A new arXiv preprint, published 14 July 2026, proposes turning every LLM prompt into a graph to catch privacy leaks that word-by-word sanitisers miss [S1]. The authors argue that sensitive information doesn't just live in names and phone numbers. It lives in the connections between seemingly innocent fragments. Whether a graph can actually map those connections well enough to protect real users is the question the paper raises but cannot yet answer.

The blind spot in current sanitisers

When you send a prompt to a cloud LLM, you might strip out obvious identifiers: your name, your company, your phone number. Existing sanitisers do roughly this. They scan each chunk of text, assign it a privacy score, and decide whether to mask it [S1].

The PromptGraph authors point to a gap. These tools score each chunk in isolation. They never model how chunks relate to each other [S1]. A prompt might mention "a hospital in inner-city Melbourne" and "a patient admitted last Tuesday." Neither fragment contains a name. Together, they could identify a specific person to anyone who knows the hospital's admission records.

This is contextual inference. The information isn't in any single word. It's in the links between words. Current sanitisers miss it because they never look at the relationships [S1].

How the graph works

PromptGraph turns each prompt into an attributed graph. Each node represents a span of text and carries a privacy score. Each edge represents a contextual dependency between two spans: information that, if removed, would degrade the model's ability to produce a useful answer [S1].

The sanitisation process becomes an optimisation problem. The system selects which spans to protect by maximising privacy gain while penalising the loss of contextual dependencies [S1]. In plain terms: it masks the fragments that leak the most privacy while preserving the connections the LLM needs to give a useful response.

Protected spans are sanitised locally, on the user's side. Placeholders travel to the LLM in their place. When the response comes back, the placeholders are restored only after passing local consistency checks [S1]. The real sensitive data never leaves the user's machine in cleartext.

The approach sits in a growing field. Pr$\varepsilon\varepsilon$mpt, a 2025 preprint, tackles sanitising sensitive prompts for LLMs [P2]. PISanitizer, an open-source tool on GitHub, uses sanitisation to prevent prompt injection in long-context models [P3]. SPIN, accepted as an ACL 2025 Oral paper, addresses the tension between fairness and privacy in LLMs [P5]. PromptGraph's specific contribution is the graph structure: modelling pairwise relationships between spans, not just individual spans.

What it means

Privacy is relational. A fact that is harmless alone can be identifying in context. Anyone who has ever been doxxed by combining three public records understands this intuitively.

PromptGraph formalises that intuition. By representing a prompt as a graph, the system can reason about which combinations of information are dangerous, not just which individual words are sensitive. This is a step beyond the find-and-replace approach that dominates current prompt privacy tools.

The trade-off is utility. Every span you mask is information the LLM can't use. The graph structure helps here: by weighting edges according to how much contextual dependency they carry, the system can prioritise masking spans that leak privacy without breaking the prompt's usefulness. The authors claim their experiments show a better privacy-utility balance than existing baselines [S1].

But the claim is unverified. The preprint contains no specific metrics in its abstract [S1]. We don't know the magnitude of the improvement, the datasets used, or the baselines compared against.

What it means for business

For a two-person law firm using a cloud LLM to draft contract summaries, prompt sanitisation is not theoretical. Every prompt sent to an external model provider potentially exposes client names and deal terms. The firm can run a local model, but local models are expensive to host and often less capable.

PromptGraph's local-sanitisation approach offers a middle path. Sensitive spans are masked before the prompt leaves the building. The LLM receives a sanitised version with placeholders. The response comes back, and the placeholders are restored locally [S1]. The cloud provider never sees the raw sensitive data.

For a suburban medical clinic using an LLM to summarise patient notes, the contextual-inference problem is acute. A sanitiser that strips "John Smith" but leaves "presented with chest pain at the Carlton clinic on 15 July" has not protected the patient. The combination of symptoms, location, and date can identify them. A graph-based approach that models the relationship between those spans could catch what a word-level tool misses.

No one should deploy this tomorrow. It is an unreviewed preprint with no published metrics and no production deployment [S1]. But the direction matters. If graph-based sanitisation proves out, it could become a standard layer between businesses and cloud LLM providers.

What we don't know yet

The preprint's abstract reports "extensive experiments" but gives no numbers [S1]. We don't know:

  • What datasets were used for evaluation
  • Which baselines were compared against
  • How much privacy improvement PromptGraph delivers over existing methods
  • How much utility is lost in the process
  • What the computational cost of building and optimising the graph is for each prompt

The paper is categorised under both cs.CR (cryptography and security) and q-fin.GN (quantitative finance general) on arXiv [S1]. The finance categorisation is unusual for a prompt-privacy paper and may reflect an intended application domain, but the abstract does not mention finance specifically.

No independent researchers have replicated the results. The method has not been peer-reviewed [S1]. It has not been deployed in any production system.

The next concrete signal to watch: whether the authors release code and data, and whether the full paper contains the quantitative metrics that would let others assess the claimed improvements. Until then, PromptGraph is a promising idea, not a proven tool.

If this kind of plain-English decode is what you want from AI coverage, the subscribe button is right there.

Sources

More from Not A Tech Guy


Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.