Quiz Entry - updated: 2026.07.14
Why do the privacy techniques that work for tabular data break down for LLMs?
LLM data is unbounded text with unbounded per-document influence, sequential dependencies, interactive multi-turn use, and two attack surfaces (training and inference) — none of which classical DP assumptions hold for.
Classical privacy assumed tabular data: fixed rows/columns, fixed schemas, clear numerical/categorical bounds. LLMs violate every assumption:
| Structured data | LLM data | Privacy impact |
|---|---|---|
| Fixed records (rows) | Unbounded text (any sentence) | Can't enumerate the outcome space |
| Known sensitivity (±1) | Unbounded influence (one doc → ?) | Can't calibrate noise precisely |
| Independent records | Sequential dependencies | Can't randomize independently |
| Query once | Interactive (multi-turn) | Privacy budget depletes rapidly |
| Static data | Training + inference | Two attack surfaces |
The result: everything that made differential privacy tractable becomes intractable for LLMs.
Tip: A single document can change an LLM's behaviour in unbounded ways, and a multi-turn chat burns privacy budget fast. That's why "just add DP" doesn't save LLMs.