Presenters

Source

Privacy-Aware Infrastructure: The AI Native Era’s Secret Sauce for Better Architecture 🚀

Hey tech enthusiasts! Amrit Raj here, and today we’re diving deep into a topic that might sound a little counterintuitive at first: privacy as a driving force for better architecture. In this AI-native era, building with privacy in mind isn’t just about ticking compliance boxes; it’s about creating systems that are more adaptable, more deterministic, and ultimately, more reliable. Let’s explore how we’re making this a reality!

From AI-Assisted to AI-Native Infrastructure 💡

We’ve come a long way. Previously, we explored how Generative AI (GenAI) accelerated privacy workflows by assisting humans with faster reviews and continuous validation. Then, we discussed scaling privacy infrastructure to keep pace with rapid GenAI-driven product development. Today, we’re taking the next leap: moving from AI helping humans to AI-native infrastructure that makes robust, replayable enforcement decisions on its own. Our concrete example for this journey? Asset classification.

The Four Pillars of Privacy-Aware Infrastructure 🏗️

Before we get into the nitty-gritty of asset classification, let’s quickly outline our recipe for privacy-aware infrastructure, focusing on purpose limitation. It’s built upon four key workflows:

  1. Understand: This is where we pinpoint the data that needs our protection.
  2. Discover: Once we know what data to protect, we need to understand its origin and where it flows.
  3. Enforce: With a complete picture of our data’s journey, how do we prevent regressions in our privacy requirements?
  4. Demonstrate: How do we ensure our systems continuously meet privacy mandates and provide a clear audit trail?

Today, our spotlight is squarely on the Understand workflow, specifically how we classify different assets to ensure downstream enforcement and demonstration are accurate and reliable.

The Sheer Scale of the Problem: Data Flow Graphs 📊

Let’s ground ourselves with a visualization. Imagine a data flow graph with 100,000 nodes downstream from a single Hive table column! Each node represents a table column, log field, ML feature, or pipeline stage carrying data derived from the source. This is already pushing the limits of human visual comprehension, and it’s a small subset of the problem scale we’re tackling.

When we zoom in, these nodes represent everything from database columns and log fields to ML features and new AI-native modalities like audio, vision, embeddings, sensor data, and feedback loops. These new data types are shipping faster than manual review can keep up, making classification crucial.

The High Stakes of Classification ⚠️

Getting classification wrong has serious consequences:

  • Incorrect Enforcement: Blocking the wrong data flow can break product features.
  • Permitting the Unacceptable: Failing to identify sensitive data can lead to privacy breaches.
  • Missing Privacy Requirements: If a category is missed, the associated privacy mandate is also missed.
  • No Auditability: Without proper tracing, demonstrating compliance becomes impossible.

Classification is the bedrock of our privacy workflows. Get it wrong, and everything that follows can crumble.

Our End-to-End Classification Pipeline 🛠️

Our classification pipeline is triggered by events like schema changes, code changes, or configuration updates. It then fetches context from various sources: lineage graphs, ownership metadata, annotations, ML features, code search results, and more.

A critical step before data reaches the classifier is masking and sanitization. This prevents circular reasoning – ensuring the label we’re predicting isn’t present in the data we’re using to predict it.

The pipeline then proceeds in two paths:

  1. Deterministic Rules: These handle the initial pass at classification.
  2. LLM Fallback: Whatever the rules can’t handle is passed to the LLM.

Both paths produce the same output: a category confidence score and the decision path used. All of this is stored as versioned evidence for replay and auditing.

The Core Problem: Noisy Signals to Crisp Decisions 🎯

On one side, we have noisy signals: ambiguous names, incomplete lineage, shifting ownership, and scanner false positives. On the other, we desire a crisp output: a robust decision with a confidence score and a traceable path to that decision. Our system’s job is to transform these weak, individual signals into strong, reliable decisions, tracking which signals are consistently informative and separating them from the noise.

Three Key Challenges We Faced 🥊

Let’s dive into the three main challenges we encountered and our learnings:

Challenge 1: Signals Can Be Incredibly Noisy 🙉

  • The Problem: Dumping all context (lineage, code, schema, names, data samples) into a model forces it to constantly rediscover what’s important. This leads to ballooning token usage, diluted attention across noise, and blurred decision boundaries where misleading or circular fields slip through unnoticed.
  • The Solution: Structured Evidence Briefs! Instead of raw context dumps, we produce ranked signal summaries. Each field gets a policy indicating its usefulness, conditional usefulness, or if it’s a circular field to be masked. This “evidence brief” surfaces top supporting and contradicting signals, providing the decision engine with focused, high-quality input. The model no longer has to guess; we tell it what matters.

