly this reason.

Can a single tool cover both?+

Rarely well. Vendors that claim to often do one properly and gesture at the other.

Sources
PrivacyTechnical
Try PromptShielder

Redact prompts before they leave your browser.

Free to try. Nothing is sent to a server. Ever.