The Privacy-Routing Problem
A nurse checks her phone between rounds. She opens an agent that helps her flag bad lab results and draft handoff notes. It saves her twenty minutes a shift. It catches things she’d miss at 3 a.m.
Here is the problem. Some of what she asks involves patient names and drug doses. Some of it is just textbook medicine. Right now, most AI systems treat all her queries the same way. Send it all to a cloud API. Hope the contract holds up.
That is not a plan. That is a prayer.
The Wrong Debate
The AI privacy debate is stuck in a false choice. One side says keep it all on the phone. Run small models. Take the quality hit. The other side says send it all to the cloud. Sign the deal. Trust the vendor.
Both sides are wrong. Both treat every query the same.
When the nurse asks if Drug A clashes with Drug B, there is no private data in the question. It is a textbook lookup. A big cloud model will answer it fast and well.
But when she asks about Mr. Johnson’s latest test results, that has a name, a lab value, and a care choice in it. That query should never leave her phone.
The problem is not which model to use. The problem is that no one sorts the query before picking where to send it.
Sort First, Route Second
We call this the privacy-routing problem. Every query has a risk level. Some hold personal data. Some hold secrets. Some hold nothing private at all. The right system does three things in order.
First, sort the query. What kind of data is in it? Is it personal? Is it private? Is it just common facts? This step must happen on the device, before the query goes anywhere.
Second, pick which models are cleared to see this data. We call this the “cleared set.” A query with no private data might be cleared for any model. A query with health records might be cleared for the on-device model only. A query with trade secrets might be cleared for an in-house server but not a public API.
Third, route to the best model in the cleared set. Not the cheapest. Not the fastest. The best one for the task. If a big cloud model is cleared, use it. If not, use the best local option and own that tradeoff.
This sounds simple. It is not.
The sorting step alone raises hard questions. What counts as private? Does context change the answer? If the last message had a patient name in it, is the next question now private too?
And there is a deeper threat that few have thought about. Different AI models chop text into tokens in different ways. A query that is safe under one model’s token scheme can leak data under another’s, because the token cuts land in different spots. We call this the re-token threat. Any system that routes between models without checking for it has a hidden hole.
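The three steps above (sort, cleared set, route), sketched in Python as an added example; it is not CARE's code. The model names, quality scores, regex sorter, and the rule that a session keeps the highest risk level it has seen are assumptions made for illustration, and the sketch does not address the re-token threat.

```python
import re
from dataclasses import dataclass
from enum import IntEnum

class Sensitivity(IntEnum):
    PUBLIC = 0        # common facts, nothing private
    CONFIDENTIAL = 1  # trade secrets
    PERSONAL = 2      # names, health records

@dataclass(frozen=True)
class Model:
    name: str
    location: str  # "device", "inhouse" or "public_api"
    quality: int   # constructed task-quality score, higher is better

# Constructed inventory: hypothetical model names and scores.
MODELS = [
    Model("local-small", "device", 55),
    Model("inhouse-medium", "inhouse", 75),
    Model("cloud-large", "public_api", 95),
]

# Where each risk level may go. The sets are nested, so taking the
# highest level seen in a session never widens the cleared set.
CLEARED = {
    Sensitivity.PUBLIC: {"device", "inhouse", "public_api"},
    Sensitivity.CONFIDENTIAL: {"device", "inhouse"},
    Sensitivity.PERSONAL: {"device"},
}

# Toy on-device sorter: constructed patterns standing in for a real classifier.
PERSONAL_RE = re.compile(r"\b(?:Mr|Mrs|Ms)\.\s+[A-Z][a-z]+|\bMRN\s*\d+", re.I)
CONFIDENTIAL_RE = re.compile(r"\b(?:confidential|trade secret|internal only)\b", re.I)

def sort_query(text: str) -> Sensitivity:
    """Step 1: classify the query locally, before it goes anywhere."""
    if PERSONAL_RE.search(text):
        return Sensitivity.PERSONAL
    if CONFIDENTIAL_RE.search(text):
        return Sensitivity.CONFIDENTIAL
    return Sensitivity.PUBLIC

def cleared_set(level: Sensitivity) -> list:
    """Step 2: the models allowed to see data at this level."""
    return [m for m in MODELS if m.location in CLEARED[level]]

@dataclass
class Session:
    level: Sensitivity = Sensitivity.PUBLIC  # assumption: risk level is sticky

    def route(self, text: str) -> Model:
        """Step 3: best model in the cleared set, not cheapest or fastest."""
        self.level = max(self.level, sort_query(text))
        return max(cleared_set(self.level), key=lambda m: m.quality)
```

With this policy, a follow-up such as "What does that value mean?" stays on the device once an earlier message in the same session named a patient.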
The Speed Myth
The top pushback on privacy-routing is speed. Add a sorting layer, a filter, and a router — won’t that slow things down?
We tested it. Across 7,504 live API calls to three major model vendors, a full safety stack — sorter, filter, router, and audit log — added 0.2 to 0.36 of a thousandth of a second. That is less than two hundredths of one percent of total time. Token cost was zero.
Doing this right costs less than a rounding error.
The Money Bridge
Privacy-routing fixes the data problem. But there is a second problem that counts just as much: money.
When a lawyer visits LexisNexis, the deal is clear. A subscription. A seat fee. A charge per search. The lawyer reads the results and writes the brief.
When an agent visits for the lawyer, the model breaks. The agent might run 400 queries in ten minutes. It skips the ads. It does not browse. It grabs what it needs and moves on. What do you charge for that?
Every gated data source will face this within two years. The old economy has toll booths built for people. The new economy runs on agents that blow past them.
Someone needs to build the bridge. The pricing tools, the metering systems, the payment rails that let agents access gated content in a way that pays the source fairly and scales to millions of agent calls a day.
What CARE Does
The Center of Agentic Research and Education exists to solve these problems. We work in three areas.
We measure. We run open, repeatable tests on privacy-routing systems using real work, not fake benchmarks. Every claim is backed by code. Every result can be checked.
We build. We ship open-source tools — privacy sorters, model filters, audit loggers — that any team can use. Apache 2.0 licensed. Tested in production.
We guide. We give the facts that leaders, rule-makers, and standards groups need to make good choices about agents and private data.
The agentic future is not cloud-or-local. It is a routing problem. We intend to solve it.