To address the privacy risk wherein large language models (LLMs) inadvertently memorize and leak personally identifiable information (PII), this paper proposes a paradigm shift: transforming model memory from a “source of risk” into a “resource for defense.” Methodologically, we introduce the first end-to-end memory manipulation framework—leveraging gradient-based analysis to precisely localize PII-associated memory traces, performing parameter-level knowledge editing, and validating efficacy via closed-loop evaluation under privacy attacks. Our core contribution is the conceptual and technical realization of “memory-as-defense,” transcending conventional mitigation strategies reliant solely on data sanitization or full-model fine-tuning. Experiments across diverse configurations demonstrate substantial reductions in PII leakage; in several settings, adversarial PII extraction accuracy drops to zero, while language modeling performance remains fully preserved.

Large Language Models (LLMs) memorize, and thus, among huge amounts of uncontrolled data, may memorize Personally Identifiable Information (PII), which should not be stored and, consequently, not leaked. In this paper, we introduce Private Memorization Editing (PME), an approach for preventing private data leakage that turns an apparent limitation, that is, the LLMs' memorization ability, into a powerful privacy defense strategy. While attacks against LLMs have been performed exploiting previous knowledge regarding their training data, our approach aims to exploit the same kind of knowledge in order to make a model more robust. We detect a memorized PII and then mitigate the memorization of PII by editing a model knowledge of its training data. We verify that our procedure does not affect the underlying language model while making it more robust against privacy Training Data Extraction attacks. We demonstrate that PME can effectively reduce the number of leaked PII in a number of configurations, in some cases even reducing the accuracy of the privacy attacks to zero.