Chain-of-Sanitized-Thoughts: Plugging PII Leakage in CoT of Large Reasoning Models
Arghyadeep Das, Sai Sreenivas Chintha, Rishiraj Girmal, Kinjal Pandey, Sharvi Endait
TL;DR
This work tackles the privacy risk of PII leakage in chain-of-thought reasoning by LRMs and proposes a privacy-first paradigm. It introduces PII-CoT-Bench, a dataset pairing synthetic PII with privacy-aware reasoning traces, and a category-balanced evaluation suite to diagnose leakage across realistic and adversarial scenarios. Through systematic experiments on open-source LRMs, the authors show a capability-dependent effect: strong models benefit most from prompt-based controls, while weaker models require supervised fine-tuning to meaningfully reduce leakage, with minimal utility loss. The study demonstrates that privacy-preserving reasoning can be achieved without sacrificing performance and outlines directions for extending privacy protections through RLHF, architecture-level analyses, and inference-time interventions like activation steering.
Abstract
Large Reasoning Models (LRMs) improve performance, reliability, and interpretability by generating explicit chain-of-thought (CoT) reasoning, but this transparency introduces a serious privacy risk: intermediate reasoning often leaks personally identifiable information (PII) even when final answers are sanitized. We study how to induce privacy-first reasoning, where models reason without exposing sensitive information, using deployable interventions rather than post-hoc redaction. We introduce PII-CoT-Bench, a supervised dataset with privacy-aware CoT annotations, and a category-balanced evaluation benchmark covering realistic and adversarial leakage scenarios. Our results reveal a capability-dependent trend: state-of-the-art models benefit most from prompt-based controls, whereas weaker models require fine-tuning to achieve meaningful leakage reduction. Across models and categories, both approaches substantially reduce PII exposure with minimal degradation in utility, demonstrating that private reasoning can be achieved without sacrificing performance. Overall, we show that private CoT reasoning can be achieved with minimal utility loss, providing practical guidance for building privacy-preserving reasoning systems.
