AI / ML Security — Detection, Trust Boundary, Governance
This section captures the security architecture used to run an AI document-intelligence
platform for legal and healthcare workflows, where every uploaded file may
contain attorney–client privileged material, protected health information, or other
regulated content. Security here is not a feature bolted on after launch — it is the
design constraint that determines how documents are ingested, where inference runs, who
can see results, and what the system remembers.
The core principle is defense in depth with policy-driven routing: every
document is classified by sensitivity on ingest, redacted before any model ever sees it,
encrypted everywhere it lives, and routed to the model tier that its classification
permits — never left to user discretion. Every query and retrieval is recorded with
enough context to reconstruct "who saw what, when, and why" during a compliance review.
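As a sketch of this policy-driven routing, classification decides the model tier and the user never does. All names, tiers, and provider labels below are illustrative assumptions, not the platform's actual identifiers:

```python
from enum import Enum

class Sensitivity(Enum):
    PUBLIC = 1
    INTERNAL = 2
    PRIVILEGED = 3  # attorney-client privileged material, PHI

# Hypothetical policy table: the highest sensitivity each provider may handle.
# Ordered least-restricted first, so routing prefers cheaper external tiers
# whenever policy permits.
PROVIDER_CEILING = {
    "external-api": Sensitivity.INTERNAL,
    "vpc-hosted": Sensitivity.INTERNAL,
    "on-prem": Sensitivity.PRIVILEGED,
}

def route(sensitivity: Sensitivity) -> str:
    """Return the first provider whose policy ceiling admits the document.

    The decision is made from the ingest-time classification alone;
    user preference is never consulted.
    """
    for provider, ceiling in PROVIDER_CEILING.items():
        if sensitivity.value <= ceiling.value:
            return provider
    raise PermissionError("no provider is permitted for this sensitivity tier")
```

Under this table, a privileged matter can only ever resolve to the on-prem tier, which is the "pinning" behavior the principle describes.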
Design Pillars
- Ingest-time redaction — PII and privileged content are detected
  and masked before any text is persisted, embedded, or sent to an external
  model provider.
- Encryption at rest and in transit — AES-256 for storage,
  TLS 1.3 for every network hop, envelope encryption with customer-managed keys.
- Role-based access control aligned to matter management —
  RBAC mirrors the legal team's matter-centric org model with per-matter ACLs
  and ethical-wall enforcement.
- Full audit logging — every query, retrieval, and model call
  recorded in append-only, hash-chained logs signed for compliance review.
- Provider routing by sensitivity tier — a policy layer
  classifies each request and pins privileged matters to the on-prem model by
  policy rather than user discretion.
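The first pillar, ingest-time redaction, can be sketched as a mask-before-persist step. The detectors and placeholder format below are illustrative assumptions; a production pipeline would pair such patterns with trained NER models rather than rely on regexes alone:

```python
import re

# Illustrative pattern detectors only (hypothetical, not the platform's set).
# Placeholders keep the entity type so downstream steps know what was removed.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

def redact(text: str) -> str:
    """Mask detected PII before the text is persisted, embedded,
    or sent to any model provider."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text
```

Because masking happens before persistence or embedding, nothing downstream (vector store, logs, external model) ever holds the raw identifiers.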
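The audit-logging pillar's hash chaining can be sketched as follows: each entry commits to the hash of its predecessor, so altering any historical entry breaks verification of everything after it. This is a minimal illustration (field names are assumptions, and the compliance signing step the pillar mentions is omitted):

```python
import hashlib
import json
import time

GENESIS = "0" * 64

class AuditLog:
    """Append-only, hash-chained log of queries, retrievals, and model calls."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def record(self, who: str, what: str, why: str) -> dict:
        # Each entry embeds the previous entry's hash, forming the chain.
        entry = {"who": who, "what": what, "why": why,
                 "ts": time.time(), "prev": self._prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; any tampering breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True
```

The `who`/`what`/`why` fields correspond to the "who saw what, when, and why" reconstruction a compliance review needs; a signature over the chain head would add non-repudiation on top.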
Subsections
- Detection & Transformation
- Trust Boundary & Inference-Time Protection
- Governance & Lifecycle