The redaction layer: how expert networks are building MNPI-aware transcript masking for LLM ingestion

Expert networks spent 2025 and 2026 wiring their transcript libraries into the agent stack. Guidepoint opened a Model Context Protocol server exposing more than 100,000 transcripts to Anthropic's Claude. GLG routed expert content into Bloomberg's ASKB. Aiera assembled a consortium platform pushing broker research and expert calls into agent surfaces. Each integration is technically a retrieval connector. Operationally, it is a regime change for how material non-public information gets governed.

We read this shift as the emergence of a new layer in the expert-network technology stack: automated, policy-tagged redaction applied at ingestion time, with its own vendors, schemas, and audit artifacts. The old compliance question, was this call properly moderated, is being displaced by a harder one. What gets masked before the chunk reaches the model, and can the masking be re-applied per client entitlement at retrieval time. The answer to that question is the precondition for the next wave of MCP rollouts, not a downstream cleanup.

The artifact that does not survive retrieval

For most of the post-Galleon decade, expert-network compliance was an artifact problem. A human moderator joined the call, flagged anything that smelled material and non-public, and the post-call transcript was scrubbed before client delivery. The compliance posture lived inside that single document. Either the transcript was clean, or it was not delivered.

That model assumed a one-to-one relationship between a call and a reader. An analyst at a hedge fund asked for the transcript of one call on one company, and the compliance team's job was to make sure that one artifact was defensible.

MCP breaks the assumption. When 100,000 transcripts sit behind a retrieval endpoint that Claude can query, no single artifact is being delivered to any single reader. The agent pulls fragments. It recombines them across calls, across companies, across quarters. A question about supply-chain stress at a specific contract manufacturer can pull a paragraph from one expert call, cross-reference it with a paragraph from another call on a different company, and surface a synthesis that neither original transcript contained.

The surface area for inadvertent MNPI synthesis expands accordingly. A paragraph that was non-material in isolation, because it lacked a company identifier, can become material when an agent joins it to another paragraph that supplies the identifier. The post-hoc redaction model has no view into that join. It cannot redact what it cannot see being assembled.

The practical consequence is that the redaction policy has to move upstream, to the point where chunks are written to the vector index, and it has to be machine-applied rather than human-moderated. The artifact is no longer a transcript. The artifact is a policy.

What the redaction layer actually does

The layer we are describing sits between transcript storage and the embedding pipeline. It is not a single product yet, and the field is unsettled enough that vendors describe their work in different vocabulary. The functional decomposition, as we read it from the publicly disclosed integrations, has four parts.

Entity detection is the first. Names of individuals, company names, tickers, product codenames, deal codenames, customer references, and supplier references all need to be identified in the raw transcript. This is where PII-redaction infrastructure from vendors such as Private AI, Skyflow, and Tonic Textual is finding adjacent demand. Their detection models were trained on healthcare and consumer financial data, but the underlying named-entity-recognition problem is structurally similar to expert-call redaction.

Materiality classification is the second and harder part. Detecting that a string is a ticker is straightforward. Deciding whether the surrounding paragraph contains material information about the issuer behind that ticker requires either rule sets that encode the expert network's compliance policy or a classifier trained on labeled examples. Networks that have spent years building human-moderator playbooks have a corpus advantage here, because their historical redaction decisions are training data.

Policy tagging is the third. A given chunk is not simply redacted or not redacted. It is tagged with the policy that applies , which clients can see the unredacted version, which see a partial mask, which see only a fully redacted version. Entitlement varies. A long-standing client with a tested compliance relationship may have access to material that a new client does not. The tagging schema becomes part of the retrieval layer's authorization model.

Audit logging is the fourth. Every retrieval needs to record which client, which agent, which query, which chunks were returned, which masking version was applied. Regulators have not yet asked for this in the form an agent surface produces, but the historical pattern from FINRA's expert-network guidance is that audit expectations track operational reality with a lag. The networks building MCP surfaces today are building the audit infrastructure they will be asked about in 2027.

Why this is now a vendor category

Three forces are converging to make redaction-at-ingestion a distinct technical category with its own buyers, sellers, and budgets, rather than a feature inside the compliance team.

The first is the volume problem. Human moderators scale linearly with calls. A network running tens of thousands of calls a year can staff a moderation function. A network exposing a transcript library to an agent that may issue millions of retrievals a year cannot staff a moderation function for every retrieval. The cost structure has to shift to a one-time-at-ingestion model where the policy is encoded once and applied automatically per retrieval.

The second is the entitlement problem. Different clients have different access. A retrieval surface that returns the same chunks to every querying agent collapses the entitlement model that the network's commercial relationships rely on. The redaction layer becomes the place where entitlement is enforced at chunk granularity, which is finer than the per-transcript granularity the old delivery model used.

The third is the regulatory documentation problem. The EU AI Act's general-purpose model transparency rules, with key obligations taking effect in August 2026, impose documentation duties on the datasets used to train and ground large models. Expert-network transcripts feeding a retrieval system fall inside that scope when the consuming model is offered in the EU. The networks need a defensible record of what was in the index, what policy was applied, and which chunks were available to which downstream agent.

The combination of those three forces is why the layer is becoming a category rather than a feature. A feature is something a compliance team builds once. A category is something procurement evaluates, contracts annually, and benchmarks against alternatives.

The vendor map, as we read it

The market is forming around three clusters, and the boundaries between them are still moving.

The networks themselves , Guidepoint, Third Bridge, AlphaSights , have published compliance posture updates through 2025 and 2026 framing their internal moderation tooling as a defensible artifact for MCP exposure. Their advantage is the corpus of historical moderation decisions and the institutional knowledge of the policy nuance that distinguishes a material disclosure from a colorable one. Their disadvantage is that internally-built tooling is hard to sell as a standalone product, and their commercial incentive is to embed the layer inside their network rather than to offer it as infrastructure to peers.

