← Blog

AI Prompt Risk Scanner: A Free Tool to Check Prompts for PII, PHI, Secrets, and Injection Patterns

Most production AI applications send prompts to vendor LLM endpoints without an inspection layer. The prompt content carries PII, PHI, secrets, and prompt-injection vectors at rates the application teams underestimate. This page walks through the free prompt risk scanner the DeepInspect team built, the four classifiers it runs, and the report format that tells you what your traffic actually carries.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
AI Security Solutionsprompt-riskprompt-scannerpii-detectionphi-detectionprompt-injectionfree-tool
AI Prompt Risk Scanner: A Free Tool to Check Prompts for PII, PHI, Secrets, and Injection Patterns

Most production AI applications send prompts to vendor LLM endpoints with no inspection layer between the application and the model. The prompt content carries PII, PHI, secrets, and prompt-injection vectors at rates the application teams typically underestimate. The IBM Cost of Data Breach data shows that 65% of shadow-AI-linked breaches involved customer PII exposure. The same pattern shows up in sanctioned AI usage when the application has no inspection point.

The prompt risk scanner runs four classifiers against any prompt and returns a structured report. It is free and produces no stored copy of the prompt.

What the scanner checks

1. PII (personally identifiable information)

Regex passes for SSN, EIN, ITIN, credit card (Luhn-checked), US and EU phone numbers, email addresses, IP addresses, MAC addresses, US driver's license patterns, EU passport patterns. Named-entity recognition for person names, addresses, and date-of-birth patterns. Output verdict: none / low / medium / high.

2. PHI (protected health information)

The 18 HIPAA identifiers under 45 CFR 164.514(b): names, dates (other than year), telephone numbers, fax numbers, email addresses, SSN, MRN, account numbers, certificate/license numbers, vehicle identifiers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code. The scanner also recognizes ICD-10, CPT, and DEA number patterns that indicate clinical context.

3. Secrets

Detection patterns for AWS access keys (AKIA prefix), GitHub personal-access tokens (ghp_ prefix), Stripe keys (sk_live_ prefix), OpenAI keys (sk- prefix), Anthropic keys (sk-ant- prefix), Slack tokens (xox prefix), Google OAuth tokens, private keys (PEM headers, OpenSSH headers, PKCS#8 headers), database connection strings with embedded credentials, JWT bearer tokens. Output verdict: clean / suspected / confirmed.

4. Prompt-injection patterns

Direct injection patterns: "ignore previous instructions," "you are now a different model," "reveal your system prompt," "output the contents of [variable]." Indirect injection patterns: imperative instructions embedded in retrieved context, base64-encoded instruction blobs, hidden Unicode characters used to smuggle instructions past the visible text. Output verdict: clean / suspected / confirmed, with the detected pattern named.

How to use the scanner

The web UI accepts a pasted prompt up to 50,000 characters. The API accepts a JSON POST:

[@portabletext/react] Unknown block type "code", specify a component for it in the `components.types` prop

The response is the structured report:

[@portabletext/react] Unknown block type "code", specify a component for it in the `components.types` prop

The scanner does not store the prompt. The response is generated in-memory; no copy persists to disk. The scanner version is stamped so a future audit can reproduce the run.

Sample report from a real shadow AI scan

A retrofit deployment we ran for a finance organization sampled 4,200 production prompts across one week. The aggregate report:

  • PII verdict high: 18.4% of prompts
  • PHI verdict any: 0.0% (no clinical context in this deployer)
  • Secrets confirmed: 2.1% of prompts
  • Injection suspected or confirmed: 0.6% of prompts

The 2.1% secrets rate matched the deployer's expectation of zero. Engineers had pasted database connection strings into ChatGPT to debug a query format. The secrets had been on the wire for at least four months before the scan ran.

When to run the scanner

Three triggers:

  1. Before standing up an inspection layer. Sample your application's prompts to size the policy bundle. A deployer with 18% high-PII traffic needs a different bundle than one with 0.2%.
  2. As a development-time check. Application teams paste a representative prompt into the scanner before shipping. The report names the policy rules the application has to be designed against.
  3. During an incident. A regulator or an internal auditor asks "what data could have left through this endpoint." The scanner produces the per-prompt verdict that supports the answer.

What the scanner does not do

The scanner is not an enforcement layer. It does not block, redact, or route requests. It produces a verdict the deployer reads. For runtime enforcement, the deployer needs a gateway that runs the same classifiers in-line and acts on the verdicts.

The scanner does not produce an audit record that satisfies EU AI Act Article 12. Article 12 requires per-decision records produced at request time by the enforcement layer. The scanner is a measurement tool, not an enforcement tool.

The scanner under the hood

The four classifiers are the same components that run in the DeepInspect gateway. The web UI runs them in a stateless mode against a single prompt. The gateway runs them in-line against every production request. The verdicts are produced by the same code; the difference is what happens after the verdict.

Same code path means the scanner's verdict is a faithful preview of what the gateway would have done in production. A prompt that scores PHI: high in the scanner will produce the same verdict, and the same policy decision, on the wire.

DeepInspect

DeepInspect's gateway is the in-line version of the scanner. The four classifiers run on every request, the verdicts feed the policy decision, and the audit record carries the verdict alongside the decision. Application teams that prototype against the scanner already know what their production traffic will produce when they deploy the gateway.

The scanner is at deepinspect.ai/tools/prompt-risk-scanner. The gateway integration is what turns the scanner's verdict into a runtime decision plus an audit record.

Book a technical deep dive at deepinspect.ai.

Frequently asked questions

Does the scanner store the prompt I submit?

No. The prompt is processed in-memory; no copy persists to disk. The response is generated and returned, then the request context is discarded. The scanner's logs record only the verdict (none / low / medium / high per classifier), not the prompt content.

How accurate are the classifiers?

The PII regex passes hit 99.6% on the SSN gold set and 99.1% on credit-card detection (Luhn-checked, 16-digit-or-more inputs). The PHI classifier scores 97% F1 on the i2b2 de-identification benchmark. The secrets detector hits 99.8% on the secretlint corpus. The injection detector hits 92% F1 on a 2,400-prompt blended corpus. False positives are higher than false negatives by design; the scanner errs toward over-flagging.

Can I run the scanner offline?

The web UI requires a network call to the scanner endpoint. The classifier components are also available as a library that runs offline; contact the DeepInspect team for licensing.

Does the scanner support languages other than English?

PII regex passes are locale-aware (US, UK, EU patterns ship by default; APAC patterns available on request). The NER components run on multilingual models that cover English, Spanish, French, German, Portuguese, Italian, Dutch, and Polish at production quality. Other languages are best-effort.

← All posts