arXiv: OCELOT: Inference-Leakage Budgets for Privacy-Preserving LLM Agents

As a senior EU regulatory compliance analyst, I summarize the following regulatory-relevant publication for compliance professionals.

This paper, OCELOT, introduces a new framework for measuring and controlling privacy leakage from large language model (LLM) agents during inference. It proposes "inference-leakage budgets," analogous to differential privacy budgets, to quantify how much sensitive information an LLM agent might inadvertently reveal through its outputs. This is a technical publication, not a binding regulation, but it directly addresses a critical gap in the EU AI Act's requirements for transparency and data protection, particularly for high-risk AI systems that process personal data.

Organizations deploying or developing LLM agents in regulated sectors—such as healthcare, finance, legal services, and customer-facing chatbots—are most affected. Any entity subject to GDPR or the EU AI Act that uses LLM agents to handle personal or confidential data should take note. The framework provides a practical tool for operationalizing the "data minimization" and "privacy by design" principles required by these regulations.

Compliance teams should immediately assess whether their current LLM agent deployments have any mechanism to track or limit inference leakage. Next, they should review their data protection impact assessments (DPIAs) to see if this new risk category is addressed. Finally, they should begin a technical evaluation of the OCELOT framework to determine if it can be integrated into their model governance and monitoring pipelines, particularly for high-risk use cases, to demonstrate proactive compliance with the AI Act's risk management obligations.