Blog
Notes from the scanner.
What we ship, what we find in the payload corpus, and what text-only PI defenders miss. Long-form pieces on threat modelling, attack deep-dives, and integration patterns.
Latest posts
-
Petroleum Refinery FCC AI Security · UOP Honeywell FCC APC AI · Shell Global Solutions FCC Optimizer AI · KBR Orthoflow Regenerator AI · Emerson DeltaV FCC AI · AspenTech DMC3 FCC AI · API RP 571 FCC Afterburn · OSHA PSM 29 CFR 1910.119 · ExxonMobil Torrance 2015 · Glyphward threshold 35 · 2026-06-22
FCC regenerator CO afterburn AI adversarial injection: how ±8 DN in the rendered regenerator temperature display suppresses a CO afterburn approach — and why API RP 571 has no adversarial robustness criterion for FCC advanced process control AI classifying rendered regenerator monitoring displays
A ±8 DN adversarial pixel shift in the rendered FCC regenerator dense bed temperature display suppresses 752°C — 22°C above the normal operating window upper limit, dilute phase already at 762°C and 2°C above the CO afterburn initiation threshold — to appear as 718°C: normal FCC regenerator operation, no afterburn response required, no slide valve fault correction initiated. CO afterburn proceeds unchecked; dilute phase temperature rises at 20–60°C per minute; refractory spalling begins at 900°C; cyclone anchor bars approach creep failure within 10–20 minutes of undetected initiation. The ExxonMobil Torrance California refinery FCC unit explosion of 18 February 2015 — in which an uncontrolled pressure relief event during ESP maintenance scattered fragments across the refinery and produced a near-miss with the adjacent HF alkylation unit; the CSB concluded a direct HF release could have affected up to 125,000 surrounding residents — establishes the community-scale consequence potential of FCC unit monitoring boundary failures. API RP 571 and OSHA PSM 29 CFR 1910.119 have no adversarial robustness criterion for AI classifying rendered FCC regenerator monitoring displays. Glyphward threshold 35.
-
Petroleum Refinery CDU AI Security · UOP Honeywell CDU Overhead AI · Yokogawa Centum VP CDU AI · Emerson DeltaV APC Overhead AI · AspenTech DMC3 AI · API RP 571 HCl Corrosion · API RP 584 Integrity Operating Windows · OSHA PSM 29 CFR 1910.119 · NACE SP0403 · Chevron Richmond 2012 · Glyphward threshold 35 · 2026-06-21
Crude oil CDU overhead HCl corrosion AI adversarial injection: how ±8 DN in the rendered bootstrap water pH display suppresses a corrosion approach — and why API RP 584 Integrity Operating Windows has no adversarial robustness criterion for CDU overhead monitoring AI
A ±8 DN adversarial pixel shift in the rendered CDU overhead bootstrap water pH display suppresses pH 4.3 — 1.2 units below the NACE SP0403 lower specification limit of 5.5, approaching the API RP 584 Critical IOW limit of 5.0, corresponding to a carbon steel corrosion rate of 8–15 mm/year — to appear as pH 5.8: controlled, within specification, no IOW limit approach detected. Aqueous HCl continues to corrode carbon steel overhead piping at 8–15 mm/year undetected. The Chevron Richmond refinery fire of 6 August 2012 — 19 workers directly exposed, approximately 15,000 community members sought medical attention, refinery shut down 8 months — was caused by a structurally identical CDU corrosion monitoring failure: corrosion data existed but the classification layer did not map it to the API RP 571 damage mechanism threshold. API RP 571, API RP 584, OSHA PSM 29 CFR 1910.119, and NACE SP0403 have no adversarial robustness criterion for AI classifying rendered CDU overhead monitoring displays. Glyphward threshold 35.
-
Offshore Drilling Well Control AI Security · Transocean WITS-ML AI · Halliburton DecisionSpace Well Control AI · Baker Hughes BEACON AI · NOV RigSense AI · BSEE Well Control Rule 30 CFR Part 250 · API RP 96 · NORSOK D-010 · BP Macondo 2010 · Glyphward threshold 30 · 2026-06-21
Subsea wellhead NPT AI adversarial injection: how ±8 DN in the rendered negative pressure test chart suppresses a definitively failed well integrity test — and why BSEE Well Control Rule 30 CFR Part 250 has no adversarial robustness criterion for well control monitoring AI
A ±8 DN adversarial pixel shift in the rendered NPT drill pipe pressure chart causes well control monitoring AI to classify a definitively failed negative pressure test as a passed test — the same failure mode that preceded the BP Macondo Deepwater Horizon blowout (11 killed, 17 injured, 4.9 million barrels, $65B+ total costs). Transocean WITS-ML well control monitoring AI, Halliburton DecisionSpace Well Control AI, Baker Hughes BEACON AI, NOV RigSense AI in scope. BSEE Well Control Rule 30 CFR Part 250 requires NPT procedures but specifies no adversarial robustness criterion for AI classifying rendered NPT chart displays, pit volume trend monitors, or mud weight return displays. Four surfaces: NPT drill pipe pressure chart AI; kill line pressure display AI; pit volume totaliser trend AI; gas-cut mud weight return display AI. Glyphward threshold 30.
