MONA explainer 13 min read

PII Redaction, Trace Sampling, and the Technical Limits of LLM Logging at Production Scale

Diagram of LLM trace pipeline showing PII redaction, sampling decision points, and audit log storage layers

ELI5

LLM logging records every prompt, completion, and decision trace your model makes — but at production volume, you cannot store all of it, cannot expose raw user data, and cannot break compliance rules. The solution is selective capture with privacy filters and structured retention policies.

Every production LLM Logging And Auditing pipeline eventually confronts the same paradox: the trace you need to debug the hallucination is almost certainly the one your sampling policy decided to discard. The interaction that triggers a compliance audit is the one that touched data you weren’t supposed to retain. Engineering teams reach for logging as the obvious answer, then discover that logging everything is not an engineering decision — it’s a legal one, a cost one, and an architectural one, all at once.

The problem is not that logging is hard. The problem is that the three constraints — capture fidelity, privacy compliance, and storage cost — pull in opposite directions, and no configuration satisfies all three simultaneously. Understanding why requires looking at the mechanism beneath the surface.

The Three-Layer Architecture of LLM Observability

LLM Observability is not a single system. It is a stack with three distinct layers, each with its own failure mode, and conflating them is where most teams run into trouble.

The bottom layer is Structured Logging: capturing the raw signal from each inference call — model name, latency, token counts, retrieved context, tool arguments, timestamps with millisecond precision. This is the substrate everything else sits on. The middle layer is Distributed Tracing: composing individual log events into coherent causal chains (what is called a trace), so you can follow a user query from the router through retrieval through model inference and back. The top layer is evaluation: attaching quality signals (hallucination scores, latency thresholds, human ratings) to those traces after the fact, so the infrastructure carries meaning, not just raw events.

What do you need to understand before implementing LLM logging in production?

Before a single line of instrumentation code gets written, two things must be settled: what you are required to keep, and what you are prohibited from keeping. These constraints come from different directions and rarely align neatly.

The Audit Trail requirements are largely regulatory. HIPAA mandates retention of audit logs for 6 years, requiring at minimum: timestamp, accessor identity, the action performed, and a reference to the PHI involved (Kognitos). SOX requires audit work papers for 7 years, operational logs for 366 days. The EU AI Act’s transparency provisions, effective August 2, 2026, require automated decision logs to be retained for a minimum of 6 months — though “minimum” matters here; that floor rises for high-risk system classifications (TrueFoundry Compliance). The storage requirement across all of these is functionally identical: append-only, tamper-evident. S3 Object Lock, Azure Blob immutable storage, or ingestion into a SIEM are the standard implementation options (BrightByte).

What you cannot keep is at least as consequential as what you must. An LLM pipeline in a healthcare or financial context will routinely receive prompts containing names, account numbers, diagnosis codes, and social security numbers — not because users intend to include them, but because they are copying from documents and forms into chat interfaces. Logging those raw prompts verbatim creates a PII Redaction obligation: you are now a processor of sensitive personal data, with all the associated legal exposure.

The OpenTelemetry specification for LLM observability adds a third layer of complexity. As of mid-2026, the gen_ai.* semantic conventions have been migrated from the main OTel repo (v1.42.0) to a dedicated semantic-conventions-genai repository, which remains in pre-release development status with no published stable version (OTel Releases). The gen_ai.prompt and gen_ai.completion attributes, which many existing instrumentation libraries still use, were deprecated in v1.38.0 in favor of a message-structured model (OTel GenAI Repo). Teams instrumenting today are building against experimental conventions that will change.

Not a stable foundation. An evolving draft.

What are the technical limitations of LLM logging at high volume and scale?

Volume is where the physics of logging become uncomfortable. A production LLM endpoint handling ten thousand requests per hour, each with a multi-turn conversation context, produces trace data at a rate that makes naive “log everything” policies economically incoherent. The core LLM Cost Management problem is not just storage — it is the cost of retrieval. Logs that nobody can query efficiently are not an observability asset; they are a compliance liability with a storage invoice attached.

Prompt Logging at full fidelity also creates a non-trivial inference overhead problem. Each logged span must be serialized, transmitted to a collection endpoint, indexed, and eventually queried. For high-throughput deployments, this telemetry path can consume a meaningful fraction of the latency budget that the SLO is trying to protect.

The structural answer to volume is sampling. But sampling introduces its own failure mode: you are making a decision about what to discard before you know what matters. Head sampling — deciding at trace start whether to retain a trace — is the simplest implementation and the most epistemically dangerous. A 1% head sampling rate means that the rare pathological trace (the hallucination on a niche query, the timeout that preceded a model fallback) is dropped 99% of the time, precisely because it is rare (FutureAGI).

The 2026 production standard has shifted toward tail sampling as a result: retain 100% of error traces, 100% of traces with below-threshold evaluation scores, 100% of high-cost traces above the P95 latency or token-count threshold, and a 1–10% random baseline sample of everything else (FutureAGI). This preserves the signal you need for debugging while keeping storage costs within reason — but it requires a buffering layer that holds spans in memory until the trace completes and the sampling decision can be made. That buffer is an architectural commitment, not a configuration option.

What PII Redaction Actually Guarantees (and What It Doesn’t)

The mental model most teams carry into PII redaction is wrong in a specific way: they treat redaction as a boolean — either the data is clean or it isn’t. The mechanism is probabilistic, and that distinction has compliance consequences.

