Architecture ยท AI Systems ยท Data Security
Architecting Trustworthy AI: An Enterprise Guide to Data Strategy and Management
A tiered framework for safely classifying, protecting, and governing enterprise data when integrating large language models into production systems.
๐ 12 min read
๐ฅ Developers ยท Architects ยท Tech Leaders
As enterprises race to embed AI into their products and workflows, a dangerous assumption is spreading quietly through engineering teams: that sending data to an LLM is roughly equivalent to querying a database. It is not. LLMs are probabilistic, externally-hosted (often), context-retaining surfaces , and the consequences of mishandling data in these pipelines can range from compliance violations to existential reputational damage. This guide presents a practical, tiered framework for every engineering team building AI-powered systems.
Why data classification is non-negotiable in AI systems
Traditional data governance was designed around structured pipelines , databases, APIs, ETL jobs , where data movement was explicit, auditable, and deterministic. LLM-based architectures break every one of those assumptions. When you pass data into a prompt, you are not querying a function with a defined return type. You are exposing that data to a system that may reflect, restate, recombine, or leak it in unpredictable ways.
The old model
Explicit queries โ deterministic output โ auditable path. Data flows are known and bounded.
The AI model
Unstructured prompts โ probabilistic generation โ emergent behavior. Data boundaries are porous.
The solution is not to avoid LLMs , it is to approach them with the same rigor that regulated industries apply to any third-party data processor. That starts with data classification.
The six-tier data classification framework
The framework below classifies enterprise data into six input tiers , from fully sendable to strictly blocked , plus two mandatory output tiers. Each tier carries a defined posture, a required control, and an implementation pattern developers can apply immediately.
Public (safe to send)Strictly blocked (never send)
Tier 1 , PublicAllowed with sanitization
Required control: None (basic sanitization only)
Public data is safe to send directly to the LLM after basic sanitization and formatting. This covers product catalogues, public documentation, FAQ content, and non-sensitive user queries. The system must still detect and block prompt injection attempts before dispatching any input.
// Tier 1 , Public data handling
if (isPromptInjection(input)) block();
cleanInput = sanitize(input); // trim, normalize, strip control chars
sendToLLM(cleanInput);
Example: "List all products in the software category" โ sanitize whitespace and control characters โ send. No tokenization or access control required.
Tier 2 , InternalHandle with care , data minimization
Required control: Data minimization + RBAC enforcement
Internal business data , employee assignments, internal IDs, project codes, org-level configurations , should only reach the LLM when strictly necessary and never in full. Enforce role-based access control first, then strip all non-essential identifiers before constructing the prompt.
// Tier 2 , Internal data handling
if (!hasAccess(user, "internal")) deny();
input = removeFields(input,
["employeeId", "fullName", "costCenter"]);
sendToLLM(input);
Example: "Employee (ID: EMP-4821) is assigned to Project Alpha" โ verify access โ strip identifier โ send "A team member is assigned to Project Alpha."
Tier 3 , ConfidentialRestricted , encryption + RBAC required
Required control: Encryption at rest + RBAC + aggregation
Confidential financial, strategic, or business-sensitive data must never be exposed raw. Enforce role-based access control, aggregate or summarize values before transmission, and encrypt at rest using AES-256. When raw data is unavoidable, evaluate a private or on-premises LLM deployment.
// Tier 3 , Confidential data handling
if (!hasRole(user, "finance-analyst")) deny();
input = aggregate(input); // "~$5M range" not "$4,982,341.00"
// Data at rest must be AES-256 encrypted
sendToLLM(input);
Example: "Q1 revenue is $4,982,341" โ aggregate โ send "Revenue increased by approximately 12% in Q1." Exact figures must never appear in the prompt.
Tier 4 , PIITokenize , replace identifiers before sending
Required control: Tokenization + audit logging
Personally identifiable information , names, email addresses, phone numbers, national IDs , must be detected using regex patterns and Named Entity Recognition (NER), replaced with opaque tokens, and only the tokenized form is passed to the LLM. Token-to-value mappings must be stored in an encrypted vault.
// Tier 4 , PII tokenization
tokens = tokenizePII(input); // "Alice Brown" โ "USER_4F2A"
logAccess(user, resource, "PII"); // mandatory audit entry
sendToLLM(tokens.sanitizedText);
Example: "Alice Brown can be reached at alice@company.com" โ "USER_4F2A can be reached at EMAIL_001." The mapping lives only in your secure token vault.
Tier 5 , PCI / Regulated IDsBlocked , on-premises processing only
Required control: DLP detection + application-layer blocking
Payment card data, account numbers, tax identifiers, and other PCI-regulated fields must be blocked at the application layer before the LLM pipeline is invoked at all. This data class must never leave your network boundary. On-premises or private model processing may be approved through a formal governance review only.
// Tier 5 , PCI / regulated ID blocking
if (dlpScan(input).containsRegulatedData()) {
auditLog(user, "BLOCKED: Tier 5 detected");
throw new Error("Request blocked: regulated data");
}
Note: Redacting a payment card number from a transaction request often makes the request meaningless. Treat this as an authorization problem, not a sanitization problem , block the entire request.
Tier 6 , Biometric / Health / PassportStrictly blocked , hard reject + security alert
Required control: Hard block + security alert + zero payload logging
Highly regulated data , biometrics, health information, passport details, and genetic data , must be rejected at the earliest possible point in the pipeline. The payload content must not be logged. The event itself must be recorded and trigger an automated security alert for immediate team review.