-
Arc Flash AI Security · Flir Arc Flash Thermal Camera AI · Schneider Electric EcoStruxure Power Advisor AI · Eaton Power Xpert AI · SKM PTW Arc Flash AI · NFPA 70E-2021 · IEEE 1584-2018 · OSHA 29 CFR 1910.333 · Glyphward threshold 35 · 2026-06-21
Arc flash incident energy AI adversarial injection: how ±8 DN in the rendered PPE category display misclassifies a Category 3 arc flash hazard as Category 2 — and why NFPA 70E-2021 has no adversarial robustness criterion for the IEEE 1584-2018 arc flash analysis AI
A ±8 DN adversarial pixel shift in the rendered arc flash study PPE category display causes arc flash analysis AI — Flir Systems arc flash thermal camera AI, Schneider Electric EcoStruxure Power Advisor AI, Eaton Power Xpert arc flash management AI, SKM Systems PTW arc flash report AI — to misclassify a 480 V switchgear position with 18.4 cal/cm² calculated incident energy (Category 3, minimum arc rating 25 cal/cm²) as Category 2 (minimum arc rating 8 cal/cm²). The worker dons a Category 2 arc flash suit rated at 8 cal/cm² for an energised switching task. When an arc flash event occurs, the 8 cal/cm² arc suit is exposed to 18.4 cal/cm² — the energy breakopen threshold (EBT) is exceeded by 10.4 cal/cm², the arc-rated fabric develops holes in milliseconds, cotton underlayers ignite in direct contact with the skin, and third-degree contact burns result. ESFI (Electrical Safety Foundation International) documents approximately 400 arc flash fatalities per year and 2,000 arc flash burn injuries requiring hospital treatment per year in the United States. Four adversarial injection surfaces: PPE category calculation display AI (±8 DN shifts Category 3 orange cell to Category 2 yellow → worker in 8 cal/cm² PPE at 18.4 cal/cm² event → EBT exceeded → third-degree burns), arc flash thermal camera incident energy monitoring AI (±8 DN suppresses 145°C hot-spot from critical to normal → PPE upgrade suppressed → arc flash probability underestimated), flash protection boundary display AI (±10 DN compresses 6.1 m MV switchgear boundary to 2.1 m → bystander at 3.5 m not relocated → 3–4 cal/cm² exposure on unprotected skin), incident energy trend display AI (±8 DN suppresses Category 2→3 transition → PPE upgrade alert suppressed → workers continue in Category 2 PPE at above-EBT positions). NFPA 70E-2021 Section 130.5 and IEEE 1584-2018 have no adversarial robustness criterion for AI classifying rendered arc flash displays. Glyphward threshold 35.
