David Tsao, Notion Labs, Inc.
Most LLM agents over private data have a dangerous shape: the same model reads untrusted instructions, sees sensitive context, and speaks to the outside world. It is like handing a press secretary every private email, incident note, and salary spreadsheet, then hoping a policy memo keeps secrets safe.
Causal Isolation Architecture treats leakage as a systems design failure, not a prompt-writing failure. It splits the lethal trifecta across isolated components, passes only typed abstractions across boundaries, and uses a rule-of-two release judge to preserve useful private-derived guidance while stripping exact facts based on requester trust and source sensitivity.
The key lesson: safety without utility becomes a refusal machine. In our bounded real-model matrix, claim-eligible OpenAI and Anthropic rows showed 0.0% observed secure-path leakage with 83-100% measured utility; matching single-agent baselines leaked private facts. The talk shows the demo, tradeoffs, and limits.
David Tsao is Notion's Chief Information Security Officer (CISO), leading the teams responsible for Platform Security, IT, and Security Engineering. With 20+ years of experience building security culture and risk-based security programs across high-growth SaaS and large enterprises, he partners closely with company leadership to strengthen Notion's security posture and protect customers' data. Prior to Notion, David held CISO and senior security leadership roles at Instacart, Marqeta, BYTON, and Veeva Systems, and spent more than a decade at Gilead Sciences building enterprise security and privacy programs; he is also a CISSP and advises startups as a venture advisor.
