SecureGate: Learning When to Reveal PII Safely via Token-Gated Dual-Adapters for Federated LLMs
Mohamed Shaaban, Mohamed Elmahallawy

TL;DR
SecureGate introduces a dual-adapter framework with token-controlled gating for federated LLM fine-tuning, balancing privacy preservation of PII with high task utility.
Contribution
It presents a novel dual-adapter LoRA architecture and gating mechanism that enable controlled information disclosure during inference without retraining.
Findings
Reduces inference attack accuracy by up to 31.66X.
Achieves a 17.07X reduction in extraction recall for unauthorized requests.
Maintains 100% routing reliability with minimal overhead.
Abstract
Federated learning (FL) enables collaborative training across organizational silos without sharing raw data, making it attractive for privacy-sensitive applications. With the rapid adoption of large language models (LLMs), federated fine-tuning of generative LLMs has gained attention as a way to leverage distributed data while preserving confidentiality. However, this setting introduces fundamental challenges: (i) privacy leakage of personally identifiable information (PII) due to LLM memorization, and (ii) a persistent tension between global generalization and local utility under heterogeneous data. Existing defenses, such as data sanitization and differential privacy, reduce leakage but often degrade downstream performance. We propose SecureGate, a privacy-aware federated fine-tuning framework for LLMs that provides fine-grained privacy control without sacrificing utility. SecureGate…