-
Underground Mining AI Security · Strata Worldwide VentSim AI · MSA Safety gas detection AI · Honeywell BW Technologies · MineARC Systems · MSHA 30 CFR 75.323 · MINER Act 2006 · Sago Mine 2006 · Westray 1992 · Upper Big Branch 2010 · Glyphward threshold 30 · 2026-06-20
Underground coal mine ventilation AI adversarial injection: how ±8 DN in the rendered methane monitor display suppresses a CH₄ reading above the MSHA 30 CFR 75.323 action level — and why MSHA has no adversarial robustness criterion for the sole-barrier methane detection AI
A ±8 DN adversarial pixel shift in the rendered methane (CH₄) monitor display suppresses a CH₄ reading above the MSHA 30 CFR 75.323 1.0% action level — the structural parallel to the methane accumulation that preceded the Sago Mine 2 January 2006 explosion (12 miners killed, 1 survivor found after 41 hours, carbon monoxide asphyxiation). Strata Worldwide VentSim AI, Howden Ventilation on Demand AI, MSA Safety fixed gas detection AI, and Honeywell BW Technologies area monitoring AI classify rendered CH₄ monitor displays, CO trend charts, strata extensometer outputs, and refuge chamber atmospheric panels to manage underground coal mine ventilation safety. MSHA 30 CFR Part 75 specifies methane monitoring action levels (1.0%, 1.5%, 2.0%) and the MINER Act 2006 requires refuge alternatives with 96-hour atmospheric capability — but neither specifies adversarial robustness criteria for AI classifying rendered monitor outputs. Westray Mine Nova Scotia 1992 (26 killed; Westray Law / Bill C-45 corporate criminal liability response), Upper Big Branch West Virginia 2010 (29 killed; MSHA documented systematic methane reading manipulation — the human analogue of adversarial AI injection) as supporting precedents. Four adversarial surfaces: CH₄ display AI (±8 DN suppresses 1.2% to 0.8%, blocking de-energisation while stratified roof-level concentration may already be above the LEL), CO trend display AI (±8 DN suppresses spontaneous combustion CO rise → heating coal body develops undetected → secondary methane release), strata extensometer display AI (±10 DN suppresses 8 mm/day displacement to 2 mm/day → roof fall hazard not detected → miners not withdrawn from unstable heading), refuge chamber atmospheric monitoring AI (±8 DN suppresses O₂ depletion or CO above IDLH → survivors remain in refuge without SCBA → CO asphyxiation; Sago parallel). Glyphward threshold 30.
-
Battery Manufacturing AI Security · CATL electrode coating AI · LG Energy Solution AI · Panasonic Gigafactory AI · KLA SURFmonitor · IEC 62619:2022 · EU Battery Regulation 2023/1542 · Samsung Note 7 2016 · Boeing 787 APU 2013 · 2026-06-20
Li-ion gigafactory electrode coating AI adversarial injection: how ±6 DN in the XRF coating weight heatmap suppresses a thin-zone precursor to Li-plating, dendrite growth, and internal short circuit — and why IEC 62619:2022 has no adversarial robustness criterion for the CATL/LG Energy/Panasonic electrode inspection AI layer
A ±6 DN adversarial pixel shift in the rendered XRF coating weight heatmap image suppresses a thin-zone defect — coating weight below the lower process control limit — preventing the electrode inspection AI from detecting the manufacturing precursor to Li-plating, dendrite growth, separator penetration, and internal short circuit (ISC) leading to thermal runaway. Samsung Note 7 September–October 2016 (2.5 million units recalled, approximately $17 billion in costs, FAA Emergency Order banning the device from all US aircraft) and Boeing 787 Dreamliner APU battery January 2013 (GS Yuasa LCO/graphite cell lithium plating identified as most probable initiating mechanism, FAA Emergency AD 2013-02-51, 4-month worldwide fleet grounding) establish the consequence envelope. CATL, LG Energy Solution, Panasonic Energy, Samsung SDI, and SK On deploy KLA SURFmonitor, Manz AG Coating Quality Analysis, Cognex electrode inspection AI, and Teledyne Dalsa linescan AI at every electrode line stage. Four adversarial surfaces: XRF coating weight heatmap AI (±6 DN, thin-zone escape), NIR binder composition AI (±8 DN, binder migration escape), calendering density AI (±8 DN, over-calendering escape), slitting linescan burr AI (±10 DN, metallic burr escape). IEC 62619:2022, UL 9540A, UN 38.3, and EU Battery Regulation 2023/1542 digital passport have no adversarial robustness criterion for the electrode inspection AI layer. Glyphward threshold 35.
-
Hydroelectric Dam AI Security · Voith Hydro spillway AI · GE Vernova hydroelectric AI · ABB hydroelectric SCADA AI · FERC Part 12 · FEMA P-94 · Oroville Dam 2017 · spillway chute erosion CCTV AI · Glyphward threshold 30 · 2026-06-19
Large hydroelectric dam spillway AI adversarial injection: how ±8 DN in the rendered spillway chute CCTV camera image suppresses a developing erosion crater — and why FERC Part 12 has no adversarial robustness criterion for the sole-barrier spillway chute AI
A ±8 DN adversarial pixel shift in the rendered spillway chute CCTV camera image suppresses a developing concrete erosion cavity — the structural parallel to the operator misclassification that allowed the Oroville Dam February 2017 spillway crater to develop to 45 m depth, 50 m width, and 90 m length before the emergency spillway was activated for the first time since 1968 and 188,000 downstream residents were evacuated. Voith Hydro spillway AI, GE Vernova hydroelectric management AI, ABB hydroelectric SCADA AI, and ANDRITZ Hydro spillway AI classify rendered images from spillway chute CCTV cameras, reservoir water level rate-of-rise displays, radial gate position cameras, and tailwater energy dissipator displays. FERC Part 12 dam safety inspection and FEMA P-94 inflow design flood framework have no adversarial robustness criterion for AI classifying rendered spillway monitoring images. The Oroville Dam Incident Investigation Panel identified monitoring classification failure — not instrument failure — as a root cause: the same misclassification that an adversarial pixel injection exploits. Glyphward threshold 30.
