Cisco engineer questions whether enterprise AI agents should strip PII before ingestion

Enterprise AI agents are turning a pretty old privacy question into a much more practical engineering one: where do you strip sensitive data? Before the model sees it? After the system logs it? Or not at all, if governance is strong enough? That question surfaced publicly this week when Cisco engineer Brad Bonin pushed on whether agent pipelines should remove PII before ingestion, while others pointed back to OpenAI’s newer governance playbook. The real story is not a fight over one best practice. It’s that agent builders are discovering privacy controls and observability controls can pull in opposite directions. ### Why is this suddenly a live issue? Because agents are not just chatbots anymore. They search internal systems, call tools, hand work to other agents, and leave traces across logs, analytics, and compliance systems. Once that happens, a customer email address or account number is not sitting in one prompt. It can propagate through the whole workflow. That makes “just redact it later” a much weaker answer than it used to be. (developers.openai.com) ### What does “strip PII before ingestion” actually mean? It means putting a privacy filter at the front door. User text, uploaded files, or tool outputs get scanned before they reach the model or the orchestration layer. Sensitive fields get removed, masked, or tokenized first. Microsoft’s Presidio sample shows this exact pattern for OpenAI workflows — anonymize before sending, then de-anonymize later if the business process really needs the original values back. (developers.openai.com) ### So why wouldn’t everyone do that? Because agents often need the original context to do useful work. If you strip names, addresses, claim numbers, or employee IDs too aggressively, the agent can lose the thread. A support agent may not be able to look up the right case. A finance agent may not match the right customer. Redaction protects privacy, but it can also break function — especially in multi-step workflows where tools expect exact identifiers. (microsoft.github.io) ### What is the other camp arguing? Basically: governance beats blind scrubbing. OpenAI’s recent enterprise and developer material leans hard into policy enforcement, tracing, and auditability. The governed-agents cookbook describes pre-flight guardrails, centralized policy enforcement, and full tracing across handoffs. Codex governance docs make the same point from the operations side — detailed logs, analytics, and compliance exports are there so teams can monitor usage, investigate incidents, and prove controls exist. (microsoft.github.io) ### Isn’t that a privacy risk by itself? Yes — that’s the catch. Better observability can mean more sensitive data lands in traces, logs, or downstream systems unless those systems are also locked down. OpenAI’s enterprise privacy page tries to answer part of that concern: business data is not used for training by default, retention can be controlled in some products, and admins get access controls and enterprise security features. But that still leaves the customer responsible for deciding what data should enter the workflow in the first place. (developers.openai.com) ### What’s the practical compromise? Most teams will not choose pure redaction or pure logging. They’ll split the stack. High-risk PII gets filtered or tokenized at ingress. Policy guardrails run before and after model calls. Traces stay on, but with minimization rules for what gets exported or retained. That is basically where the industry is heading — privacy at the edge, governance through the middle, and audit controls at the end. (openai.com) ### Why does Cisco matter here? Because Cisco is not talking about toy demos. It is already working with OpenAI on enterprise engineering agents, which makes this debate feel like a deployment question, not a thought experiment. When engineers inside companies like Cisco ask where PII should be stripped, they are really asking how to make agents usable without creating a compliance mess. ### Bottom line? (developers.openai.com) The argument is not “privacy versus AI.” It’s where to place the control. Strip too early and the agent gets dumb. Strip too late and your audit trail becomes your liability. The winning enterprise pattern will probably be selective tokenization up front, plus strong tracing and governance everywhere else. (openai.com)