AI Secrets & Credentials in AI Context
Detects secrets and credentials surfaced in AI/LLM context: private-key headers (RSA / EC / OpenSSH / generic) and connection-string passwords (password= / pwd=) pasted into prompts, chat exports, or AI-generated output. Reuses the intent of built-in credential SITs, re-scoped to the AI surface.
- Type
- regex
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium and precision-oriented (library target >=0.92). Private-key headers are highly specific; connection-string passwords are broader, so placeholder exclusions and AI-context corroboration remove the named FP traps (placeholder keys, hashes, GUIDs, sample configs).
- Jurisdictions
- global
- Regulations
- OWASP LLM Top 10 2025, NIST AI RMF GenAI Profile
- Frameworks
- ISO 27001
- Data categories
- emerging, security
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----Corroborative evidence keywords
private key, password, credential, secret, connection string, AI, artificial intelligence, LLM, large language model, Copilot, chatbot, assistant, agent, prompt, system prompt, tool call, completion, model
Proximity: 300 characters
Should match
In the Copilot prompt: password=Sup3rSecretPwd99; connect now— Connection-string password pasted into an AI prompt-----BEGIN RSA PRIVATE KEY-----— Private key header
Should not match
Please reset your password by clicking the link.— No password=<value> assignment present. Documentation placeholders (your-password-here, PLACEHOLDER, xxxxxxxx) are excluded by the Guard_secrets_exclude_placeholder TextMatchFilter in Purview, not by the regex.