-
FCEV Heavy Truck AI Security · Nikola Tre FCEV AI · Hyundai XCIENT Fuel Cell AI · Bosch PEM stack AI · SAE J2578 · FMVSS 303 · NFPA 2:2023 · Sandvika Kjørbo 2019 · 2026-06-19
Hydrogen fuel cell heavy truck AI adversarial injection: how ±10 DN in the rendered PEM stack thermal image suppresses a hot-spot precursor to H₂ crossover and thermal runaway — and why SAE J2578 has no adversarial robustness criterion for the FCEV stack monitoring AI layer
A ±10 DN adversarial pixel shift in the rendered Nikola Tre FCEV or Hyundai XCIENT Fuel Cell Truck PEM stack thermal camera image suppresses a developing stack hot-spot — the sole early indicator of membrane dehydration progressing toward H₂ crossover, MEA-level combustion, and stack thermal runaway. The Sandvika (Kjørbo) Norway H₂ station explosion on 10 June 2019 — a plug failure in a 700-bar storage assembly deploying airbags in Toyota Mirai FCEVs 150 metres away and shutting down 20 H₂ stations across Norway and Denmark — establishes the BLEVE consequence envelope. SAE J2578, FMVSS 303/304/305, and NFPA 2:2023 define FCEV safety design requirements but have no adversarial robustness criterion for AI classifying rendered stack thermal images, CPV pressure/temperature displays, cabin H₂ concentration displays, or HV interlock crash sensor traces. HV crash detection AI suppression and first responder electrocution risk at 650–900 VDC also covered. Glyphward threshold 30.
-
Nuclear I&C AI Security · Westinghouse PIAM AI · Framatome Teleperm XS AI · GE Hitachi NUMAC AI · NRC 10 CFR Part 50 GDC 13 · IEEE Std 603-2018 · TMI-2 1979 · Fukushima 2011 · 2026-06-19
Nuclear power plant digital I&C AI adversarial injection: how ±8 DN in the rendered RPS trip parameter display suppresses a reactor protection system trip — and why NRC 10 CFR Part 50 Appendix A GDC 13 has no adversarial robustness criterion for the AI classification layer
A ±8 DN adversarial pixel shift in the rendered Westinghouse PIAM AI or Framatome Teleperm XS AI RPS trip parameter display suppresses the apparent exceedance of a reactor trip setpoint — structurally mirroring the TMI-2 1979 misleading pressuriser level indicator that caused operators to suppress emergency core cooling for 90 minutes and produced 50% core damage. NRC 10 CFR Part 50 Appendix A GDC 13 (instrumentation and control) and GDC 20–24 (protection system single-failure criterion) define the most rigorous I&C qualification framework in any industrial sector — but neither extends to the AI classification layer operating on rendered display images. IEEE Std 603-2018 single-failure criterion, NEI 08-09 Rev. 6 cybersecurity baseline, and NUREG-0800 Standard Review Plan all leave the rendered-image AI boundary unaddressed. Neutron flux monitor AI (Fukushima hydrogen explosion pathway), PCP vibration trend AI (small-break LOCA), and containment H₂ monitor AI also covered. Glyphward threshold 25 — lowest in the portfolio.