Challenge 2: Severe Drift and Variability 🔄

  • The Problem: Our iteration metrics rely on labels that are noisy and shift over time. Batch-to-batch variations and system changes mean optimizing against shifting ground truth makes us chase a moving target, not track real progress. Regressions can ship to production because our evaluation sites no longer reflect reality.
  • The Solution: Multi-Judge LLM Evals & Human Review! We set up a system to perform evals on samples from every batch. Three LLM judges, using different framings (direct classification, critique-then-classify, metadata-only), evaluate each asset. These judges share a model deliberately different from the classifier to ensure diversity. We measure agreement using Cohen’s Kappa. When judges disagree, a human review gate breaks ties, and their decisions update the ground truth reference set. When they agree, it’s marked for potential promotion to a frozen reference set. This ensures only reviewed outcomes update our ground truth.

Challenge 3: The Sheer Scale of Assets 📈

  • The Problem: Millions upon millions of assets mean LLM calls can take seconds, consume significant tokens, and produce probabilistic outputs that are hard to reproduce. Classifying everything with LLMs would lead to hours of wall clock time, massive compute bills, and auditability nightmares (“Why did it behave differently?”). We need millisecond latency and deterministic decisions for common cases, reserving LLMs for truly challenging scenarios.
  • The Solution: Distilling LLMs to Generate Rules! Our approach is to use LLMs to put LLMs out of business for common patterns. This is called distillation:
    1. Stable Patterns: Identify consistent LLM classifications.
    2. Propose Rules: Generate exact rules (regex, heuristics, field value matches).
    3. Validate: Test rules against a holdout set. Block list ineffective ones.
    4. Shadow Mode: Run rules in logging mode, comparing outputs to LLM predictions.
    5. Promote: If shadow mode confirms stability, graduate the rule to our ruleset. Every promoted rule shrinks the LLM surface area. The end state: LLMs handle only genuinely ambiguous cases, while common patterns run at millisecond latency, are fully deterministic, replayable, and auditable.

Key Learnings: Scars Behind the Principles ✨

We learned some valuable lessons, often the hard way:

  • Masking is a System-Wide Invariant: Initially, we treated masking as a prompt concern. Rules processed unmasked fields, hindering coverage. The fix? Both rules and LLMs now evaluate on the same masked context. This dramatically improved rule coverage and reduced LLM usage.
  • Context is Greater Than Prompts: Surprisingly, prompt optimization alone hit accuracy ceilings. Investing in improving the quality and structure of the context (like code resolution) was the key to breaking through. The lesson: Invest in context before touching the prompt.
  • No Oscillation Detection: Our optimization loop bounced between prompts for dozens of iterations, burning compute. The fix: A Kappa-based tuning controller to detect and prevent oscillation.

Guiding Principles for Success 🧭

These learnings solidified into three core principles:

  1. Context is Greater Than Prompts: Focus on providing rich, structured context to your models.
  2. Decouple Eval from Optimization: Your evaluation setup and panel must be independent of your classifier for accurate progress measurement.
  3. Distill to Deterministic: Use LLMs to learn stable patterns and distill them into efficient, auditable rules, shrinking the LLM surface area over time.

What’s Next? The Future is AI-Native and Privacy-First! 🌐

Our journey doesn’t stop here. We’re looking at:

  • Migrating legacy classifiers into our context-first, distillation-based system.
  • Expanding beyond classification to other privacy workflows like lineage improvement and safe enforcement rollout.
  • Applying these techniques to agent observability and oversight – the challenges of noisy signals, deterministic enforcement, and replayable auditability are universal!

Privacy-aware infrastructure isn’t a burden; it’s a catalyst for building better, more resilient systems. The AI-native era empowers us to learn rapidly with LLMs while enforcing with deterministic, replayable logic.

If you’re working on classification, lineage, enforcement, or agent oversight, I’d love to connect! Let’s build a more private and reliable future, together. Thanks for listening!

Appendix