The agent-adjacent platforms , Aiera, AlphaSense , sit between the transcript producers and the agent surfaces. Their natural position is to offer a unified retrieval layer that ingests transcripts from multiple sources and applies a normalized redaction and entitlement model. AlphaSense's existing posture as a search surface over earnings calls, broker research, and expert content gives it a head start on the heterogeneity problem. Aiera's consortium content platform extends that posture to the multi-source agent case.

The PII-redaction infrastructure layer , Private AI, Skyflow, Tonic Textual , provides the detection-and-masking primitives that the other clusters can build on. Their pitch is horizontal: the same engine that redacts patient names from medical transcripts can redact executive names from expert calls, with policy customization. The risk for them is that the materiality classification problem in finance is unlike the PII problem in healthcare, and the horizontal model may stop at entity detection while the network or the platform owns the policy.

Our read is that the equilibrium settles with PII infrastructure providing detection primitives, agent-adjacent platforms providing the policy and entitlement layer, and networks providing the policy authoring tools and the audit artifact. Whether that lands as three contracts or one bundled contract is the open commercial question.

What the integrations to date actually tell us

The public integrations are early, and reading them as finished architectures is a mistake. Guidepoint's Claude MCP server is the most visible artifact. The structural choice , exposing the transcript library through MCP rather than through a bespoke API , accepts Anthropic's protocol as the integration standard and shifts the engineering burden toward the data side of the connection.

The GLG-into-ASKB pattern is different. Bloomberg's terminal-side surface is the consumer, and GLG is the producer. The redaction policy presumably lives somewhere between the two, and the commercial terms encode who is responsible for what version of the masking. The Aiera consortium model is different again: multiple producers, one platform, one agent-facing surface, with the redaction layer presumably normalized across producers.

Three integration patterns, three different placements of the redaction layer. The layer is the same architectural problem in each case, but the commercial and operational geometry differs. That divergence is what tells us the category is forming. A mature category has one or two dominant patterns. A forming category has three patterns competing for the standard position.

Three scenarios for how this plays out

We see three plausible paths over the next 18 to 24 months.

The first is consolidation around a horizontal standard. A redaction-layer specification emerges, possibly as an extension of MCP or a sibling protocol, that lets any transcript producer expose policy-tagged chunks to any agent consumer with a normalized entitlement and audit format. This is the cleanest engineering outcome and the slowest commercial one, because it requires the networks to agree on a schema for materiality tags, which has historically been the layer where they differentiate.

The second is network-owned silos. Each major network exposes its transcripts only through its own MCP surface, with its own redaction policy and its own audit artifact. Agents wire in to each surface separately. This is the path of least short-term resistance and the highest long-term integration cost for the consuming side. It also concentrates the audit risk in the network, which may not be where the network wants it.

The third is platform aggregation. A small number of agent-adjacent platforms , AlphaSense, Aiera, possibly Bloomberg , emerge as the de facto redaction-and-entitlement layer, ingesting transcripts from multiple networks and exposing a single surface to agents. The networks become content suppliers to a small number of distribution platforms. Margin shifts toward the platform layer. This is the pattern that other content categories , broker research, market data, news , have already followed.

The base case, in our reading, is closest to the third path with elements of the second. Networks retain direct MCP surfaces for their largest clients, where the commercial relationship justifies the integration cost, and aggregate through platforms for the long tail. The redaction layer ends up implemented twice: once inside each network for the direct path, once inside each platform for the aggregated path, with overlapping but non-identical policy schemas.

Who carries the regulatory weight

The regulatory frame is bilateral and asymmetric. On the US side, the SEC and FINRA have flagged expert-network MNPI risk repeatedly since the Galleon-era cases, and the framework is enforcement-driven rather than prescriptive. A network exposing transcripts via MCP is not subject to a new rule. It is subject to the existing rules applied to a new operational reality, with enforcement risk concentrated on whichever participant in the chain is judged to have controlled the disclosure.

On the EU side, the AI Act's general-purpose model rules are prescriptive and documentation-heavy. From August 2026, model providers face obligations on training data documentation, and a chain that grounds Claude on expert-network transcripts implicates both the model provider and the transcript supplier. The redaction layer's audit artifact becomes part of how a supplier demonstrates that the chunks released for grounding were appropriately scoped.

The two regimes pull the layer in compatible but not identical directions. The US frame pushes toward defensible policy authoring and traceable enforcement decisions. The EU frame pushes toward documented dataset scoping and dataset-level transparency. A redaction layer that satisfies both is heavier than one that satisfies either, and the networks building today are building for the heavier specification.

What we would ask a network's head of compliance

A research analyst evaluating an expert-network MCP relationship today should be asking specific operational questions rather than accepting general posture statements. Five we would put on the list:

• At what point in the pipeline is materiality classification applied, and is the classifier rule-based, model-based, or hybrid? A network that cannot describe the architecture has not built one.
• How is the entitlement model expressed at chunk granularity, and can a client audit which chunks were available to its agent on a given date?
• What is the policy versioning model? When the redaction policy changes, does the existing index get reprocessed, or do older chunks retain their original masking?
• How is the audit log surfaced to the client and to regulators, and what retention applies?
• Which retrieval surfaces is the transcript library exposed through, and is the redaction policy normalized across them, or does each surface carry its own policy?

The quality of the answers maps closely to the maturity of the redaction layer. A network that can answer all five with specificity has built a real layer. A network that answers in generalities has not yet, regardless of which MCP surface it has lit up.