-
Mining and Geotechnical AI Security · Klohn Crippen Berger AI · SRK Consulting AI · ROCTEST SmartPiezo AI · TRE ALTAMIRA PSInSAR AI · GISTM 2020 · Brumadinho B1 2019 · 2026-06-18
Tailings dam AI adversarial injection: how ±8 DN in the rendered VWP piezometric level trend display suppresses a phreatic surface rise precursor — and why GISTM 2020 Global Industry Standard on Tailings Management has no adversarial robustness criterion for the sole-barrier TSF monitoring AI
A ±8 DN adversarial pixel shift in the rendered vibrating wire piezometer (VWP) piezometric level trend display suppresses a rising phreatic surface trajectory in an upstream-raised tailings dam from the TARP action-level classification to within-design-envelope. The Brumadinho B1 dam failure (25 January 2019 — 270 killed in under 4 minutes from a 12 Mm³ static liquefaction flow slide at Vale’s Córrego do Feijão iron ore mine) establishes the consequence envelope. GISTM 2020 Requirement 12, ANM Resolution 4/2020, and ANCOLD Guidelines require continuous monitoring but specify no adversarial robustness requirement for AI systems classifying rendered sensor images. Seepage face camera AI (Fundão 2015 40 Mm³), InSAR deformation map AI (Mount Polley 2014 24 Mm³), and freeboard camera AI secondary surfaces also covered. Klohn Crippen Berger AI, SRK Consulting AI, ROCTEST SmartPiezo AI, TRE ALTAMIRA PSInSAR AI in scope. Glyphward threshold 30.
-
Hydrogen Energy AI Security · Nel Hydrogen AI · Siemens Energy Silyzer AI · thyssenkrupp nucera AI · NFPA 2 Hydrogen Technologies Code · UV invisible flame · Kjørbo 2019 · 2026-06-18
Hydrogen electrolysis AI adversarial injection: how ±10 DN in the rendered UV flame camera image suppresses a 2,254°C invisible H₂ fire — and why NFPA 2 Hydrogen Technologies Code has no adversarial robustness criterion for the sole-barrier UV detection AI
Hydrogen burns at 2,254°C with no visible flame in daylight — no soot, no visible glow, no smoke. The OH* radical UV emission at 308 nm is the sole real-time automated indicator of a burning H₂ fire. A ±10 DN adversarial pixel shift at the OH* hotspot region of the rendered UV camera frame — within the combined facility UV noise floor — suppresses the flame signal from the detected-flame luminance range to background UV noise. The flame detection AI classifies background noise. Personnel remain in the facility. At H₂ minimum ignition energy of 0.017 mJ, any electrostatic source in the area escalates to a hydrogen fireball. NFPA 2 2023 Section 7.2 and OSHA 29 CFR 1910.103 have no adversarial robustness criterion for UV flame detection AI. Electrolyzer membrane DP AI, H₂ purity O₂ analyser AI, and COPV pressure trend AI secondary surfaces also covered. Kjørbo Norway 2019 HyNor explosion as consequence anchor. Glyphward threshold 35 — sole-barrier UV detection architecture.
-
Pulp & Paper AI Security · Valmet DNA Recovery Boiler AI · BLRBAC Emergency Procedures · NFPA 85 Chapter 8 · FM Global DS 10-3 · 2026-06-18
Kraft recovery boiler AI adversarial injection: how ±10 DN in the rendered steam drum level sight-glass image suppresses a BLRBAC mandatory emergency shutdown — and why NFPA 85 Chapter 8 has no adversarial robustness criterion for the sole-barrier drum level AI
A ±10 DN upward pixel shift in the rendered Valmet DNA Recovery Boiler AI drum level sight-glass image can move a below-visible drum level into the normal-level classification range, suppressing the BLRBAC mandatory emergency shutdown trigger. BLRBAC has documented more than twenty smelt-water steam explosions in North American Kraft mills where drum level monitoring failures contributed. The downstream consequence: waterwall tube starvation, tube rupture, liquid water contacting a 100–600-tonne smelt bed at 800–900°C, and smelt-water steam explosion at 1,700:1 volumetric expansion. NFPA 85 Chapter 8 and FM Global Data Sheet 10-3 together define comprehensive Kraft recovery boiler safety requirements — neither includes adversarial robustness criteria for AI monitoring systems. Furnace floor FLIR thermal AI and char bed height AI secondary surfaces also covered. Glyphward threshold 35 — sole-barrier drum level monitoring architecture.
-
Mining AI Security · Caterpillar MineStar Command AHS · WA DMIRS MH-CM3-Q2-2021 · ISO 17757:2019 · LiDAR zone render AI · 2026-06-15
Autonomous mine haul truck AHS AI adversarial injection: how ±12 DN in the rendered LiDAR zone occupancy grid suppresses a worker’s HiVis PPE retroreflective signature — and why WA DMIRS MH-CM3-Q2-2021 has no adversarial robustness criterion
A ±12 DN pixel perturbation in the rendered Caterpillar MineStar Command LiDAR occupancy grid can suppress a worker’s HiVis PPE retroreflective signature, causing the AHS zone AI to classify an occupied zone as clear and dispatch a 400-tonne haul truck at 52 km/h (48 MJ) into a zone containing personnel. DMIRS Boddington 2017 (investigation 2017-012) established that render-stage errors produce wrong zone-clear classifications from correct sensor data. WA DMIRS MH-CM3-Q2-2021 has no adversarial robustness criterion for zone classification CNNs. Haul road berm condition AI and AHS zone assignment intersection conflict adversarial surfaces also covered. Glyphward threshold 35 — sole safety barrier architecture.
