All posts
June 16, 20263 min read

PII/PHI redaction for AI agents on MySQL

The end-state you want is simple to state and hard to retrofit: an AI agent can query your MySQL database all day and never once hold a real patient record, social security number, or card number in its context. The agent gets structure, counts, and the non-sensitive fields it needs to do its job. The regulated values stay in the database. PII/PHI redaction for AI agents on MySQL is the control that makes that end-state real. Most teams arrive at this backward. They give the agent read access,

Free White Paper

AI Agent Security + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

The end-state you want is simple to state and hard to retrofit: an AI agent can query your MySQL database all day and never once hold a real patient record, social security number, or card number in its context. The agent gets structure, counts, and the non-sensitive fields it needs to do its job. The regulated values stay in the database. PII/PHI redaction for AI agents on MySQL is the control that makes that end-state real.

Most teams arrive at this backward. They give the agent read access, notice later that result sets carry regulated data straight into prompts and logs, and then try to scrub after the fact. By then the value has already left the database. Redaction has to happen before the row reaches the agent, not after.

The end-state, concretely

  • Columns you classify as PII or PHI come back redacted on every query, for every agent, by default policy.
  • The agent still runs real queries against real data, so its reasoning stays correct.
  • No regulated value enters the agent's context, logs, or any downstream prompt.
  • The redaction rule lives outside the agent, so the agent cannot turn it off.

Why redaction has to sit on the connection

MySQL stores the regulated data; it has no idea the caller is an AI agent that should never see it in plaintext. Views and column-level grants can hide fields, but you would maintain a parallel schema for every agent and use case, and a single missed view leaks. The redaction belongs on the connection between MySQL and the agent, where one policy covers every query regardless of how it is written.

How to reach the end-state

hoop.dev proxies the MySQL wire protocol. Result sets flow back through the gateway, where the masking plugin streams content to a DLP provider (Presidio or Google DLP) for classification and redacts the matched entities before rows reach the client. Because this runs in the gateway, not in the agent's process, PII/PHI redaction is a property of the connection the agent cannot reconfigure.

Continue reading? Get the full guide.

AI Agent Security + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  1. Register the MySQL connection in hoop.dev with HOST, PORT, USER, PASS, and DB.
  2. Attach a DLP provider so the masking plugin has a classifier.
  3. Define the regulated entity types to redact: names, national IDs, medical record numbers, payment data, contact details.
  4. Point the agent's MySQL client at the gateway endpoint.
  5. Run a query that would normally return regulated fields and confirm they come back redacted while the rest of the row is intact.

Pitfalls

  • Redacting reads but allowing unmasked writes. An agent that can copy a PHI column into a new table sidesteps read-side redaction. Route risky writes for approval.
  • Assuming redaction implies a compliance certification. Redaction generates evidence you can use in your HIPAA or PCI DSS program; it is not a certification of the database or the agent.
  • Empty policy. Masking on MySQL runs natively, but it only redacts the entities you configure. No entities defined means no redaction.

One more thing worth checking is the long tail of free-text columns. Regulated data does not only live in tidy fields named ssn or email. It hides in notes, comments, and description columns where someone typed a phone number or a record ID by hand. Because the masking plugin classifies streaming content rather than matching column names, it can catch a national ID buried in a free-text field, not just the columns you expected. Test against your messiest table, the one with a notes column, and confirm the entities are redacted wherever they actually appear.

FAQ

Does PII/PHI redaction break the agent's queries?

No. Queries run against real MySQL data; only the returned values for classified fields are replaced. Joins, filters, and counts still work.

Does this make my database HIPAA compliant?

No tool makes a database compliant on its own. Redaction and per-session records generate evidence that supports your HIPAA or PCI DSS program; they are not a certification.

Can the agent see around the redaction?

Not when redaction runs in the gateway. The agent holds no database credential and no masking config, so it cannot bypass the policy.

Pair redaction with least-privilege access so the agent reaches fewer regulated tables and see the broader model for agent data access. Run the open-source gateway against a test database: hoop.dev on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot