Your agent traces are full of PII, and that is a compliance problem

The reasoning traces that make an agent debuggable also capture prompts, retrieved context, and tool data thick with personal information. You can keep the visibility and redact the risk.

B

Balagei G Nagarajan

4 MIN READ


An agent trace flowing through a series of redaction filters that strip out names, emails, and IDs before it reaches storage
Pair this with a PII detector like Presidio to catch what regex misses.
— from “Your agent traces are full of PII, and that is a compliance problem”

Key facts.

  • OpenTelemetry ships a "Handling sensitive data" guide and the matching collector processors: attributes (delete, update, hash keys), redaction (allow-list enforcement), filter (drop risky spans), and transform (regex masking).source
  • The GenAI semantic conventions define attributes like gen_ai.prompt and gen_ai.completion that carry full text, which makes them the primary redaction targets in an agent trace.source
  • The most secure approach is to redact before the data ever becomes a span attribute, so sensitive content never enters the pipeline at all, with PII detection via tools like Microsoft Presidio.source
  • Under GDPR, IP addresses, user IDs, email addresses, and session tokens all qualify as personal data, so they trigger controller obligations and potential fines up to 4% of global revenue if mishandled in telemetry.source

Why is a reasoning trace a privacy hazard specifically?

It records actual inputs and outputs, not a sanitized summary. To debug why an agent did something, you capture the prompt it received (which may contain a customer's message), the documents it retrieved (which may contain account details), the tool calls it made (which may carry names, emails, or payment data), and the reasoning that connected them. that's precisely the richness that makes the trace useful, and precisely what makes it a regulated dataset. A trace store full of raw prompts and tool payloads is a store full of personal data, subject to the same rules as any other system that holds it.

Debuggability and compliance aren't a forced choice. Redact the sensitive values while keeping the structure: the shape of the reasoning, the sequence of tool calls, the success or failure, the latencies, all stay. The names and account numbers don't.

Defense-in-depth layers: redaction at instrumentation, at middleware, at the collector, and at storage, with PII stripped progressively at each gate

What does privacy-preserving tracing actually look like?

Defense in depth across four layers. At instrumentation, minimize: capture metadata (token counts, model names, tool success and duration) and use config like disabling full message-content capture where you don't need it. At the application, use allow-lists and represent sensitive presence with flags or hashes instead of raw values. At the collector, run the OpenTelemetry redaction, attributes, filter, and transform processors as a central gateway so nothing unapproved reaches the backend. And keep a separate, access-restricted audit log with full detail for compliance, distinct from the redacted observability stream your engineers read. Pair this with a PII detector like Presidio to catch what regex misses.

LayerWhat it doesExample control
InstrumentationCapture less to begin withDisable full message-content capture
ApplicationMask before it leaves codeHash IDs, flag presence not value
CollectorCentral redaction gatewayRedaction / filter / transform processors
StorageSeparate audit from telemetryRestricted full log vs redacted stream

this is observability as a pattern-level property, which is where a Pattern Intelligence Layer puts it. Reliability at the pattern level means redaction and minimization are enforced around the agent's tracing on every run, so the team keeps the debuggability of full reasoning traces without the compliance exposure of raw PII. The model can change and the agent can scale, and the privacy controls hold, because they live in the pattern that captures the trace, not in a hope that the model never surfaces something sensitive.

Frequently asked questions

Will a stronger model reduce the sensitive data my traces collect?
The trace that debugs the agent is where PII piles up, and a more capable model doesn't make it safer, since IBM found AI breaches hit personal data 65% versus 53%. (source)

Do I lose debuggability if I redact?
No. You keep the reasoning structure, tool sequence, outcomes, and latencies. You strip the personal values. The shape that explains a failure survives redaction.

where's the safest place to redact?
Before the data becomes a span attribute, so it never enters the pipeline. Failing that, the collector is the central gateway. Layer both for defense in depth.

Does a better model reduce the PII in traces?
No. AI-touched data carries more PII exposure, not less, per the 2025 breach data. The control has to be redaction in the trace pipeline, independent of the model.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.