
Key facts.
- OpenTelemetry ships a "Handling sensitive data" guide and the matching collector processors: attributes (delete, update, hash keys), redaction (allow-list enforcement), filter (drop risky spans), and transform (regex masking).source
- The GenAI semantic conventions define attributes like gen_ai.prompt and gen_ai.completion that carry full text, which makes them the primary redaction targets in an agent trace.source
- The most secure approach is to redact before the data ever becomes a span attribute, so sensitive content never enters the pipeline at all, with PII detection via tools like Microsoft Presidio.source
- Under GDPR, IP addresses, user IDs, email addresses, and session tokens all qualify as personal data, so they trigger controller obligations and potential fines up to 4% of global revenue if mishandled in telemetry.source
Why is a reasoning trace a privacy hazard specifically?
It records actual inputs and outputs, not a sanitized summary. To debug why an agent did something, you capture the prompt it received (which may contain a customer's message), the documents it retrieved (which may contain account details), the tool calls it made (which may carry names, emails, or payment data), and the reasoning that connected them. that's precisely the richness that makes the trace useful, and precisely what makes it a regulated dataset. A trace store full of raw prompts and tool payloads is a store full of personal data, subject to the same rules as any other system that holds it.
Debuggability and compliance aren't a forced choice. Redact the sensitive values while keeping the structure: the shape of the reasoning, the sequence of tool calls, the success or failure, the latencies, all stay. The names and account numbers don't.

What does privacy-preserving tracing actually look like?
Defense in depth across four layers. At instrumentation, minimize: capture metadata (token counts, model names, tool success and duration) and use config like disabling full message-content capture where you don't need it. At the application, use allow-lists and represent sensitive presence with flags or hashes instead of raw values. At the collector, run the OpenTelemetry redaction, attributes, filter, and transform processors as a central gateway so nothing unapproved reaches the backend. And keep a separate, access-restricted audit log with full detail for compliance, distinct from the redacted observability stream your engineers read. Pair this with a PII detector like Presidio to catch what regex misses.
| Layer | What it does | Example control |
|---|---|---|
| Instrumentation | Capture less to begin with | Disable full message-content capture |
| Application | Mask before it leaves code | Hash IDs, flag presence not value |
| Collector | Central redaction gateway | Redaction / filter / transform processors |
| Storage | Separate audit from telemetry | Restricted full log vs redacted stream |
this is observability as a pattern-level property, which is where a Pattern Intelligence Layer puts it. Reliability at the pattern level means redaction and minimization are enforced around the agent's tracing on every run, so the team keeps the debuggability of full reasoning traces without the compliance exposure of raw PII. The model can change and the agent can scale, and the privacy controls hold, because they live in the pattern that captures the trace, not in a hope that the model never surfaces something sensitive.
Frequently asked questions
Will a stronger model reduce the sensitive data my traces collect?
The trace that debugs the agent is where PII piles up, and a more capable model doesn't make it safer, since IBM found AI breaches hit personal data 65% versus 53%. (source)
Do I lose debuggability if I redact?
No. You keep the reasoning structure, tool sequence, outcomes, and latencies. You strip the personal values. The shape that explains a failure survives redaction.
where's the safest place to redact?
Before the data becomes a span attribute, so it never enters the pipeline. Failing that, the collector is the central gateway. Layer both for defense in depth.
Does a better model reduce the PII in traces?
No. AI-touched data carries more PII exposure, not less, per the 2025 breach data. The control has to be redaction in the trace pipeline, independent of the model.

