Safer Reasoning Traces: Measuring and Mitigating Chain-of-Thought Leakage in LLMs

· Source: Paper Index on ACL Anthology · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

Chain-of-Thought (CoT) prompting improves LLM reasoning but significantly increases privacy risk by resurfacing personally identifiable information (PII) into reasoning traces and outputs, even when models are instructed against it. A model-agnostic framework defines leakage as risk-weighted, token-level events across 11 PII types, tracing leakage curves based on the allowed CoT budget. This framework compares open- and closed-source model families on a structured PII dataset with a hierarchical risk taxonomy. Findings indicate CoT consistently elevates leakage, particularly for high-risk categories, and that leakage is strongly dependent on the model family and budget, with increasing budgets either amplifying or attenuating leakage. Lightweight inference-time gatekeepers, including a rule-based detector, a TF–IDF + logistic regression classifier, a GLiNER-based NER model, and an LLM-as-judge, were benchmarked using risk-weighted F1, Macro-F1, and recall. No single method proved dominant, suggesting the need for hybrid, style-adaptive gatekeeping policies.

Key takeaway

For Machine Learning Engineers deploying LLMs with Chain-of-Thought prompting, recognize that this technique consistently elevates personally identifiable information leakage, even with explicit instructions. You must implement hybrid, style-adaptive gatekeeping policies to balance utility and privacy risk, as no single mitigation method is universally effective across models or reasoning budgets. Consider the specific model family and CoT budget when designing your PII protection strategy.

Key insights

Chain-of-Thought prompting consistently elevates personally identifiable information leakage in LLMs, requiring adaptive mitigation strategies.

Principles

Method

A model-agnostic framework defines leakage as risk-weighted, token-level events across 11 PII types, tracing curves based on CoT budget and comparing models on a hierarchical risk taxonomy.

In practice

Topics

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Paper Index on ACL Anthology.