AI Prompt Security: Protecting Enterprise Data at the LLM Boundary

When your employees use AI tools, they communicate with external models through prompts - natural language instructions that often contain the most sensitive information in your organisation. A lawyer summarising a privileged memo. An HR director asking about a disciplinary case. A CFO modelling acquisition scenarios. A developer pasting proprietary source code.

​

AI prompt security addresses a gap that traditional security architectures were never designed to cover: the systematic, high-volume, voluntary export of sensitive data through legitimate SaaS channels, embedded in natural language that conventional pattern-matching tools struggle to classify.

​

The challenge is not that employees are doing something wrong. They're doing exactly what these tools are designed for. The challenge is that the data flowing through these prompts; names, financial figures, legal strategies, health information, intellectual property - leaves your environment the moment the user presses enter.

Consider what happens when a lawyer at a mid-sized firm uses ChatGPT to summarise meeting notes:

 

The prompt: "Summarise the key takeaways from yesterday's call with Sophie Chen at Meridian Capital regarding the proposed acquisition of GreenField Energy. Key points: purchase price range of £45–52M, earn-out structure tied to EBITDA, and concerns about the environmental liability in the Northampton site."

 

What just left the building:

• Client name (Sophie Chen)

• Client organisation (Meridian Capital)

• Target company (GreenField Energy)

• Deal structure (purchase price, earn-out terms)

• Material non-public information (MNPI)

• Potential environmental liability (litigation risk)

 

This single prompt contains enough information to identify the transaction, the parties, and the commercial terms. Under US v. Heppner, feeding privileged communications into a third-party AI may constitute a waiver of legal professional privilege. Under GDPR, the personal data in this prompt has been transferred to a third-party processor without the technical safeguards regulators expect.

And this happens hundreds of times a day across your organisation.

AliasPath sits between your users and the AI model - at the proxy or API gateway level - and transforms every prompt before it leaves your network.

​

The same prompt, after AliasPath processing: "Summarise the key takeaways from yesterday's call with Emilia Chang at Halcyon Partners regarding the proposed acquisition of BlueRidge Solutions. Key points: purchase price range of £45–52M, earn-out structure tied to EBITDA, and concerns about the environmental liability in the Warwick site."

​

The AI model receives a complete, coherent prompt. It can summarise, analyse, and draft a response that's just as useful as if it had received the real data. But the names, companies, and locations are aliases - plausible, culturally coherent substitutes that preserve semantic meaning without exposing real identities.

​

When the response comes back, AliasPath rehydrates the aliases to their real values for the authorised user. The lawyer sees "Sophie Chen" and "Meridian Capital" in the AI's output. The AI model never did.

 

This is not tokenisation. We don't replace names with "[PERSON_1]" or "Entity_A" - that degrades AI output quality because the model loses context about gender, ethnicity, jurisdiction, and role. Our aliases are contextually significant: "Sophie Chen" becomes "Emilia Chang", not "Person_X". The AI reasons naturally. The data stays protected.

Privilege protection. If privileged legal communications are shared with a third-party AI without adequate technical safeguards, courts may find that privilege has been waived. Pseudonymisation at the prompt layer is a demonstrable technical measure that preserves the confidentiality required to maintain privilege.

​

Competitive intelligence. AI providers aggregate usage data for model improvement, abuse detection, and service analytics. Even where providers commit to not training on enterprise data, the prompt itself has been transmitted, processed, and logged - however transiently. In M&A, litigation, or competitive strategy scenarios, this creates an unacceptable exposure.

​

Cross-matter aggregation. In legal and professional services firms, different teams work on matters involving the same counterparties. When those teams use AI tools connected to shared knowledge bases (RAG, Copilot, connected drives), a query from one matter can surface information from another - information the querying user should never have seen. Pseudonymisation prevents this by ensuring that real identities are never stored in the shared knowledge base.

 

Regulatory expectation. The EDPB's 2025 Guidelines on Pseudonymisation explicitly recognise pseudonymisation as a technical measure supporting GDPR compliance. The EU AI Act's requirements for high-risk AI systems include data governance obligations that pseudonymisation directly addresses. Regulators are not asking whether you have a policy - they're asking whether you have a technical control.

What data does AliasPath detect in prompts?

AliasPath detects personal names, addresses, phone numbers, email addresses, national identifiers (NI numbers, SSNs, passport numbers), financial account numbers, company names, project names, and other configurable entity types. For complex semantic risks, such as legal privilege, opinion, or strategic intent - AliasPath can route prompts to a private LLM for deeper classification before deciding whether to pseudonymise, block, or allow.

​

Does this work for file uploads, not just text prompts?

Yes. AliasPath inspects file uploads (PDFs, Word documents, spreadsheets, images with embedded text) in addition to text prompts. Files are processed in real time at the proxy layer, sensitive data is pseudonymised within the file before it reaches the AI model.

 

What about Copilot, which is integrated into Microsoft 365?

Copilot queries pass through Microsoft's Graph API and, depending on configuration, may route through external model endpoints. AliasPath can be deployed as a downstream proxy behind your primary secure web gateway (Zscaler, Palo Alto, etc.), intercepting Copilot traffic specifically without disrupting other Microsoft 365 functionality. This is the same composable architecture that enterprises use for other high-risk application categories.

​

Can employees bypass AliasPath by using AI tools on personal devices?

AliasPath operates at the network boundary, not the endpoint. If an employee accesses AI tools outside your managed network (personal device, personal account), AliasPath cannot intercept that traffic, but this is true of any network-layer security control. The appropriate complementary measure is policy (acceptable use), not technology. What AliasPath ensures is that all AI usage through your managed environment is protected.

​

How does AliasPath affect AI output quality?

Because AliasPath uses contextually coherent aliases rather than generic tokens, AI output quality is preserved. The model receives names that are culturally plausible, addresses that are geographically coherent, and identifiers that are structurally valid. In independent testing, AI outputs generated from pseudonymised prompts are indistinguishable in quality from outputs generated from real data.