OpenAI Privacy Filter vs. a Security Gateway: Why a Model Isn't a Product

April 23, 2026·8 min read·security

TL;DR

OpenAI Privacy Filter is an open-weight ML model that detects PII in text. It's good at what it does. But it only covers one provider, doesn't block anything, doesn't enforce spend limits, doesn't detect prompt injection, and requires you to build your own integration. A security gateway does all of that across every provider, out of the box.

What OpenAI Actually Released

Alongside the GPT-5.5 launch, OpenAI released Privacy Filter — a 1.5 billion parameter, open-weight model specifically trained to detect personally identifiable information in text. It's available on HuggingFace under a permissive license.

Privacy Filter is genuinely impressive as a detection model. It uses context-aware ML inference rather than regex or NER, which means it can understand when "John Smith" is a person versus a product name. This is a real advancement over pattern-matching approaches.

But here's the critical distinction: a model that detects PII is not the same as a system that enforces data policy.

What a Model Gives You

Privacy Filter gives you a function: you pass in text, you get back labeled entities. That's it. Everything else is your responsibility:

  • You integrate it into your request pipeline
  • You decide what to do when PII is detected (block? redact? log?)
  • You handle the latency impact of running a 1.5B parameter model
  • You manage the model lifecycle (updates, GPU allocation, scaling)
  • You ensure fail-closed behavior when the model is unavailable
  • You build this separately for every LLM provider you use
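To make the gap between detection and enforcement concrete, here is an added example (not code from OpenAI, AISG or this post) of the policy layer a gateway must wrap around any detector: it decides allow/redact/block, fails closed when the model is unreachable, and applies the same rule whatever provider the prompt is bound for. The detector is a constructed regex stand-in, not Privacy Filter's real interface, and `enforce`, `send` and the policy names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Entity:
    start: int   # character offset where the PII span begins
    end: int     # offset one past the span's last character
    label: str   # entity type, e.g. "EMAIL"


class DetectorUnavailable(Exception):
    """Raised when the detection model cannot be reached (GPU down, timeout)."""


def stub_detector(text: str) -> List[Entity]:
    # Constructed stand-in for a PII model (NOT Privacy Filter's API): an
    # e-mail regex is enough to exercise the policy layer built around it.
    return [Entity(m.start(), m.end(), "EMAIL")
            for m in re.finditer(r"[\w.+-]+@[\w-]+\.[\w.]+", text)]


def enforce(text: str, detect: Callable[[str], List[Entity]],
            policy: str = "redact") -> Tuple[str, str]:
    """Apply a data policy to an outbound prompt before any provider sees it.

    Returns (action, text_to_forward), where action is "allow" (no PII,
    forward unchanged), "redact" (spans replaced by [LABEL] placeholders)
    or "block" (request dropped, empty string returned).
    Fail-closed: if the detector is unavailable the request is blocked
    rather than forwarded unscanned.
    """
    try:
        entities = detect(text)
    except DetectorUnavailable:
        return "block", ""
    if not entities:
        return "allow", text
    if policy == "block":
        return "block", ""
    out = text
    # Replace from right to left so earlier offsets stay valid.
    for e in sorted(entities, key=lambda e: e.start, reverse=True):
        out = out[:e.start] + f"[{e.label}]" + out[e.end:]
    return "redact", out


def send(provider: str, prompt: str, policy: str = "redact",
         detect: Callable[[str], List[Entity]] = stub_detector) -> dict:
    """Provider-agnostic entry point: one policy, applied to every backend."""
    action, forwarded = enforce(prompt, detect, policy)
    # A real gateway would forward `forwarded` to `provider` here; this
    # example returns the decision so the policy layer is testable alone.
    return {"provider": provider, "action": action, "prompt": forwarded}
```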

What a Security Gateway Gives You

A security gateway like AISG is a complete enforcement layer that sits between your application and every LLM provider. It handles:

| Capability | Privacy Filter | AISG |
|---|---|---|
| PII detection | ML-based (1.5B params) | Rule + NER + regex |
| Automatic redaction | No (detection only) | Yes |
| Prompt injection blocking | No | Yes (5+ patterns) |
| Secret detection | No | Yes (API keys, AWS creds, etc.) |
| Multi-provider support | OpenAI only | 8+ providers, 300+ models |
| Spend enforcement | No | Per-project caps + alerts |
| Smart cost routing | No | Yes (cheapest per request) |
| Fail-closed behavior | You build it | Built-in |
| Self-hosted option | Model only (you build the infra) | Full stack via Docker |
| Deployment time | Days (integration work) | 60 seconds |

The "Locked to One Vendor" Problem

Privacy Filter is designed for the OpenAI ecosystem. If you use it to scan prompts going to GPT-5.5, great. But what about your Claude calls? Your Gemini calls? Your open-source Llama deployments on Groq?

Most production teams use multiple providers — for cost optimization, latency requirements, or specific model capabilities. A PII model that only covers one provider leaves gaps in your security posture for every other call.

AISG intercepts every request regardless of which provider it's going to. One policy, consistent enforcement, zero blind spots.

They're Complementary, Not Competing

The honest take: Privacy Filter's ML-based detection is genuinely better at catching context-dependent PII than regex patterns. When "Baker Street" is an address versus a cultural reference, a 1.5B parameter model will get it right more often.

That's why we're exploring Privacy Filter as a dual-layer enhancement in AISG Cloud — running alongside Presidio to catch what rule-based detection misses, while Presidio handles the blocking, redaction, and enforcement.

The model is the detection engine. The gateway is the policy engine. You need both.

What You Should Actually Do

  1. Don't trust black-box safety. Even if your provider offers built-in PII screening, you should verify it with an independent layer you control. "The provider says they redact PII" is not an audit trail.
  2. Enforce policy before data leaves your system. A model that runs at the provider means your data has already reached the provider. A gateway intercepts it before it leaves.
  3. Cover all providers consistently. Your DLP policy shouldn't change depending on which model you're calling. One governance layer, applied everywhere.
  4. Self-host if you can. For the highest assurance, run the security layer in your own infrastructure. No data leaves your VPC, period.

Using GPT-5.5? Add a governance layer before it.

AISG sits between your app and every LLM to enforce PII redaction, prompt injection blocking, and spend limits — across all providers.

Want to self-host this?

AI Security Gateway is open source. Deploy the core AI security proxy on your own infrastructure — PII redaction, prompt injection blocking, and secret detection included. No account required.
