AI Agent Exposed Customer PII in Its Output
An AI agent debugging a user authentication issue included real customer email addresses, phone numbers, and partial credit card numbers in its debugging output — which was logged to a shared monitoring dashboard accessible by 40 employees. SafeClaw by Authensor prevents this by gating data access at the read level and blocking output that matches PII patterns, ensuring customer data never enters the agent's context unnecessarily.
The Incident: PII in Plain Sight
Context: An AI debugging agent was tasked with investigating why certain users could not log in. It had read access to application logs and the database.
Sequence of events:
- The agent queried the database: SELECT * FROM users WHERE login_failed = true ORDER BY last_attempt DESC LIMIT 50
- The query returned full user records including email, phone, payment_method_last4, and address
- The agent included these records in its analysis output: "Found 50 affected users. Example: john.doe@email.com, phone: +1-555-0142, card ending 4829..."
- This output was streamed to the team's shared Datadog dashboard
- The dashboard was accessible to 40 employees, including contractors without background checks
- A routine compliance audit discovered the PII exposure 5 days later
Regulatory consequence: The company self-reported to the Data Protection Authority. They were required to notify all 50 affected users, conduct a full data protection impact assessment, and implement technical controls to prevent recurrence.
How SafeClaw Prevents This
SafeClaw operates at two levels: it blocks the overly broad database query before it runs, and it can flag output containing PII patterns before that output reaches any downstream system. The query-level gate is the one to rely on: pattern matching on output catches well-formed identifiers such as email addresses and card numbers, but not a customer's name or a free-text address, so output scanning is a tripwire behind column gating rather than a substitute for it.
Quick Start
npx @authensor/safeclaw
Policy for PII Protection
# safeclaw.config.yaml
rules:
# Block SELECT * on tables containing PII
- action: database.query
query_pattern: "SELECT * FROM users*"
decision: deny
reason: "Full user record queries are blocked — select only needed columns"
- action: database.query
query_pattern: "SELECT * FROM customers*"
decision: deny
reason: "Full customer record queries are blocked"
# Allow specific column queries for debugging
- action: database.query
query_pattern: "SELECT id, login_failed, last_attempt FROM users*"
decision: allow
# Block reading PII-containing log files
- action: file.read
path: "*/logs/auth.log"
decision: deny
reason: "Auth logs may contain PII — use sanitized log views"
# Block reading customer data exports
- action: file.read
path: "*/exports/customers"
decision: deny
reason: "Customer data exports are restricted"
Prevention at the Query Level
The agent never sees PII because the query itself is blocked:
{
"action": "database.query",
"query": "SELECT * FROM users WHERE login_failed = true",
"decision": "deny",
"reason": "Full user record queries are blocked — select only needed columns",
"suggested_alternative": "SELECT id, login_failed, last_attempt FROM users WHERE login_failed = true",
"audit_hash": "sha256:d9a3..."
}
The agent can still debug the login issue — but it only gets non-PII columns like id, login_failed, and last_attempt.
Why SafeClaw
- 446 tests cover PII column patterns, table-level restrictions, and query rewriting suggestions across PostgreSQL, MySQL, and MongoDB query formats
- Deny-by-default ensures new tables containing PII are automatically blocked until an explicit allow rule is created
- Sub-millisecond evaluation means the PII check does not slow down debugging workflows
- Hash-chained audit trail provides evidence of every query the agent attempted — critical for demonstrating compliance during audits
PII Columns to Block by Default
At minimum, deny agent access to columns containing:
| Column Pattern | Category |
|---------------|----------|
| email, email_address | Personal identifier |
| phone, mobile, tel | Personal identifier |
| ssn, social_security | Government ID |
| password, password_hash | Credential |
| card_number, payment_* | Financial data |
| address, street, zip | Location data |
| date_of_birth, dob | Personal data |
| ip_address | Pseudonymous identifier |
Related Pages
- Compliance: GDPR and AI Agents
- AI Agent Sent Database Contents to External Server
- Compliance: HIPAA Agent Safeguards
- Prevent Agent Data Exfiltration
- AI Agent Leaked My API Keys
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw