
AI Redaction Placeholders: What They Do and Do Not Protect

Redaction placeholders like <private_email> show a tool caught something, not that the model never saw the original. What they protect, and what they miss.

8 min read · PortEden Team

You paste a customer message into ChatGPT, or you read a summary it produced, and a small tag appears where a name or an email used to be: <private_person> or <private_email>. That tag is an AI redaction placeholder, and it means a privacy tool removed something sensitive before the text reached you. It is a good sign. It is also easy to misread. This post explains what a redaction placeholder genuinely protects, what it does not, and the questions to ask so you can tell real protection from the cosmetic kind.

What a redaction placeholder actually is

A redaction placeholder is a typed label that an automated privacy tool puts in place of a sensitive value it removed. Instead of deleting the value silently, the tool leaves a marker that names the kind of information that used to be there, so the surrounding text still makes sense.

The lowercase, angle-bracket tokens many people see, <private_person>, <private_email>, and <private_date>, come from OpenAI's Privacy Filter, an open-weight model for detecting personal data in text. Other tools use other styles, such as [EMAIL_ADDRESS] or a plain [REDACTED]. For a full table of what each token stands for, see our reference on redaction placeholders.

What a placeholder does protect

The protection is real as far as it goes. Once a value has been replaced with a placeholder, that value is no longer in the text you are looking at. It will not be saved in that log, displayed on that screen, copied into that ticket, or learned from that particular copy. For a name, an email, or a card number, that is a meaningful reduction in exposure.

Typed placeholders also keep the text useful. A model reading your <private_date> appointment still understands that a date belonged there, so it can summarize or route the message without the real value. That is the point of redaction for AI: keep the structure, drop the secret.

What a placeholder does not protect

Here is where a placeholder is easy to over-trust. Seeing one tells you something was caught in the copy you are reading. It does not, on its own, answer three questions that decide whether your data was actually protected.

It does not tell you when the value was removed

A placeholder shows the value is gone from the text in front of you. It does not show when the value was removed. If the AI model you are sending data to produced the redaction, that model already received and processed the original, and redaction after the fact cannot un-send it. The clean transcript is cosmetic. The only way to keep a value from a model is to block or remove it before the request reaches the model, at egress from your systems.

What matters is whether redaction runs before the data reaches the model or only on what the model hands back. If you are building this into a pipeline, our guide on how to redact PII before it reaches an LLM covers where to place it.

It does not mean everything was caught

A placeholder marks a value the tool recognized. It says nothing about values the tool missed. Detection is probabilistic, and vendors say so. OpenAI describes its Privacy Filter as a redaction and data minimization aid, not an anonymization, compliance, or safety guarantee, and notes that it only catches the categories it was trained on and can perform worse on non-English text. So the absence of a placeholder is not proof that a document is clean. These details are accurate as of June 2026; confirm current behavior with the vendor.

It does not tell you if the value is recoverable

Finally, a placeholder does not tell you whether the original is gone for good or recoverable. Tools like the Privacy Filter discard the value, so <private_email> is one-way and cannot be reversed from the token. Enterprise systems may instead keep a short-lived, access-controlled vault so authorized people can restore the value later. Either way, the mapping lives outside the text, never inside the token, which is why you cannot infer the answer from the placeholder alone.

Cosmetic redaction vs real redaction

The difference between cosmetic redaction and real redaction is not visible in the placeholder. It is in how the system behind it works. Four questions separate the two:

  • Where does redaction run? Before the model receives the data, at egress from your systems, or only on the output you are shown. Only the first keeps the raw value away from the model and its vendor.
  • Is there a record of what was redacted? A real control produces an audit trail of which identifiers were redacted on each request. Without it, a miss is invisible.
  • Does the vendor receive the raw value at all? If redaction happens at the boundary, the answer is no by construction, and vendor trust stops being the question.
  • Can the right people recover values under control? For workflows that need the real value back, recovery should be scoped and logged, not impossible and not wide open.

If a tool cannot answer these, the placeholder you see may be protecting the transcript more than it is protecting your data.

How PortEden approaches it

PortEden is built around the first answer to those questions. It is a data firewall for AI: it redacts at egress, on the boundary between your systems and the model, so raw values never reach the model or its vendor in the first place.

The flow is detect, redact, re-hydrate. A classifier scans every field bound for the AI, covering more than 50 identifier types and over 120 secret patterns, with median latency under 40 milliseconds on an email-sized payload. Detected values are replaced with structure-preserving placeholders such as [PERSON_1] and [DATE_2024-03-15], and the originals go into a short-lived, encrypted vault. When the model's reply comes back referencing the placeholders, PortEden restores the real values in the user's browser. The model never sees the originals, the user never sees the placeholders, and every redaction event is recorded in the audit log.
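The detect, redact, re-hydrate flow above, together with the audit-trail question from the earlier checklist, as an added example (not PortEden's code or API). The two regex detectors, the `[EMAIL_1]`-style token format, the function names and the sample message are assumptions constructed for illustration; the detectors are deliberately narrow so that the missed name shows why the absence of a placeholder is not proof of a clean document.

```python
import re
from collections import defaultdict

# Constructed, deliberately narrow detectors (assumption): two regexes stand in
# for a real classifier so that a miss is easy to see.
DETECTORS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "DATE": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}
TOKEN = re.compile(r"\[(?:EMAIL|DATE)_\d+\]")

def redact_at_egress(text):
    """Run before the request is sent. Returns (safe_text, vault, audit)."""
    vault, audit, seen = {}, [], {}
    counters = defaultdict(int)

    def swap(match, kind):
        value = match.group(0)
        if value not in seen:  # repeated values share one token
            counters[kind] += 1
            seen[value] = f"[{kind}_{counters[kind]}]"
            vault[seen[value]] = value  # mapping lives outside the text
            audit.append({"type": kind, "token": seen[value]})  # no raw value logged
        return seen[value]

    for kind, pattern in DETECTORS.items():
        text = pattern.sub(lambda m, k=kind: swap(m, k), text)
    return text, vault, audit

def rehydrate(reply, vault):
    """Restore originals in the model's reply; unknown tokens are left as-is."""
    return TOKEN.sub(lambda m: vault.get(m.group(0), m.group(0)), reply)

# Constructed sample input and a constructed stand-in for the model's reply.
MESSAGE = ("Hi, this is Ana Lopez (ana@example.com). Can we move my "
           "2024-03-15 appointment? Reply to ana@example.com.")
MODEL_REPLY = "Confirm the [DATE_1] change with [EMAIL_1]."

if __name__ == "__main__":
    safe, vault, audit = redact_at_egress(MESSAGE)
    print(safe)    # what the model would receive; the name slipped through
    print(audit)   # per-request record of what was redacted
    print(rehydrate(MODEL_REPLY, vault))
```

Only `safe` crosses the boundary; the vault and audit list stay on the sending side, which is what makes the redaction more than cosmetic.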

Policy can be scoped per integration, per user, and per AI client, and the approach maps to HIPAA section 164.514(b) Safe Harbor de-identification as a redaction control. The same engine is available over an API you can wire into your own pipeline; see the API documentation or the PII API.

The bottom line

A redaction placeholder is a good sign. It means a privacy tool is doing something. It is not, on its own, a guarantee that your data was protected, that everything sensitive was caught, or that the model never saw the original. If the model itself produced the placeholder, the data already reached it, which is why redaction that runs before the model is the only kind that keeps data out. Treat each placeholder as a prompt to ask one question: where does this redaction actually run? When the answer is at egress, with an audit trail, the tag in your transcript reflects protection that already happened upstream.

To decode the specific tokens you are seeing, our redaction placeholders reference lists every one and what it stands for.


PortEden is a software provider, not a law firm, accounting firm, or compliance auditor, and nothing on this page is legal, compliance, tax, or other professional advice. PortEden does not issue compliance certifications, attestations, or audit opinions. This content is provided for general informational purposes only, on an as-is basis and without warranties of any kind, and may not reflect the most current laws, regulations, or your specific situation. Before acting on it, consult a qualified attorney, auditor, or compliance professional.