Microsoft Presidio (version 2.2.362, released March 2026, 9,700+ GitHub stars, MIT license) is an open-source framework for text-based PII detection and redaction (Presidio GitHub). It supports text, images, and DICOM medical images. Its own README is explicit on the fundamental limitation: “No guarantee that Presidio will find all sensitive information” (Presidio Docs). This is not a shortcoming of Presidio specifically — it is a property of any pattern-matching or NER-based system applied to natural language.

The failure modes distribute asymmetrically. False negatives — PII that passes through unredacted — are the compliance risk. False positives — benign text redacted as PII — are the data quality risk. A product name that matches a person’s name pattern, a medical procedure code that resembles a phone number format: these are not hypothetical edge cases. They are the everyday outputs of redaction pipelines running on messy real-world text.

LLM-based redaction does not resolve this. Using an LLM to identify and redact sensitive information introduces a new class of problem: the model’s output is non-deterministic. The same input, on repeated calls, can produce different redaction decisions. Non-deterministic redaction is incompatible with consistent audit logs — a fact that makes LLM-based redaction architecturally unsuitable as a primary mechanism for compliance pipelines (Philterd Blog).

The practical architecture that survives compliance review is defense in depth: pattern-matching (regex for known formats like SSNs and credit card numbers) as the first pass, NER-based detection (Presidio or equivalent) as the second, and an output validation layer that checks for residual high-confidence PII before a log entry is written. No single layer catches everything. The combination catches most of what a single layer misses.

When it breaks: The redaction pipeline itself can become a data loss vector when false positive rates are high enough to corrupt the context that evaluation systems need to score model outputs. A trace with systematically over-redacted content cannot be used to verify whether the model responded correctly — the observability tool is now blind to the thing it is trying to observe.

Three-layer LLM observability stack showing structured logging at base, distributed tracing in the middle, and evaluation signals at top, with PII redaction and tail sampling decision points annotated
LLM observability is a three-layer stack. PII redaction and sampling decisions must be made before data enters the audit store — choices that directly determine what you can later debug.

The Standards Problem: When the Floor Is Still Being Poured

The OpenTelemetry GenAI conventions represent a specific kind of technical risk: they are authoritative enough that most tooling vendors are converging on them, but experimental enough that the attribute names and data models are still changing. This is not an abstract concern.

The gen_ai.prompt and gen_ai.completion attributes are the most widely instrumented span attributes in the existing LLM observability ecosystem. Both are deprecated. Teams that built instrumentation against them before the v1.38.0 deprecation are now running code that emits attributes the specification has moved away from. The migration requires setting OTEL_SEMCONV_STABILITY_OPT_IN=gen_ai_latest_experimental as an environment variable to opt into the replacement model (OTel Docs) — but the replacement model itself carries the “experimental” label, meaning it too can change.

The parallel standard, OpenInference (Apache 2.0, originated from Arize, now adopted across multiple vendors), adds interoperability without resolving the stability question. Most 2026 observability stacks emit OpenInference instrumentation, export via OTLP, and validate against both OpenInference and OTel GenAI specs (OpenObserve). The convergence is real. The stability is not yet.

For the A/B Testing for LLMs use case specifically, the standards question has a practical edge: if your trace schema changes between the control and treatment periods of an experiment, the traces are no longer directly comparable. A schema migration in the middle of an A/B testing run is the instrumentation equivalent of changing the measuring instrument between measurements.

What the Mechanism Predicts About Failure Modes

The three-layer architecture, the probabilistic redaction guarantee, and the sampling tradeoff together predict a specific set of failure patterns that teams encounter repeatedly in production.

If you use head sampling at rates below 5%, expect that the traces you most want to debug will be systematically underrepresented — not because your sampling is unlucky, but because rare events are the ones that justify low sample rates in the first place, and rare events are where pathological model behavior concentrates. Tail sampling does not eliminate this; it moves the buffering cost to infrastructure rather than eliminating the sampling decision.

If your PII redaction runs after prompt logging writes to disk, the compliance window is the gap between write and redaction. For any regulated data category, that gap matters. The architecture that closes it is gateway-layer redaction: intercept and scrub the prompt before it touches a persistent store, not after.

If your audit trail retention policy was designed for classical application logs, it almost certainly does not account for the size of LLM traces. A single multi-turn conversation with retrieved context and tool call arguments can easily reach tens of kilobytes per interaction. At production volume, that math changes the storage cost curve significantly enough to require explicit planning before the logging infrastructure scales.

The Model Registry adds another dimension: when the underlying model changes, the trace schema and the evaluation baselines both need to change with it. An LLM observability stack that is tightly coupled to a specific model version will produce breaks — not errors, but silent schema drift — every time the model registry promotes a new version.

Rule of thumb: instrument at the gateway, filter at the collector, store selectively, and treat the compliance floor as the floor — not the ceiling.

The Data Says

LLM logging is not a configuration problem. It is a constraint satisfaction problem with three variables that cannot all be maximized simultaneously. The mechanism — sampling, redaction, retention — is well understood; the challenge is that each mechanism introduces a failure mode in the domain it is trying to protect. Tail sampling preserves signal at the cost of buffering infrastructure. Probabilistic redaction reduces exposure at the cost of completeness guarantees. Append-only storage satisfies compliance at the cost of mutability. Understanding these tradeoffs as engineering constraints, not implementation details, is what separates an observability stack that survives a compliance audit from one that fails silently until the audit arrives.

AI-assisted content, human-reviewed. Images AI-generated. Editorial Standards · Our Editors

Share: