Prompt Injection vs. PII Leak: Different Threats, Different Fixes
The two are constantly conflated in security roadmaps. They are not the same problem, they don't share a mitigation, and the controls for one are useless against the other.
Two threats that share a name and nothing else
The security industry lumps both under 'AI safety' and the resulting roadmaps confuse them. A control that sanitises an LLM's output (injection defence) does nothing about the raw personal data in the prompt (leak defence). A control that redacts personal data before sending (leak defence) does nothing to stop an attacker's poisoned webpage from steering the model (injection defence).
Prompt injection: integrity
An attacker embeds instructions in content the model ingests — a webpage, a PDF, a support ticket, a calendar invite — and the model follows those instructions instead of yours. The fixes are architectural: separate untrusted content into a distinct role, constrain what tools the model can invoke, filter or type-check its output before you act on it, and use structured decoding when the shape of the answer is known.
PII leak: confidentiality
The user pastes something they shouldn't have. The model provider retains it. Later, a subpoena, a training run, an internal review, or a breach exposes it. There is no clever system prompt that undoes this. The only fix is not sending the material in the first place.
How redaction fits
Client-side redaction is the cleanest leak control because it operates before send, on the user's device, without a proxy. It happens to also reduce injection blast radius as a side effect — a smaller attack surface means fewer secrets to exfiltrate — but that is a benefit, not the primary purpose.
Frequently asked
Does OWASP treat these separately?+
Yes. LLM01 (Prompt Injection) and LLM06 (Sensitive Information Disclosure) are distinct entries in the OWASP LLM Top 10 for exactly this reason.
Can a single tool cover both?+
Rarely well. Vendors that claim to often do one properly and gesture at the other.