Product · Implementation

How Privian implements the AI Security Layer

A single in-process hop between your application and AI providers.

This page describes how Privian builds the masking, routing and rehydration pipeline. For the category definition and reference architecture, see the educational pillar.

Overview

What it is

The AI Security Layer is Privian's product framing for the masking, routing and rehydration layer that sits between your application and AI providers. For the full category definition, architecture and FAQs, see the AI Security Layer category page.

The layer reduces prompt-level exposure before a managed provider call; it does not replace governance, provider review or model-safety controls.

How it works

Inside the request flow

AI Security Layer request flowApplication traffic crosses the security layer and gateway before the provider response returns.ApplicationAI requestSecurity layerdetect and maskGatewayauthenticate and routeProvidermasked promptResponserehydratedApplication traffic crosses the security layer and gateway before the provider response returns.
AI Security Layer request flow

Framework

Security layer sequence

  1. 01

    Detect

    Scan prompts for supported sensitive entities.

  2. 02

    Mask

    Replace detected values with placeholders.

  3. 03

    Route

    Forward protected content with customer-owned credentials.

  4. 04

    Rehydrate

    Restore mapped values before returning the response.

  1. Step 1

    Detect

    Scan inbound prompts for personal and sensitive entities.

  2. Step 2

    Mask

    Replace detected values with deterministic placeholders.

  3. Step 3

    Route

    Forward the masked prompt using your BYOK credentials.

  4. Step 4

    Rehydrate

    Restore originals in the response inside the gateway.

Example

Request boundary example

Before the security layer

Application request: "Review Jane Doe's account, jane@example.com."

At the provider boundary

Provider request: "Review PERSON_1's account, EMAIL_1."

Composed of

What the layer is composed of

  • LLM Gateway

    Provider-agnostic routing with BYOK. See /products/llm-gateway.

  • PII Masking

    Detection and replacement of personal and secret entities.

  • Prompt Security

    Privacy-focused controls on what leaves your network as a prompt.

  • Rehydration

    In-gateway restore of original values in responses.

FAQ

Frequently asked questions

What is the AI Security Layer?
A thin network hop between your application and AI providers that detects, masks, routes and rehydrates — without storing prompts or responses.
How is it different from an LLM gateway?
An LLM gateway is just routing. The AI Security Layer adds privacy controls — masking and rehydration — around that routing layer.
Does the provider see the original values?
No. The provider only ever sees the masked prompt.

Enterprise review

Questions buyers commonly ask

Where does the layer sit?
Between your application and model providers, in the request and response path.
What controls run in the layer?
Authentication, supported-entity detection, masking, provider routing, response rehydration and sanitized observability.
Does the provider see original detected values?
No. Detected values are replaced before the provider call.
Does it replace provider controls?
No. Provider configuration, retention terms and account security remain separate review areas.

Scope

What this does NOT solve

Plans & pricing

Pricing for Privian's AI Security Layer

Explore plans for teams building privacy-sensitive AI workflows. Privian is in beta — pricing and limits may change.