Runtime Guardrails & PII Redaction

"Govern, Secure and Control every AI Action"

Overview

Most AI security inspects the user’s prompt and the model’s answer. But sensitive data and injected instructions enter at far more points than the chat box – in tool-call arguments, in MCP invocations, and in the documents a RAG pipeline retrieves. And once a prompt leaves your environment for a hosted scanner, you’ve created a second copy of exactly the data you’re trying to protect. DeepintShield runs every check in-process, inside your trust boundary, at the five stages where harm can occur, and redacts PII, PHI, and secrets before the model or the audit log ever sees them. Audit-safe redaction reduces a secret to a length-only hint, so the audit trail never becomes a second copy of the leak.
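The length-only hint described above, sketched as an added example; this is not DeepintShield code. The detector patterns, the `redact` function and the `[REDACTED:kind:len=N]` placeholder format are assumptions made for illustration, and the sample input is constructed.

```python
import re

# Illustrative detectors only (assumed patterns, not the product's rule set).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact(text: str):
    """Return (redacted_text, audit_events). Audit events hold the kind and
    the matched length only, never the value or any prefix/suffix of it."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue        # long number that is not a valid card
            hits.append((m.start(), m.end(), kind))
    hits.sort()
    out, events, pos = [], [], 0
    for start, end, kind in hits:
        if start < pos:         # overlaps an earlier hit; already covered
            continue
        out.append(text[pos:start])
        out.append(f"[REDACTED:{kind}:len={end - start}]")
        events.append({"kind": kind, "length": end - start})
        pos = end
    out.append(text[pos:])
    return "".join(out), events

# Constructed sample: a public test card number, AWS's documentation
# example key ID, and an order number that fails the Luhn check.
SAMPLE = ("Refund card 4111 1111 1111 1111 for jane.doe@example.com, "
          "key AKIAIOSFODNN7EXAMPLE, order 1234567890123456")
```

Only the redacted text goes on to the model, and only the events list goes to the audit log, so neither holds a copy of the original values.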

Challenges

1. Injection through retrieved content
   Prompt injection and jailbreaks arrive via retrieved documents and tool descriptions, not just the user’s message.
2. Sensitive-data disclosure
   PII, PHI, card numbers, and secrets pass through prompts, responses (including streaming), tool calls, and RAG chunks.
3. Off-box scanning exposure
   Hosted scanners require sending your prompts off-box, creating data-residency and DPDP/GDPR risk.
4. Latency and token cost of safety
   Checks that route through an external model add per-call latency and billing.
5. Inconsistent enforcement
   No single policy set covers all the points where an AI request can be manipulated.

Solutions

1. Five-stage Guardrails
   Evaluate input prompts, model outputs, tool calls, MCP invocations, and retrieved RAG chunks against your policies, with a visual policy builder and OWASP LLM Top 10 + Agentic ASI Top 10 packs.
2. Inline PII/PHI/secret redaction
   Rewrites sensitive data at the request, response (including streaming deltas), MCP-tool, and RAG boundaries with presets.
3. Self-hosted Dataplane
   Every detector runs inside your boundary with no data egress, removing residency concerns by construction - a strong DPDP/BFSI fit.
4. In-tree ML detectors
   DeBERTa, RoBERTa, and BERT run in-process with no provider call and no token billing, in sync / async / shadow modes.
5. Staged rollout
   Monitor → shadow → canary → enforce applies one consistent policy set across every stage, with cached guardrail evidence cloned onto cache-hit requests so verdicts stay compliant.