News · OpenAI ships Privacy Filter, an open-weight PII redaction model under Apache 2.0
OpenAI ships Privacy Filter, an open-weight PII redaction model under Apache 2.0
A 1.5B-parameter token classifier for masking personal data, built to run locally and released on Hugging Face and GitHub.
A discriminative model from a company known for generative ones
OpenAI released Privacy Filter on April 22, 2026 as an open-weight model for detecting and redacting personally identifiable information in text. It is available under the Apache 2.0 license on Hugging Face and GitHub, cleared for experimentation, customization, and commercial deployment.
The notable thing is what kind of model it is. OpenAI describes a bidirectional token-classification model with span decoding. It starts from an autoregressive pretrained checkpoint, then replaces the language-modeling head with a token-classification head and is post-trained with a supervised classification objective. Instead of generating text token by token, it labels every token in a single forward pass and decodes coherent spans with a constrained Viterbi procedure.
That is a different shape of product than the generative systems OpenAI usually ships. Privacy Filter does not write anything; it tags spans across eight categories — private_person, private_address, private_email, private_phone, private_url, private_date, account_number, and secret — using BIOES span tags to produce cleaner masking boundaries.
The numbers OpenAI actually reports
The released model has 1.5B total parameters with 50M active parameters, supports up to 128,000 tokens of context, and exposes configurable operating points so developers can trade recall against precision. That active-parameter figure is what makes the single-pass, high-throughput claim plausible for local execution.
On the PII-Masking-300k benchmark, OpenAI reports an F1 of 96% (94.04% precision, 98.04% recall). On a corrected version of the benchmark that accounts for annotation issues the team says it identified during review, F1 rises to 97.43% (96.79% precision, 98.08% recall). The correction is worth reading carefully: it is OpenAI evaluating against its own re-annotation of a public dataset, so the headline number depends on accepting those corrections.
On adaptation, OpenAI reports that fine-tuning on a small amount of data moved F1 from 54% to 96% on a domain-adaptation benchmark and approached saturation. The 54% starting point signals that out-of-distribution domains need tuning, not that the base model transfers cleanly everywhere.
Keeping unfiltered data on the machine
The design centers on local execution. OpenAI's argument is that data which has not yet been filtered can remain on device rather than being sent to a server for de-identification — a smaller model means the redaction step itself does not become a new exfiltration point.
OpenAI positions this against traditional PII tooling that relies on deterministic rules for formats like phone numbers and email addresses. Those rules work for narrow cases but miss subtler references. The pitch here is context awareness: the language prior lets the model distinguish information that should be preserved because it is public from information that relates to a private individual and should be masked.
OpenAI also states it uses a fine-tuned version internally in its own privacy-preserving workflows, and frames the release inside a stated goal: "Our goal is for models to learn about the world, not about private individuals."
What OpenAI explicitly says it is not
The limitations section is unusually direct. OpenAI states Privacy Filter is not an anonymization tool, not a compliance certification, and not a substitute for policy review in high-stakes settings. It is one component in a privacy-by-design system.
The behavior reflects the taxonomy it was trained on, and OpenAI warns that different organizations will want different masking policies, that performance varies across languages, scripts, and naming conventions, and that the model can over- or under-redact when context is limited, especially in short sequences. For legal, medical, and financial workflows it says human review and in-domain evaluation remain important.
This framing is a claim about accountability. A team that treats Privacy Filter's output as certified de-identification is using it against OpenAI's stated intent.
The implication: privacy tooling gets an inspectable, fine-tunable baseline
For teams building training, indexing, logging, and review pipelines, the concrete change is that a strong context-aware PII redactor now exists with open weights, an Apache 2.0 license, and documented decoding controls — something you can run in your own environment, benchmark, and fine-tune to your taxonomy.
The practical work is not adopting the model but validating it. Because the strong benchmark numbers rest on OpenAI's own annotation corrections, and because the 54%-to-96% jump shows domain sensitivity, any serious deployment means building an in-domain evaluation set and tuning operating points before trusting the masks. Privacy Filter lowers the cost of starting; it does not remove the obligation to verify what it misses on your data.
Find this story relevant to you?
Contact us to find a unique solution
Need an AI engineering partner that can actually build?
We help businesses integrate AI, build AI-powered products, automate high-value workflows, and modernize the software systems behind them.
Related reading
More analysis around product delivery, operational AI, and the systems work that makes deployment hold up in reality.