The claim worth examining
Private LLM is one of the most overloaded phrases in enterprise AI. Vendors use it to mean self-hosted open weights, a dedicated cloud instance, an API with a no-training data clause, or simply a chat tool with single sign-on. These are different things with different guarantees. This analysis separates the deployment models, looks at what each one actually promises about your data, and draws the practical conclusion: privacy is a property of how a model is governed in operation, not a label you can take at face value.
Four deployment models people call private
Self-hosted open weights: you run the model on infrastructure you control, so prompts never leave your environment, at the cost of operating the stack yourself. Dedicated or single-tenant cloud: a provider runs an instance isolated to you, which reduces noisy-neighbor exposure but still depends on the provider's controls. Commercial API with contractual protections: you call a shared model, and privacy rests on the terms, for example data not being used for training. Governed gateway in front of any of the above: prompts are inspected and redacted before they reach the model regardless of where it runs. The first three describe where the model lives. The fourth describes how the data path is controlled, and it composes with the others.
What each model actually guarantees
Self-hosting gives the strongest locality guarantee but no automatic guarantee about misuse, leakage between internal teams, or audit. A dedicated instance narrows the blast radius but inherits the provider's security posture. A commercial API can be appropriate when the contract is sound: major providers now state in their enterprise terms that business API and enterprise data are not used to train their models by default, which is a meaningful protection but a contractual one, not a technical boundary you operate. The recurring error is to treat the deployment location as the whole privacy story when the data leaving a prompt is the real exposure.
Where the conflation causes risk
Two failures are common. First, a team self-hosts a model and assumes the work is done, then ships prompts full of customer PII between systems with no redaction or audit, so private infrastructure still produces a governance gap. Second, a team rules out a capable commercial model on privacy grounds without reading the enterprise data terms, and ends up self-operating a weaker model with worse real security. Both come from equating private with a single deployment choice instead of asking what controls run on the data path.
The governing principle
Privacy for LLMs is best treated as a runtime property. Wherever the model runs, enforce control at the point of use: redact sensitive data before a prompt leaves your boundary, restrict which models each identity may reach, block disallowed requests fail-closed, and audit every call. This is the practice Difinity implements as a unified gateway, so the same governance applies whether the model behind it is self-hosted, dedicated, or a commercial API. The deployment choice becomes a cost and performance decision rather than the only thing standing between your data and exposure.
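The four controls named above, as an added sketch that is not Difinity's code or any vendor's API: the identities, model names, regex rules and in-memory audit list are constructed for illustration. It shows per-identity model allow-listing, redaction before the prompt leaves the boundary, fail-closed handling when a control itself errors, and one audit record per call.

```python
import hashlib
import re
import time

# Constructed policy: which models each identity may reach (names are hypothetical).
ALLOWED_MODELS = {
    "svc-support-bot": {"selfhosted-llm"},
    "analyst@example.com": {"selfhosted-llm", "commercial-api"},
}

# Constructed redaction rules; a real deployment needs a fuller PII detector.
REDACTIONS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]

AUDIT_LOG = []  # stand-in for an append-only audit sink


def redact(prompt):
    """Replace each sensitive match with a typed placeholder; return text and counts."""
    counts = {}
    for label, pattern in REDACTIONS:
        prompt, n = pattern.subn(f"[{label}]", prompt)
        if n:
            counts[label] = n
    return prompt, counts


def govern(identity, model, prompt, redactor=redact):
    """Return (allowed, outbound_prompt). Any denial or control error blocks the call."""
    allowed, outbound, reason, counts = False, None, "error", {}
    try:
        if model not in ALLOWED_MODELS.get(identity, set()):
            reason = "model_not_allowed"  # unknown identities land here too
        else:
            outbound, counts = redactor(prompt)
            allowed, reason = True, "ok"
    except Exception as exc:  # fail closed: a broken control never forwards raw text
        outbound, reason = None, f"control_error:{type(exc).__name__}"
    finally:
        AUDIT_LOG.append({
            "ts": time.time(), "identity": identity, "model": model,
            "allowed": allowed, "reason": reason, "redactions": counts,
            # Store a hash, not the prompt, so the audit trail is not a second PII store.
            "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        })
    return allowed, outbound
```

Only the `outbound` value returned with `allowed == True` should ever be forwarded to a model; the caller treats every other result as a block.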
References
OpenAI enterprise privacy and API data usage policy (business data not used to train models by default). Anthropic commercial terms on customer data and training. NIST AI Risk Management Framework (AI RMF 1.0) on data governance and traceability. NIST SP 800-207 on zero trust as a model for per-request access control. These sources describe contractual and architectural protections that complement, rather than replace, runtime enforcement on the data path.
Frequently asked questions
Does a private LLM mean self-hosted?
Not necessarily. Private is used for self-hosted open weights, dedicated cloud instances, commercial APIs with no-training terms, and governed chat tools. They offer different guarantees, so the label alone does not tell you how your data is protected.
Is a commercial API ever private enough for the enterprise?
It can be when the contract is sound and the data path is governed. Major providers state that enterprise and business API data is not used for training by default; pairing that with redaction and audit at a gateway closes the remaining gap.
What makes an LLM deployment genuinely private?
Runtime control of the data path: redacting sensitive data before it reaches the model, restricting model access by identity, blocking disallowed requests fail-closed, and auditing every call, applied wherever the model runs.