Sanitisation Engine

The Boundary Problem

When a role holder goes about their work, personal and institutional knowledge are intertwined. A meeting about a vendor contract might include sensitive personal opinions. A project retrospective might reference individual performance. A workaround discovered through painful personal experience might carry private context that does not belong in a shared memory store.

The Sanitisation Engine is responsible for resolving this boundary — extracting the institutional signal while protecting the personal, sensitive, and confidential content that should not persist in the role memory.

PII Detection and Removal

The first layer of sanitisation is automated detection and removal of personally identifiable information. This includes names in contexts where they represent individuals rather than roles, contact details, performance-related content, medical or personal circumstances, and any information that could identify a specific individual in ways that go beyond their professional role.

Sanitisation distinguishes between "James Okafor approved the vendor contract" (institutional — the role holder's decision is captured without personal identification) and "James mentioned he is considering leaving" (personal — flagged and excluded from the institutional memory).

Sensitivity Classification

Beyond PII, the Sanitisation Engine applies a sensitivity classification to all memory candidates:

• Institutional — safe to store: Decisions, lessons, and processes that belong to the role and are safe for successors to inherit.
• Sensitive — restricted access: Content that carries institutional value but requires restricted access controls — for example, details of a confidential negotiation or a commercially sensitive vendor arrangement.
• Personal — excluded: Content that belongs to the individual rather than the role and should not be stored in the institutional memory.
• Ambiguous — human review required: Content where the personal/institutional boundary is unclear, routed to the Human Validation Loop for a determination.

Personal Opinion vs Institutional Stance

A particularly important distinction is between personal opinion and institutional stance. A role holder's personal view of a vendor ("I find them difficult to work with") is not the same as the role's documented relationship with that vendor ("the vendor has a track record of missing SLA commitments — see incidents in Q2 and Q4"). The Sanitisation Engine is designed to preserve the latter while discarding or depersonalising the former.

Audit Trail

Every sanitisation decision — what was removed, what was retained, and what was sent for human review — is recorded in an audit trail. This supports regulatory compliance, allows for review and correction, and gives organisations visibility into what the sanitisation process is doing with the content it processes.