In early 2026, one developer shipped a local privacy firewall on Hacker News with a simple explanation: they'd "recently caught myself almost pasting a block of logs containing AWS keys into Claude." The solution was a local interceptor that scanned data before it reached any cloud model. Around the same time, OpenAI launched Privacy Filter — an open-weight model for detecting and redacting PII in text that developers can run locally or integrate into their pipelines. Two products, the same instinct — something is reaching the model that shouldn't. Both reflect the same architectural assumption: PII will get to the AI system, and the job is to catch it in transit or label it afterward. For single-turn LLM interactions with bounded scope, this is a reasonable posture. For agentic systems, it is not. Why Detection Works for Chatbots and Fails for Agents A single-turn LLM interaction is bounded in scope. A user sends a message. The model processes it. A response returns.…