Docento.app Logo
Docento.app
Humanoid robot reading a document
All Posts

Using AI to Redact PDFs Safely

AIRedactionAI
April 8, 2026·8 min read

AI can speed up PDF redaction dramatically, finding every SSN, credit card, email address, and personal name in a stack of documents in seconds. It can also fail in subtle ways that leak the exact data you tried to hide. This guide covers what AI redaction does well, where it falls short, and how to combine AI speed with the safety guarantees that proper redaction requires.

What "redaction" really means

A common misunderstanding: covering text with a black rectangle is not redaction. The text is still in the PDF; anyone can copy it, search it, or read it from the underlying stream. See PDF redaction failures and how to avoid them.

True redaction:

  1. Removes the underlying text from the PDF content stream.
  2. Replaces it with opaque content (a black rectangle, or the redaction reason).
  3. Strips associated metadata (tags, structure-tree entries, annotations).
  4. Strips related artifacts (thumbnails, bookmarks, comments).

A reliable AI redaction tool does all four. A naive one only covers the visual layer.

Where AI helps

The hard part of redaction is finding the sensitive content, not removing it. Traditional regex scans catch SSNs and credit cards reliably. They struggle with:

  • Names. "Sarah Chen" is a name; "Sarah" alone is ambiguous; "Chen Industries" is a company.
  • Addresses. Many formats; partial addresses; international.
  • Contextual PII. "Born 1985 in Liverpool" is identifying even though no field is itself a strict PII pattern.
  • Free-form fields. A medical note that includes "patient mentioned visiting Dr. Johnson on Tuesday."
  • Indirect identifiers. Job titles, demographic combinations, dates of unique events.

AI models that understand language identify these reliably. Modern named-entity recognition (NER) catches names, organizations, locations, dates, monetary amounts. LLM-based scanners go further: they understand context.

AI redaction tools in 2026

Two broad categories.

Specialized redaction services with AI backends:

  • Microsoft Purview (Information Protection).
  • AWS Macie / Comprehend.
  • Google Cloud DLP.
  • Skyflow, BigID, OneTrust, Privacera.
  • PDF-specific: Adobe Acrobat AI redaction, iManage, Litera, Foxit PhantomPDF.

These services know about regulatory categories (HIPAA PHI, GDPR personal data, PCI-DSS payment data) and produce audit logs. Expensive but auditable.

General LLMs as redactors:

  • Send the text to GPT-4o, Claude Sonnet, or Gemini with a prompt: "Find every instance of PII in this document. Return as JSON with type, value, and position."
  • Use the result to drive proper redaction in your PDF tool.

Cheaper for low volume, less battle-tested for compliance.

How AI gets it wrong

Specific failure modes worth memorizing:

Missed entities. AI misses about 1 to 5 percent of PII in real documents, depending on model and category. The miss rate is higher for unusual names, non-English entities, and creative spellings.

False positives. AI flags non-sensitive content. Annoying but safe. The fix is review.

Position errors. The model identifies "John Smith" but reports the wrong character range. The redaction tool then redacts the wrong text. Always verify the redacted text in the output.

Hallucinated entities. Rare with modern models, but possible. The AI claims "John Smith" appears at page 4 line 12 when it does not.

Context loss. "Patient John was..." gets redacted. "Patient John was great" in a customer review does not need redacting. AI without context flag both.

Multi-line entities. A name that wraps across a line break may be partially redacted. Same for addresses.

OCR errors. AI redaction on scanned documents inherits OCR mistakes. A misread SSN becomes invisible to a regex but visible in the OCR text.

For high-stakes redaction (legal discovery, regulatory submissions), AI is a starting point, not the final answer.

A robust hybrid workflow

The pattern that actually works in production:

  1. Run regex scanners first. SSNs, credit cards, phone numbers, email addresses. High precision.
  2. Run NER models for names, organizations, locations, dates, money amounts. Medium precision.
  3. Run an LLM pass for contextual PII (medical history, demographics in free text, indirect identifiers).
  4. Aggregate candidates. Combine all hits into a single list with type, location, and source method.
  5. Human review. A reviewer approves or rejects each candidate. The UI shows the document with highlights.
  6. Apply proper redaction. Remove the underlying text and stamp the visual.
  7. Strip metadata. Author, title, comments, hidden data. See how to strip metadata from PDF.
  8. Verify the output. Search for the redacted strings in the output PDF; they should not appear.

