Safer Reasoning Traces: Measuring and Mitigating Chain-of-Thought Leakage in LLMs
Summary
Chain-of-Thought (CoT) prompting improves LLM reasoning but significantly increases privacy risk by resurfacing personally identifiable information (PII) into reasoning traces and outputs, even when models are instructed against it. A model-agnostic framework defines leakage as risk-weighted, token-level events across 11 PII types, tracing leakage curves based on the allowed CoT budget. This framework compares open- and closed-source model families on a structured PII dataset with a hierarchical risk taxonomy. Findings indicate CoT consistently elevates leakage, particularly for high-risk categories, and that leakage is strongly dependent on the model family and budget, with increasing budgets either amplifying or attenuating leakage. Lightweight inference-time gatekeepers, including a rule-based detector, a TF–IDF + logistic regression classifier, a GLiNER-based NER model, and an LLM-as-judge, were benchmarked using risk-weighted F1, Macro-F1, and recall. No single method proved dominant, suggesting the need for hybrid, style-adaptive gatekeeping policies.
Key takeaway
For Machine Learning Engineers deploying LLMs with Chain-of-Thought prompting, recognize that this technique consistently elevates personally identifiable information leakage, even with explicit instructions. You must implement hybrid, style-adaptive gatekeeping policies to balance utility and privacy risk, as no single mitigation method is universally effective across models or reasoning budgets. Consider the specific model family and CoT budget when designing your PII protection strategy.
Key insights
Chain-of-Thought prompting consistently elevates personally identifiable information leakage in LLMs, requiring adaptive mitigation strategies.
Principles
- CoT prompting increases PII leakage, even with explicit instructions.
- Leakage is dependent on model family and CoT budget.
- Increasing CoT budget can either amplify or attenuate PII leakage.
Method
A model-agnostic framework defines leakage as risk-weighted, token-level events across 11 PII types, tracing curves based on CoT budget and comparing models on a hierarchical risk taxonomy.
In practice
- Benchmark gatekeepers like rule-based detectors or NER models.
- Implement hybrid, style-adaptive gatekeeping policies.
Topics
- Large Language Models
- Chain-of-Thought
- PII Leakage
- Privacy Risk
- Inference-time Mitigation
- Gatekeeping Policies
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, Machine Learning Engineer, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Paper Index on ACL Anthology.