// Tier 6 , Strictly blocked data
if (detectHighlyRegulated(input)) {
triggerAlert(securityTeam, {
user: user.id, timestamp: new Date(),
reason: "Tier 6 data detected" // payload intentionally omitted
});
return reject("Request cannot be processed");
}
Example: A request containing health-related fields must be blocked entirely , not redacted. Removing a diagnosis from a request changes its intent; block the whole request.
Output tiers: the second half of the problem
Most teams focus entirely on what goes into the LLM and ignore what comes back out. This is a critical oversight. LLMs can inadvertently synthesize, infer, or reflect sensitive information in their responses even when the input was sanitized. Two mandatory output controls close this gap.
Output Tier AOutput filtering , generalize and mask sensitive insights
Required control: Post-process every response; generalize or mask sensitive derived insights
Every LLM response must pass through an output filter before being returned to the client. The filter should convert specific values into generalized statements and anonymize any content that could constitute a sensitive disclosure , even if not present in the original input prompt.
// Output Tier A , response filtering
output = filterSensitiveInsights(output);
// "Account #A-2291 generated $340K this quarter"
// โ "This account is a significant revenue contributor"
return anonymize(output);
Output Tier BOutput validation , scan, redact, and audit-log every response
Required control: PII scan + redaction + audit log on every outbound response
After filtering, run a final PII scan across the complete response payload. Redact any remaining identifiers, validate the response is appropriate for the requesting user's access level, and log the full exchange for audit compliance.
// Output Tier B , validation and audit
output = redactPII(output);
auditLog({ user, requestId, output });
// "Alice Brown prefers enterprise tier"
// โ "The user prefers enterprise tier"
return output;
The full data flow: how it connects in practice
Below is the recommended pipeline architecture connecting all tiers. Every request flows through classification, input control, LLM processing, and output control before it reaches the end user. No request bypasses this chain.
Request pipeline , left to right
User request
โ
Data classifierTier 1โ6 assigned
โ
DLP / NER scanregex + model
โ
Input controlsanitize / tokenize / block
โ
LLM
โ
Output filtergeneralize / redact
โ
Audit log
โ
User
โย Tier 5 & 6 reject before DLP completes
โย Tier 4 detokenizes after LLM if needed
โย Output filter runs on all tiers
Implementation checklist for engineering teams
Use this checklist as part of your AI feature design review. Every LLM integration in your system should satisfy each item before shipping to production.
- Data classification has been assigned to every field that could reach a prompt
- Prompt injection detection runs before all LLM calls, across all tiers
- RBAC is enforced at the application layer, not only in the UI
- A regex + NER pipeline is implemented for PII detection (Tier 4)
- The token vault is encrypted and access-controlled (Tier 4)
- DLP scanning is integrated and runs before the LLM pipeline is invoked (Tier 5+)
- Tier 5 and 6 data triggers hard blocks with automated alerting , not soft warnings
- Output filtering and PII redaction run on every LLM response without exception
- Every LLM exchange is audit-logged (excluding Tier 6 payload content)
- Private or on-premises LLM deployment has been evaluated for Tier 3+ workloads
Common mistakes architects make
Even experienced teams get these wrong under delivery pressure. These are the failure modes that appear most frequently in enterprise AI deployments.
Treating output filtering as optional
Teams invest heavily in input classification but ship raw LLM output directly to users. An LLM can infer and restate sensitive data even from sanitized inputs , output filtering is not optional, it is a required layer at every tier.
Redacting instead of blocking for Tier 5 and 6 data
Redacting a payment card number from a financial transaction request makes the request meaningless. These are authorization problems, not sanitization problems. Block the entire request, not just the sensitive field.
Relying on the LLM to self-govern via system prompts
System prompt instructions like "do not repeat personal data" are not a control , they are a suggestion. Models can be adversarially prompted to ignore instructions. All controls must live in your infrastructure layer, not inside the prompt.
Logging Tier 6 payload content
When blocking biometric or health data, logging the blocked payload creates a new exposure: that highly sensitive content now lives in your log store. Log the event metadata (timestamp, user, request ID) but never the payload content for Tier 6 data.
Technology leader considerations
For CTOs and AI product leaders, this framework is not only an engineering concern , it maps directly to regulatory exposure. Multiple compliance obligations apply depending on your jurisdiction and industry vertical.
Regulatory mapping
GDPR Article 25 (privacy by design) directly requires Tier 2โ4 controls. PCI-DSS mandates Tier 5 hard blocks for cardholder data. HIPAA requires Tier 6 treatment for any PHI passed to external processors.
Vendor diligence
External LLM providers must be treated as data processors under GDPR. For Tier 3+ data, a Data Processing Agreement (DPA) is legally required before any data is transmitted. Tier 5+ data must not leave your perimeter regardless of DPA status.
Architecture principle
Design for the highest classification tier that could reasonably appear in a given pipeline , not the most common case. A user-facing assistant might typically handle Tier 1 data, but a single misdirected request containing a regulated identifier means Tier 5 controls must be present from the first deployment. Retrofitting controls is significantly more expensive than designing for them upfront.
Build AI systems that earn trust by design
The enterprises that succeed with AI in the long run will not be the ones who moved fastest , they will be the ones who built the governance foundation that lets them move confidently. Classify your data. Apply the right controls at every tier. Make output filtering as non-negotiable as authentication. This framework is not a compliance checkbox , it is the architecture that makes enterprise AI sustainable.
Written by Pavan Verma , May 26, 2026 , Based on the enterprise AI data governance framework