Detection

Use regex for known secret formats (AWS keys, GitHub tokens), entropy-based checks for high-entropy strings, and an ML classifier for context.

Tools

TruffleHog, gitleaks, detect-secrets. Originally built for code scanning, since extended to AI outputs.

Action

Detect → block output → alert. Never let a secret reach the user.
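
The detect, block, alert flow with the regex and entropy checks described above, as an added example (not code from the tools listed here). The function names, the 24-character candidate length and the 4.5 bits-per-character threshold are assumptions to tune for your own traffic.

```python
import logging
import math
import re
from collections import Counter

log = logging.getLogger("secret_filter")  # hypothetical logger name

# Known-format rules: AWS access key IDs and GitHub tokens (public prefixes).
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# Candidate tokens for the entropy check; length and threshold are assumed values.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")
ENTROPY_THRESHOLD = 4.5  # bits per character


def shannon_entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_secrets(text):
    """Return (rule_name, start, end) for each suspected secret in text."""
    findings = [(name, m.start(), m.end())
                for name, rx in RULES.items() for m in rx.finditer(text)]
    covered = [(s, e) for _, s, e in findings]
    for m in CANDIDATE.finditer(text):
        if any(s < m.end() and m.start() < e for s, e in covered):
            continue  # already reported by a format rule
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", m.start(), m.end()))
    return findings


def guard_output(text):
    """Detect -> block -> alert. Returns (text_for_user, findings)."""
    findings = find_secrets(text)
    if not findings:
        return text, findings
    # Alert with rule names and offsets only; never log the secret itself.
    log.warning("blocked model output: %s", findings)
    return "[response withheld: possible credential detected]", findings
```

Call `guard_output` on every model response before it is returned to the client, and route the warning log to your alerting pipeline.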

Provider role

OpenAI and Anthropic sometimes filter leaked keys before responding, but this is not comprehensive: deploy your own layer.