The Privacy-Utility Tension in AI Agents
As AI agents move to production, they rely on cloud-hosted memory to maintain context across sessions. This creates a significant security risk: raw sensitive data, such as health records, financial credentials, and PII, is transmitted to the cloud and persisted in logs and vector databases there. Traditional irreversible masking (replacing a value with ***) protects privacy but destroys the semantic context the model needs to perform its task. MemPrivacy, a framework developed by researchers from MemTensor, HONOR, and Tongji University, addresses this by keeping the raw values off the cloud while preserving the semantics the model needs.
Local Reversible Pseudonymization
MemPrivacy operates through a three-stage pipeline that keeps sensitive values on the user's device:
- Uplink Desensitization: An on-device model identifies sensitive spans and replaces them with typed placeholders (e.g., <EMAIL>, <PASSWORD>). The original-to-placeholder mapping is stored in a secure local database, ensuring the same value maps to the same placeholder across sessions.
- Cloud Processing: The cloud receives semantically intact text containing placeholders. Because each placeholder retains the data type, the cloud model can still reason about the information and manage memory effectively without ever seeing the raw values.
- Downlink Restoration: When the cloud returns a response, the local device scans for placeholders and performs a lookup to reinsert the original values before the user sees the output.
Privacy Taxonomy and Performance
The framework categorizes data into four levels (PL1–PL4), allowing users to configure their own masking thresholds:
- PL1: General preferences (low risk).
- PL2: Identifiable PII (names, emails).
- PL3: Highly sensitive data (medical records, biometrics).
- PL4: Immediately exploitable secrets (passwords, API keys).
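The three-stage pipeline above and the PL1–PL4 threshold can be seen end to end in the following added example. It is not code from the MemPrivacy paper or its authors: regexes stand in for the on-device detection model, an in-memory dictionary stands in for the secure local database, the detector types and their PL assignments are assumptions chosen to match the taxonomy, and placeholders are numbered (<EMAIL_1>) so that two distinct values of one type remain distinguishable, where the paper's examples show only the bare type.

```python
import re

# Privacy levels from the PL1-PL4 taxonomy (higher = more sensitive).
PL1, PL2, PL3, PL4 = 1, 2, 3, 4

# Detector table: (placeholder type, privacy level, pattern). The regexes are a
# constructed stand-in for the paper's on-device detection model; the types and
# levels are assumptions chosen to match the taxonomy, not the paper's own list.
# A capturing group, when present, marks the span to replace (e.g. only the
# secret after "password:"); otherwise the whole match is replaced.
DETECTORS = [
    ("API_KEY",  PL4, re.compile(r"\bsk-[A-Za-z0-9]{16,}\b")),
    ("PASSWORD", PL4, re.compile(r"(?i)\bpassword\s*(?:is|[:=])\s*([^\s,.;]+)")),
    ("MRN",      PL3, re.compile(r"\bMRN[- ]?\d{6,}\b")),
    ("EMAIL",    PL2, re.compile(r"\b[\w.+-]+@[\w-]+\.[A-Za-z]{2,}\b")),
]

PLACEHOLDER_RX = re.compile(r"<[A-Z_]+_\d+>")


class PseudonymVault:
    """Local, reversible mapping between raw values and typed placeholders.

    Assumption: an in-memory dict stands in for the encrypted on-device
    database. The mapping never leaves this object, so the cloud only ever
    sees placeholders. Placeholders are numbered (<EMAIL_1>, <EMAIL_2>) so two
    different values of one type stay distinguishable and restoration is
    unambiguous.
    """

    def __init__(self, threshold=PL2):
        self.threshold = threshold      # mask everything at this level or above
        self.forward = {}               # (type, raw value) -> placeholder
        self.reverse = {}               # placeholder -> raw value
        self.counters = {}              # type -> next sequence number

    def _placeholder(self, ptype, value):
        # The same raw value always maps to the same placeholder (cross-session
        # consistency), so the cloud can link references to one entity.
        key = (ptype, value)
        if key not in self.forward:
            n = self.counters.get(ptype, 0) + 1
            self.counters[ptype] = n
            ph = f"<{ptype}_{n}>"
            self.forward[key] = ph
            self.reverse[ph] = value
        return self.forward[key]

    def desensitize(self, text):
        """Uplink: replace spans at or above the threshold with placeholders."""
        spans = []
        for ptype, level, rx in DETECTORS:
            if level < self.threshold:
                continue                # user accepts this level leaving the device
            for m in rx.finditer(text):
                start, end = m.span(1) if m.lastindex else m.span()
                spans.append((start, end, ptype))
        spans.sort()
        out, pos = [], 0
        for start, end, ptype in spans:
            if start < pos:
                continue                # overlaps an earlier match; keep the first
            out.append(text[pos:start])
            out.append(self._placeholder(ptype, text[start:end]))
            pos = end
        out.append(text[pos:])
        return "".join(out)

    def restore(self, text):
        """Downlink: swap placeholders back; unknown placeholders are left as is."""
        return PLACEHOLDER_RX.sub(
            lambda m: self.reverse.get(m.group(0), m.group(0)), text)


def round_trip(vault, user_text, cloud_fn):
    """Full pipeline: desensitize locally, send to the cloud, restore locally.
    Returns (what the cloud saw, what the user sees)."""
    masked = vault.desensitize(user_text)
    reply = cloud_fn(masked)            # only placeholders cross this boundary
    return masked, vault.restore(reply)


def fake_cloud(masked):
    # Constructed stand-in for the cloud agent: it reasons over the typed
    # placeholders and echoes them back in its answer.
    return "Saved your note: " + masked


if __name__ == "__main__":
    vault = PseudonymVault(threshold=PL2)
    seen, shown = round_trip(
        vault, "Email me at alice@example.com; password: hunter2", fake_cloud)
    print("cloud saw :", seen)
    print("user sees :", shown)
```

Two properties worth checking in any real implementation follow directly from this design: the local mapping store is now the most valuable asset on the device (whoever reads it recovers every value ever masked), so it needs encryption at rest and the same access controls as a credential store; and restoration only works for placeholders the cloud returns verbatim, so a model that paraphrases or truncates a placeholder silently leaks nothing but also fails to restore, which the downlink step should detect rather than display.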
Experimental results show that MemPrivacy maintains high utility: memory accuracy drops by at most 1.6% when PL2–PL4 content is protected, whereas irreversible masking causes accuracy drops of up to 41.87%. The on-device desensitization models, ranging from 0.6B to 4B parameters, run inference in under two seconds, making them suitable for deployment on the user's device.