Context Minimization

The simplest exfiltration prevention is also the most effective: do not put sensitive data in the context window in the first place. Context minimization is the discipline of including only the data the model needs for the current task — nothing more. If the model needs a customer's name and order number, it receives the name and order number. Not the full customer record with address, phone, email, purchase history, and credit card last four digits.

1. Field-Level Filtering When retrieving data for context injection, select only the specific fields the model needs. A retrieval query that returns entire documents when the model only needs three fields is an exfiltration surface expansion. The RAG pipeline should support field-level selection, not just document retrieval.
2. Dynamic Redaction For fields that must enter the context but contain sensitive components, apply redaction before injection. Email addresses become j***@example.com. Phone numbers become ***-***-1234. The model retains enough information to reference the data without the full value being available for exfiltration.
3. Context TTL Data in the context window should have a lifetime. Conversation history that accumulates indefinitely accumulates sensitive data indefinitely. Implement context pruning that removes data from the context window after it has served its purpose — or after a fixed number of turns.