Privacy boundary testing for hybrid local/cloud AI
A practical test architecture for hybrid local/cloud AI systems where privacy depends on data classification, routing policy, trace redaction, and egress verification.
Whether executable route tests can detect unauthorized egress through prompts, embeddings, traces, caches, model calls, and tool arguments before a workflow is deployed.
- Data classification matrix
- Egress path inventory
- Boundary test suite
- Redaction coverage report
Create synthetic restricted-data fixtures and run them through model routing, trace emission, cache, and tool-call paths to identify boundary violations. The output should include an egress-path inventory, a redaction coverage report, and a failure list showing exactly which boundary was crossed and by which step.
Privacy assurance for hybrid AI requires executable boundary tests that classify data, trace every egress path, and fail builds when sensitive fields cross an unauthorized model, tool, log, telemetry, or storage boundary.
Hybrid AI creates invisible data paths
A hybrid AI system often mixes local inference, cloud models, vector databases, observability tools, browser agents, email APIs, and analytics. Sensitive data can leave the intended boundary through obvious paths such as model prompts, but also through traces, cache keys, embedding inputs, tool arguments, screenshots, exception logs, and debugging exports.
The privacy control should therefore be executable. A policy document is not enough; the system needs tests that simulate sensitive inputs and prove that routing, redaction, and telemetry behavior match the declared boundary.
Classify data before testing egress
| Data class | Allowed execution | Disallowed paths |
|---|---|---|
| Public | Local or controlled cloud | None, subject to normal retention policy |
| Internal | Approved cloud or local | Unauthorized vendors, public logs, unmanaged exports |
| Confidential | Local or controlled private cloud | General-purpose SaaS models, raw telemetry, browser screenshots |
| Restricted personal data | Local-only unless explicit controlled route exists | Embeddings, prompts, traces, support logs, third-party tools |
| Secret/regulated | Isolated environment only | Network egress, model API calls, external observability |
Policy tests should run against routes, not promises
const restrictedFixture = {
userText: "Patient: Jane Example. Diagnosis: simulated restricted condition.",
classification: "restricted_personal_data",
};
test("restricted data never routes to public cloud model", async () => {
const run = await executeWorkflow(restrictedFixture);
expect(run.modelCalls).toEqual(
expect.not.arrayContaining([
expect.objectContaining({ providerBoundary: "public_cloud" }),
]),
);
expect(run.traceEvents.every((event) => !event.rawPayload)).toBe(true);
expect(run.egressEvents).toHaveLength(0);
});What evidence should be reviewable
- A current inventory of model, tool, telemetry, cache, and storage endpoints.
- A classification policy tied to runtime routing decisions.
- Synthetic sensitive fixtures that exercise every critical workflow.
- Negative tests proving unauthorized egress fails closed.
- Trace samples showing redaction/minimisation behavior.
- Change-detection tests for new tools, vendors, and model routes.
Related research
View allPrompt injection and tool misuse in agentic workflows
How should agentic systems be tested against prompt injection, tool misuse, and excessive agency?
A measurement model for AI deployment readiness
How should teams measure whether an AI system is ready for controlled production deployment?
Trace semantics for tool-using agents
What trace semantics are needed to explain failures in tool-using AI agents?