ISM-2123 ASD Information Security Manual (ISM)

Delete AI Chat Session Prompts and Outputs

When a chat session is removed from an AI application, every prompt and output associated with that session is securely and unrecoverably deleted from all locations it was stored in.


Plain language

When someone deletes a chat session in an AI application, the questions they typed and the answers the model gave must not just disappear from the screen. They must be permanently and unrecoverably wiped everywhere a copy was kept. That includes caches, backups, log files, any store used to fine-tune or train the model, and any vector index or database that holds the conversation for retrieval. The aim is that no copy of the prompts or outputs can be recovered once the session is removed.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

19 June 2026

E8 maturity levels

N/A

Official control statement

All prompts and outputs associated with chat sessions are securely deleted when chat sessions are removed from AI applications.

Why it matters

If session prompts and outputs are only removed from the visible session list but linger in caches, backups, log files, fine-tuning or training datasets, or RAG vector indexes, that data stays recoverable after a user believes it is gone. Sensitive content typed into prompts (credentials, personal information, intellectual property) can later be retrieved from those secondary stores, resurface in model outputs to other users, or be exposed in a breach of a backup or log archive, defeating the user's deletion request and the organisation's retention controls.


Operational notes

Maintain an inventory of every place chat prompts and outputs come to rest (the primary session datastore, application and inference caches, log pipelines, backup snapshots, any fine-tuning or training corpus, and RAG vector indexes or embedding databases) and tie a deletion action in each to the session-removal event.

Where a store cannot be edited in place, define a compensating control and record the result as accepted residual exposure. For immutable backups and replicas this can be crypto-shredding the per-session encryption key, or a backup expiry window after which the data is purged. Destroying a key does nothing for prompts that have already been absorbed into trained model weights, so the workable control there is to keep session content out of training and fine-tuning corpora in the first place and to record any model already trained on it as an exposure that deletion cannot reverse.

Re-test deletion after every change to the AI application's storage architecture, third-party model provider, or backup tooling, because new caches or replicas are easily introduced. Confirm with the model or platform provider in writing how they handle deletion of prompts and outputs they hold on your behalf, including any retention for abuse-monitoring.


Implementation tips

  • Map every store that holds chat prompts and outputs (primary session database, application and inference caches, log sinks, backup snapshots, any fine-tuning/training corpus, and the RAG vector index or embedding database) then wire the session-removal action to trigger a delete in each one.
  • Configure the session datastore and caches to hard-delete records (cryptographic erase, or overwrite only where the storage medium is known to honour it) rather than a soft delete or a "deleted" flag. A row delete in many databases leaves the bytes in place until compaction or vacuum runs, and overwriting is unreliable on SSDs and cloud-managed storage, so key destruction is the dependable option. Set short TTLs on caches so prompt/output copies expire automatically.
  • On session removal, issue a delete against the RAG vector index/embedding database keyed by the session or source identifier so embeddings generated from that conversation are removed or invalidated and can no longer surface in retrieval.
  • Encrypt each session's prompts and outputs with a per-session key, and on deletion destroy that key (crypto-shredding) so any residual copies in immutable backups or replicas become unrecoverable.
  • Set a bounded retention/expiry window on backups and replicas that contain session data, and document it so any copy of a deleted session is automatically purged within that window.
  • Configure or contract the third-party model provider to delete the prompts and outputs they store and to exclude them from training/fine-tuning, and pull prompt/output text out of, or redact it from, application and audit logs so deletion of the session also clears those log copies.

Audit / evidence tips

  • Pick a known test session, delete it, then query the primary session store, application cache and inference cache for its prompts and outputs; confirm none can be returned after deletion.
  • Inspect the RAG vector index or embedding database for embeddings derived from a deleted session (search by source-document or session identifier) and confirm those vectors are removed or invalidated so the deleted content can no longer be retrieved.
  • Restore the most recent backup containing a session deleted before the backup expiry window and search the restored copy for that session's prompts/outputs; where data is found, confirm a documented compensating control (crypto-shred of the per-session key or a stated expiry window) renders it unrecoverable.
  • Review the log pipeline and trace whether full prompt and output text is written to application, inference or audit logs; if so, confirm those log records for a deleted session are purged or redacted on the same trigger.
  • Examine the fine-tuning/training data pipeline to confirm prompts and outputs from removed sessions are excluded or scrubbed from training corpora, and check provider settings or contract terms confirming the model vendor does not retain deleted prompts for training.
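The implementation tips and the audit tips above describe one procedure from two sides: fan the session-removal event out to every store, fall back to crypto-shredding where a store cannot be edited, then delete a known test session and query each store to prove nothing recoverable remains. The following added example (not code from the page, the ISM, or any product) models that procedure end to end. Everything in it is an assumption for illustration: AIApp, KeyStore, SessionStore, TTLCache, VectorIndex and ImmutableBackup are hypothetical in-memory stand-ins for a real session database, cache, embedding database and backup snapshot; an HMAC-SHA256 counter-mode cipher stands in for a real AEAD such as AES-GCM so the example runs on the standard library; and the "embedding" is a hash prefix whose only relevant property is that it is stored with the session id.

```python
import hashlib
import hmac
import os
import time


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM so the example runs offline.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def readable(key, blob):
    """True if blob decrypts under key; False once the key is shredded (crypto-shredding)."""
    try:
        return key is not None and decrypt(key, blob) is not None
    except ValueError:
        return False

class KeyStore:
    """One key per session; shred() is the compensating control for stores with no delete()."""
    def __init__(self): self._keys = {}
    def key_for(self, sid): return self._keys.setdefault(sid, os.urandom(32))
    def get(self, sid): return self._keys.get(sid)
    def shred(self, sid): self._keys.pop(sid, None)

class SessionStore:
    def __init__(self): self.rows = {}
    def put(self, sid, blob): self.rows.setdefault(sid, []).append(blob)
    def blobs(self, sid): return list(self.rows.get(sid, []))
    def delete(self, sid): self.rows.pop(sid, None)  # hard delete, not a soft-delete flag

class TTLCache:
    def __init__(self, ttl, clock=time.monotonic): self.ttl, self.clock, self.items = ttl, clock, {}
    def put(self, sid, blob): self.items.setdefault(sid, []).append((self.clock() + self.ttl, blob))
    def blobs(self, sid): return [b for exp, b in self.items.get(sid, []) if exp > self.clock()]
    def delete(self, sid): self.items.pop(sid, None)

class VectorIndex:
    """Rows carry the session id as metadata so embeddings can be deleted by session."""
    def __init__(self): self.entries = []  # (session_id, vector, blob)
    def put(self, sid, vector, blob): self.entries.append((sid, vector, blob))
    def blobs(self, sid): return [b for s, _, b in self.entries if s == sid]
    def delete(self, sid):  # drop the vector too: embeddings can be inverted toward their text
        self.entries = [e for e in self.entries if e[0] != sid]

class ImmutableBackup:
    """Append-only snapshot with no delete(); only shredding the key makes its rows unreadable."""
    def __init__(self): self.rows = []
    def put(self, sid, blob): self.rows.append((sid, blob))
    def blobs(self, sid): return [b for s, b in self.rows if s == sid]

class AIApp:
    def __init__(self, cache_ttl=300, clock=time.monotonic):
        self.keys = KeyStore()
        # The inventory of resting places the control asks for; a new store must be added here.
        self.stores = {"session_store": SessionStore(), "cache": TTLCache(cache_ttl, clock),
                       "vector_index": VectorIndex(), "backup": ImmutableBackup()}

    def record_turn(self, sid, prompt, output):
        blob = encrypt(self.keys.key_for(sid), f"{prompt}\n{output}".encode())
        vector = hashlib.sha256((prompt + output).encode()).digest()[:4]  # stand-in embedding
        for name, store in self.stores.items():
            if name == "vector_index":
                store.put(sid, vector, blob)
            else:
                store.put(sid, blob)

    def remove_session(self, sid):
        """Session-removal event: hard-delete wherever possible, then shred the session key."""
        for store in self.stores.values():
            if hasattr(store, "delete"):
                store.delete(sid)
        self.keys.shred(sid)

    def audit(self, sid):
        """Per store, how many copies remain and whether any plaintext is still recoverable."""
        key = self.keys.get(sid)
        return {name: {"copies": len(store.blobs(sid)),
                       "recoverable": any(readable(key, b) for b in store.blobs(sid))}
                for name, store in self.stores.items()}
```

The audit report is the evidence the tips ask for: after remove_session, every store that supports deletion reports zero copies, while the immutable backup still reports its ciphertext copies but marks them unrecoverable because the per-session key is gone. That residual count is exactly what should be recorded as accepted exposure alongside the backup expiry window. A real system would replace the stand-in cipher with an AEAD from a vetted library, the dict-backed stores with the actual session database, cache, vector database and backup API calls, and would also cover log sinks and any provider-held copies, which this model omits.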

Cross-framework mappings

How ISM-2123 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.10 (Information deletion)
Notes: Partially meets (1)
Details: ISM-2123 requires that all prompts and outputs associated with AI chat sessions are securely deleted when the chat session is removed fro...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
