Skip to main content

Webinar: Scale GenAI with Confidence – Turn Pilots into Enterprise Wins | Register Today!

Book a Demo

CPO Insights: Addressing Generative AI Privacy Challenges

David Hannibal
Post By David Hannibal March 6, 2025
Abstract header image featuring Squirro's David Hannibal for a blog on generative AI privacy challenges

In today's rapidly evolving landscape, Generative AI presents incredible opportunities, but also complex challenges, especially when it comes to protecting sensitive data and ensuring regulatory compliance. For those in the banking, financial services, and insurance (BFSI) sector, where business builds on handling personal data, or in manufacturing where intellectual property is king, deploying generative AI can feel like a tightrope walk. We all need to innovate, but we can't afford to compromise on security or regulatory adherence.

But there’s good news: By and large, these generative AI privacy concerns have been addressed. If you aren’t convinced, consider this: For years, our enterprise-grade GenAI platform has been relied on by central banks, financial regulators, and some of the leading financial service providers

In this article, we'll dive deeper into the specific challenges of data residency and personally identifiable information (PII) protection, explore practical best practices that you can implement right now, and, most importantly, reveal a crucial layer of protection that can empower your teams while ensuring absolute compliance. I hope you’ll come out with the knowledge and tools you need to confidently navigate this complex terrain and leverage the power of GenAI without sacrificing security or trust. 

(And if you don’t, ping me on LinkedIn or at david.hannibal@squirro.com and we can chat 1:1.)

The AI Data Residency Dilemma

One of the first hurdles we encounter is data residency. We’re often dealing with sensitive first-party data – investment research, customer details, proprietary designs – information that simply cannot leave our sphere of control. This often means opting for deployment options within Virtual Private Clouds (VPCs) or on-premises environments. It's about keeping your data where it belongs: with you.

Another key consideration is whether the GenAI runs within your own tech stack or in a multi-tenant environment. Hosting it in your Virtual Private Cloud (VPC) or on-premises keeps data under your control, while multi-tenant solutions introduce risks by processing data in shared environments, often with limited visibility into where sensitive information may travel.

But data residency is just the beginning. Consider the journey of a query: data from your knowledge base is pulled and then fed to a large language model (LLM) to generate a response. If those LLMs aren't under our direct control, we're potentially exposing personally identifiable information to third-party providers. (Examples of PII include personal details like names, email addresses, account and Social Security numbers, etc.) This is a red flag, especially when dealing with AI privacy laws and strict regulations such as GDPR, HIPAA, CCPA/CPRA, or PDPA.

The PII Challenge

PII is truly the lifeblood of BFSI. Understanding our customers, their behaviors, and preferences is critical. To truly leverage this data, we need to unlock it from unstructured sources like SharePoint, Dynamics, Salesforce, and PDFs, which is best done by feeding it into an enterprise GenAI framework powered by retrieval augmented generation (RAG) and LLMs. 

But the cost of hosting and running LLMs can be steep, pushing many organizations to cloud providers like AWS, GCP, or Azure. This introduces another layer of complexity in data flow and storage, and compliance.

So, What Can We Do?

Here are some best practices that can help you navigate these challenges:

  • Enterprise LLMs: Opt for self-hosted or private LLM instances where you have complete control over the data flow. This provides the highest level of security. 
  • Data Processing Agreements (DPAs): If you must use external LLM providers, ensure robust DPAs are in place. These contracts should explicitly outline data handling and compliance commitments.
  • Data Anonymization: Where possible, strip out the PII. Anonymize or pseudonymize the data before it ever reaches the LLM. This is a strong first line of defense.
  • Access Controls: Implement strict access controls. Only those who absolutely need to should be able to input or retrieve sensitive information – like your clients’ PII – from the system.
  • Audit and Monitoring: Regularly review logs and policies. Continuous monitoring is essential to catch any potential compliance breaches.

A Layer of Protection

As a CPO, I understand the balancing act. We need innovation, but not at the expense of governance or privacy. That's why add-on modules like our privacy layer are crucial. It acts as an intermediary, cleansing data of PII before it interacts with the LLM. 

When a prompt comes in containing PII, the system hashes the PII so that it is masked to the LLM. Next, the LLM generates a response, and then the original PII is securely re-integrated into the final output. This gives users the answers they need without compromising sensitive data. This also ensures your CISO doesn’t fall under any additional GDPR, CCPA, etc., regulations if the data was shipped off to an LLM in another country or regulated jurisdiction.

The Key Differentiator for Compliance

The ability to intercept prompts containing PII before they reach the LLM, and to provide meaningful answers while ensuring PII exclusion from LLM processing, is a game-changer. And it’s precisely this that our privacy layer delivers. It's about having the right controls in place, not just asserting access rights.

The Key Differentiator for Governance and Control

While PII sensitivity is key, it’s almost more critical to ensure that, within the organization, the right data doesn’t get to the wrong person. While many genAI platforms or internally built solutions can easily ensure the right data gets returned, it’s much harder, and more important, to ensure that the right data goes to the right person. 

Access control, or data governance, is paramount to preventing data leaks, both internally and externally. Here, I am thankful to key customers in the regulatory space who have pushed us to the limits to ensure that, when we say we can do privacy and governance at scale, we actually deliver. If I cannot ensure privacy and access controls for the world’s largest regulators, I cannot ensure it for you. Fortunately, we can and we do

Done right, generative AI can empower your teams with the insights they need while keeping your organization's and customers' data safe and compliant. If that sounds interesting, reach out to learn how we can help you confidently step into this new era. Let’s discuss how solutions like our privacy layer, knowledge graphs, or AI guardrails can address your specific challenges and unlock the full potential of GenAI for your organization.

Featured:

Subscribe to Our Newsletter

You will get:

  • - Expert Interviews
  • - Best Practices
  • - Whitepapers
  • - Use Cases and Industry News

For more information check out our Privacy Policy.

Discover More from Squirro

Check out the latest of the Squirro Blog for everything on AI for business

CPO Insights: Addressing Generative AI Privacy Challenges
CPO Insights: Addressing Generative AI Privacy Challenges
Read More
Read More
Leveraging Generative AI for Business Process Improvement
Leveraging Generative AI for Business Process Improvement
Read More
Read More
AI Readiness: Are Organizations Truly Prepared for Enterprise AI?
AI Readiness: Are Organizations Truly Prepared for Enterprise AI?
Read More
Read More