Start with the threat model
Before selecting a privacy architecture, you need to understand what you are protecting against. "Privacy" is not a single requirement: it is a spectrum of threats, and different architectures defend against different threats.
Threat 1: Data exfiltration via AI provider. Your data is sent to a third party (the AI provider) who could store it, log it, use it for training, or be compelled by law enforcement to disclose it. Even with contractual protections, the data has been on their infrastructure.
Threat 2: Data exposure during transit. Data is intercepted between your systems and the AI provider. TLS mitigates this for internet-facing APIs, but the risk increases in complex network topologies.
Threat 3: Unauthorised internal access. An employee accesses AI-processed data they should not have access to. The AI system becomes a side channel for accessing restricted information.
Threat 4: Model output leakage. The model's responses reveal information from its training data or from other users' queries (in multi-tenant systems). Prompt injection attacks could cause the model to disclose system prompts or context from other sessions.
Threat 5: Regulatory non-compliance. The AI processing itself creates a compliance violation, even if no data is actually misused. The act of sending data to external infrastructure may violate regulations regardless of what the recipient does with it.
Threat 6: Inference about individuals. The AI system infers sensitive attributes (health status, political views, financial situation) from seemingly innocuous data, creating derived data that is itself subject to privacy regulations.
Not every organisation faces all six threats. A marketing team using AI on public data faces mainly threat 3. A healthcare organisation processing patient records faces all six. Your architecture should be proportional to your actual threat profile.