Sensitive AI workflow Ho Bae

Local Token Vault: Keeping the Mapping Inside the Boundary

capsule thumbnail local mapping inside boundary

A local token vault is the component that keeps the mapping between your real values and their structure-preserving stand-ins inside your own environment, so an AI workflow can run on substituted data while the key to restore it never crosses the enterprise boundary.

When AI runs on confidential data by substitution, one detail decides whether the approach is sound or theater: where the mapping lives. Send the model stand-ins for the sensitive values, and you still hold a table that links each stand-in back to the real thing. If that table travels, the substitution was pointless. The local token vault is where it stays put. The obligation is already written down: GDPR Article 32 requires technical and organizational measures appropriate to the risk, and names pseudonymization and encryption explicitly, and where the mapping lives decides whether the pseudonymization is real. The EU cybersecurity agency ENISA sets out the pseudonymisation techniques and best practices this relies on, where the protection is only as strong as the control kept over the mapping. Standards exist for exactly this substitution: NIST’s format-preserving encryption (SP 800-38G) transforms a value while keeping its original shape, so a stand-in still fits the field it came from.

Diagram: Mapping stays local

What a local token vault holds

During substitution, each sensitive value is swapped for a stand-in that keeps its shape: a company name becomes a consistent company-shaped token, a figure becomes a figure that holds its place in the table. Something has to remember that “Token 4471” was a specific counterparty and that a placeholder amount maps to a real one. That record is the mapping, and the local token vault is where it is stored and resolved.

The vault is deliberately narrow. It is not a general data store and not a place the model reaches into. It holds the correspondence between originals and stand-ins, nothing more, and it answers exactly one kind of request: given these stand-ins in a returned result, resolve them back to the real values, here, inside the environment that owns them.

Why the mapping has to stay local

The whole point of substitution is that the work leaves and the values do not. The mapping is the values, in a different form. A stand-in table you can resolve is functionally the sensitive data, so if it sits in an external service, you have simply moved the exposure one hop and called it safe.

Keeping the vault local closes that hop. The model receives structure it can reason over and never receives the key that would turn structure back into identities. Substitution on the way out and reconstruction on the way back both read from a vault that lives where your data already lives, whether that is a cloud tenant, an on-prem cluster, or an air-gapped network.

Design question Mapping held externally Local token vault
Does the key to real values leave? Yes No
Model reads a coherent task? Yes Yes
Result reconstructs in your context? Depends on the service Yes, locally
Works in an air-gapped network? No Yes

The vault and the enterprise boundary

The enterprise boundary is the line your data is not supposed to cross without a reason. Substitution lets useful work cross it while the values stay behind, and the local token vault is what makes that split honest rather than aspirational. Structure flows outward to the model; the mapping and the originals flow nowhere. Reconstruction happens on the inside, so the boundary is not a wall the workflow bounces off but a membrane that lets the task through and keeps the identities home.

This is what turns the pattern into a restorable AI data boundary. The result comes back inside and resolves against the real context, rather than leaving for good in a form someone has to translate by hand. Without a local vault, there is nothing to resolve against, and the returned answer stays keyed to tokens nobody recognizes.

Does your AI workflow keep the key at home?

Run your current confidential AI setup through these questions:

  • When you substitute sensitive values, where does the mapping physically live?
  • Could that mapping be resolved by anyone outside your environment?
  • Does reconstruction happen inside your systems, or in a third-party service?
  • Could the same workflow run unchanged in an air-gapped network?
  • If the mapping leaked, would the substitution still mean anything?

If the mapping lives anywhere but inside your boundary, the substitution is only as local as its weakest hop.

Where the local token vault fits

The local token vault is one piece of the mechanism behind sensitive AI workflow enablement. It holds the mapping created during substitute, execute, reconstruct, so the substitution step has somewhere safe to record its stand-ins and the reconstruction step has something to resolve against. In production these steps are delivered by a Context-Preserving Data Layer for AI, in CUBIG’s case LLM Capsule, which keeps the vault inside your environment and runs on the CUBIG Syntitan platform.

Diagram: External mapping vs local mapping
Diagram: Result resolves inside

In LLM Capsule the vault is not a diagram, it is where your real values live. The stand-ins go to the model while the originals never leave, and the mapping restores them locally when the result returns.


External AI. Originals never leave. CUBIG builds your AI data boundary. Contact CUBIG.

FAQ

What is a local token vault?

It is the component that stores and resolves the mapping between your real values and their structure-preserving stand-ins, kept inside your own environment so the key to restore identities never leaves the enterprise boundary.

Why must the mapping stay local?

The mapping is the sensitive data in another form. If it sits in an external service, the exposure has only moved one hop. Keeping the local token vault inside your boundary is what makes substitution honest.

Does a local token vault work in an air-gapped network?

Yes. Substitution and reconstruction both read from the vault where your data already lives, so the same workflow runs in cloud, on-prem, or air-gapped environments without change.

How does the vault relate to reconstruction?

Reconstruction resolves the model's stand-in result against the local token vault, turning tokens back into real values in their real context so the output is a finished document.