PII Detection

Rivano’s PII detection engine scans every AI request and response in real-time, identifying sensitive data before it reaches providers or leaves your infrastructure. Combined with governance policies, you can block, redact, or flag PII automatically.

Enabling PII Detection

PII detection is enabled per-agent or globally via a policy. To enable it for a specific agent, create a policy targeting that agent:

name: detect-pii-all-traffic
description: Scan all inbound and outbound traffic for PII
status: active
priority: 5

conditions:
  direction: both
  agents:
    - agent_abc123

pii_detection:
  enabled: true
  categories:
    - ssn
    - credit_card
    - email
    - phone
    - name
    - address

action: log

To redact PII instead of just logging it:

name: redact-pii-inbound
description: Redact PII before sending to AI providers
status: active
priority: 5

conditions:
  direction: inbound
  pii_types:
    - ssn
    - credit_card

action: redact
redaction:
  replacement: "[REDACTED]"
  preserve_format: false

With preserve_format: true, a credit card like 4111-1111-1111-1111 becomes ****-****-****-1111 (last four preserved). With false, it becomes [REDACTED].

Detection Categories

Rivano’s detection engine recognizes the following PII categories:

| Category | Examples | Confidence |
|---|---|---|
| ssn | 123-45-6789, 123456789 | High |
| credit_card | 4111 1111 1111 1111, 5500-0000-0000-0004 | High |
| email | user@example.com | High |
| phone | +1 (555) 123-4567, 555.123.4567 | Medium-High |
| name | Person names identified via NER | Medium |
| address | Street addresses, ZIP codes | Medium |
| ip | 192.168.1.1, 2001:db8::1 | High |

Each detection includes a confidence score (0-1). By default, only detections above 0.7 trigger policy actions. Adjust the threshold in your policy:

pii_detection:
  enabled: true
  confidence_threshold: 0.8  # stricter — fewer false positives
  categories:
    - ssn
    - credit_card

Viewing PII Events

Dashboard

Navigate to Traces → PII Events to see a filtered view of all traces where PII was detected. Each event shows:

  • Trace ID — link to the full trace detail
  • Category — the type of PII detected (e.g., ssn, email)
  • Direction — whether PII was in the inbound request or outbound response
  • Action taken — what the policy did (logged, redacted, blocked)
  • Span — the exact text position where PII was found
  • Confidence — detection confidence score

API

Query PII events programmatically:

curl "https://api.rivano.ai/v1/traces?has_pii=true&since=2025-12-01" \
  -H "Authorization: Bearer rv_live_abc123"

Each trace in the response includes a pii_detections array:

{
  "pii_detections": [
    {
      "category": "ssn",
      "confidence": 0.98,
      "direction": "inbound",
      "action": "redacted",
      "position": { "start": 45, "end": 56 },
      "original_length": 11
    }
  ]
}

Note: when PII is redacted, the original text is not stored — only the category, position, and length are retained for audit purposes.
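The following is an added example, not Rivano's own code: it shows how a policy's confidence_threshold and redaction settings (from the Enabling PII Detection section) act on a piece of text, using detections in the same shape as the pii_detections array above, and how the resulting audit record keeps only category, position and length. The sample text, the detections and the policy dicts are constructed; applying the last-four rule of preserve_format to SSNs as well as credit cards is an assumption.

```python
"""Added example (not Rivano's own code): apply a policy's confidence
threshold and redaction settings to text, using detections in the shape of
the pii_detections array above. All sample data is constructed."""

ACTION_LABEL = {"log": "logged", "redact": "redacted", "block": "blocked"}

def mask_keep_last4(original: str) -> str:
    """preserve_format: keep separators and the last four digits, mask the rest.
    The page shows this for credit cards; applying it to SSNs is an assumption."""
    total = sum(c.isdigit() for c in original)
    out, seen = [], 0
    for c in original:
        seen += c.isdigit()
        out.append(c if not c.isdigit() or seen > total - 4 else "*")
    return "".join(out)

def apply_policy(text: str, detections: list, policy: dict) -> tuple:
    """Return (new_text, audit_records); records never carry the original text."""
    threshold = policy.get("pii_detection", {}).get("confidence_threshold", 0.7)
    action = policy.get("action", "log")
    redaction = policy.get("redaction", {})
    replacement = redaction.get("replacement", "[REDACTED]")
    preserve = redaction.get("preserve_format", False)
    records = []
    # Walk right-to-left so earlier offsets stay valid as the text changes length.
    for d in sorted(detections, key=lambda d: d["position"]["start"], reverse=True):
        if d["confidence"] < threshold:
            continue  # below threshold: no policy action, nothing recorded
        s, e = d["position"]["start"], d["position"]["end"]
        if action == "redact":
            masked = mask_keep_last4(text[s:e]) if preserve else replacement
            text = text[:s] + masked + text[e:]
        records.append({"category": d["category"], "confidence": d["confidence"],
                        "direction": d["direction"], "action": ACTION_LABEL[action],
                        "position": {"start": s, "end": e}, "original_length": e - s})
    return text, records[::-1]  # back to document order

# Constructed inbound prompt and detections (same shape as the API returns).
SAMPLE_TEXT = "Customer card 4111-1111-1111-1111, SSN 123-45-6789, ok to proceed?"
SAMPLE_DETECTIONS = [
    {"category": "name", "confidence": 0.55, "direction": "inbound",
     "position": {"start": 0, "end": 8}},  # under the default 0.7 threshold
    {"category": "credit_card", "confidence": 0.97, "direction": "inbound",
     "position": {"start": 14, "end": 33}},
    {"category": "ssn", "confidence": 0.91, "direction": "inbound",
     "position": {"start": 39, "end": 50}},
]
REDACT_POLICY = {"action": "redact",
                 "redaction": {"replacement": "[REDACTED]", "preserve_format": True}}
```

Calling apply_policy(SAMPLE_TEXT, SAMPLE_DETECTIONS, REDACT_POLICY) yields the masked text and two audit records (the name detection at 0.55 is dropped by the default 0.7 threshold); switching preserve_format to False gives the [REDACTED] form.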

Best Practices

  1. Start with log action — deploy PII detection in monitoring mode first to understand your baseline before enabling blocking or redaction.

  2. Layer policies by severity — block SSNs and credit cards (high risk), redact emails and phone numbers (medium risk), log names and addresses (low risk).

  3. Set per-agent policies — customer-facing agents may need stricter PII rules than internal analytics agents.

  4. Review false positives weekly — tune confidence thresholds based on your actual traffic patterns.

  5. Combine with content policies — PII detection works alongside regex pattern matching for custom sensitive data formats (employee IDs, internal codes, etc.).