Steps 6, 7, and 8 are non-negotiable. Skipping any of them is how data leaks.

Verifying redaction

After AI redaction, check:

  • Text search. Open the redacted PDF and search for an example of redacted content. Should find nothing.
  • Copy-paste check. Select-all the page text and paste into a text editor. Should not include redacted content.
  • Underlying stream. Use a tool like pdftotext to dump the raw text. Should not include redacted content.
  • Metadata. Author, title, keywords cleaned. Use how to edit PDF metadata tools.
  • Annotations and comments. Often contain comments that mirror the body. Strip or redact.
  • Form fields. May retain values even if the visual is covered. Flatten the form first. See how to flatten a PDF.
  • Bookmarks and outlines. May contain redacted text in titles.
  • Thumbnails. Some PDFs embed page thumbnails that show pre-redaction content.

The "Search for redacted text in the output" check is the single most important. Automate it.

Privacy of the AI step itself

If you send PDF text to a hosted LLM to find PII, you have sent the PII to the LLM provider. That may itself be a compliance issue.

Options:

  • On-premise LLMs. Run Llama 3, Mistral, or specialty privacy models locally. Quality is now good enough for most NER tasks.
  • Enterprise plans. OpenAI Enterprise, Anthropic Enterprise, Google Workspace Gemini contractually exclude training on inputs and add data-residency controls.
  • Regional services. EU-hosted versions of major LLMs for GDPR-bound data.
  • Specialized providers with HIPAA BAAs or other regulatory commitments.

For regulated industries this matters: see HIPAA-compliant PDF handling and GDPR and PDF documents.

Use cases

Legal discovery. Find privileged communications, attorney-client content, third-party PII in a discovery dump. AI accelerates first-pass review.

Healthcare. PHI in medical records, lab reports, imaging studies. NER tuned for medical entities. See PDF for medical records.

FOIA responses. Government records released with personal information redacted. AI plus manual review is now standard.

Customer support exports. Internal tools export support tickets that may include customer PII. Auto-redact before sharing.

Research data. De-identify documents before sharing with collaborators or releasing as datasets.

Audit trails

For compliance, every redaction action should be logged:

  • Document ID (hash of input).
  • AI model used and version.
  • Reviewer ID if human review applied.
  • Redactions applied: type, location, replacement text.
  • Verification result: pass or fail of the post-redaction search.

This trail is the difference between "we used AI to redact" and "we can prove these documents were redacted properly."

Tooling

Open source:

  • Microsoft Presidio: PII detection and anonymization library.
  • spaCy NER plus regex.
  • OCRmyPDF plus a redaction script using pikepdf or pdf-lib.

Hosted:

  • Adobe Acrobat AI redaction (Pro plan).
  • Microsoft Purview Information Protection.
  • AWS Macie for data discovery, Comprehend for entity recognition.
  • Google Cloud DLP.

For browser-based manual redaction without AI, Docento.app handles the visual and stream-level operations locally without uploading. AI is added in adjacent tools.

Practical recipe

For a one-off redaction with AI assistance:

  1. Run the document through a hosted DLP service or local Presidio.
  2. Review the candidates in a UI that highlights each location.
  3. Approve, reject, or adjust each candidate.
  4. Apply redaction in a tool that removes text from the underlying stream.
  5. Strip metadata in the same tool.
  6. Verify with a text-search check.
  7. Log the redaction set for audit.

For batch:

  1. Stand up a pipeline with NER plus LLM plus proper redaction.
  2. Sample-review 5 to 10 percent of outputs.
  3. Monitor the miss rate via periodic audits.

Takeaway

AI redaction is a major productivity gain, but only when paired with proper PDF stream removal and human review for high-stakes content. The biggest risk is treating "AI redacted" as a final answer. It is a strong starting point that needs verification. Combine AI candidate detection with a tool that does proper stream-level redaction, and you get both speed and safety. See also how to redact text in a PDF, PDF redaction failures and how to avoid them, and how to anonymize PDF documents.

Related Posts

Glowing automated pipeline visualization

Risks of Using AI on Confidential PDFs

May 2, 2026

Humanoid robot reading a document

AI OCR vs Traditional OCR: What Changed and Why It Matters

May 1, 2026

Wide desk shot with documents

Chatting With PDFs: How Document Q&A Actually Works

Apr 30, 2026