-
Oil Refinery AI Security · OSHA PSM 29 CFR 1910.119 · AspenONE APC AI · Texas City BP 2005 · 2026-06-15
Oil refinery APC AI adversarial injection: how ±10 DN in the rendered raffinate splitter level gauge image replicates the Texas City BP 2005 instrument-misread failure mode — and why OSHA PSM 29 CFR 1910.119 has no adversarial robustness criterion
AspenONE APC AI and Honeywell Profit Controller now classify rendered sight-glass camera images as distillation column level states. A ±10 DN pixel perturbation at the rendered image ingestion boundary shifts the visible meniscus from High-High to Normal — the same misread that caused Texas City BP 2005 (15 fatalities, 180 injured, CSB 2005-04-I-TX). OSHA PSM 29 CFR 1910.119 Process Hazard Analysis identifies ‘level indicator failure’ as a credible cause for raffinate splitter High Level deviations but has no adversarial AI classifier robustness criterion. Also covers FCC regenerator false-colour thermal AI afterburn suppression, fired heater tube API 530 temperature limit AI, and compressor vibration spectrogram AI. Glyphward threshold 35 with OSHA PSM 1910.119(j)(4) MI audit trail documentation.
-
Airfield AI Security · FAA AC 150/5220-24 · Xsight FODetect · ASDE-X · 2026-06-14
Airfield runway FOD detection AI: adversarial millimetre-wave radar map injection hides a 15 cm tyre fragment from Xsight FODetect — and why FAA AC 150/5220-24 does not require adversarial robustness testing
FAA AC 150/5220-24 sets a 95% Probability of Detection criterion for runway FOD detection AI — but no acceptance test includes adversarially perturbed radar scan images. A ±10 DN perturbation in the rendered Xsight FODetect 76-77 GHz scan overlay suppresses a 15 cm tyre fragment below the detection threshold: no alert, no sweep, tyre strike risk on an active runway. Consequence envelope: Concorde Air France 4590, CDG, 25 July 2000, 113 fatalities — a 43 cm titanium strip that a certified FOD system would have detected. Also covers Vaisala RVR luminance curve injection, ASDE-X runway incursion AI map injection, and PAPI optical monitoring AI injection. Glyphward threshold 35.
-
Pipeline Integrity AI Security · PHMSA 49 CFR 195.452 · API 1163 · 2026-06-14
Pipeline integrity ILI AI: how adversarial MFL anomaly map injection suppresses SCC colony detections and blocks PHMSA 49 CFR 195.452 excavation orders — and why API 1163 does not require adversarial robustness testing
API 1163 4th edition qualifies ILI AI systems with POD curves and ±10 %WT sizing accuracy statistics — but has no adversarial robustness criterion. A ±8 DN pixel perturbation in a rendered MFL anomaly map image — within JPEG quantisation noise — suppresses an SCC colony at 35 %WT below the detection threshold, prevents the PHMSA excavation order, and leaves a weakening pipe section in an HCA segment with no IMP flag and no scheduled reassessment. Baker Hughes FlexPIG, TDW SmartScan, ROSEN RoCorr UT AI, NDT Global Evo Series AI, and Percepto Arc drone corrosion patrol AI are all in scope. Consequence envelope: PG&E San Bruno 2010 (8 fatalities, $1.6B), Colonial Pipeline Alabama 2016 (350,000 US-gallon gasoline release), Carlsbad NM 2000 (12 fatalities). Three attack vector classes: ILI data analysis centre compromise at the rendering pipeline; pipeline operator delivery package MitM; training data poisoning targeting SCC annotation samples. Glyphward threshold 40 integration with PHMSA 49 CFR 195.452(l) IMP record-keeping and API 1163 Section 6.4 anomalous-input logging documentation.
-
Aviation MRO AI Security · EASA AMC 20-16 · 2026-06-14
Jet engine borescope AI: how adversarial pixel injection suppresses TBC spallation and passes a hazardous engine through a Part 145 inspection — and why EASA AMC 20-16 does not close the gap
EASA AMC 20-16 Issue 2 (2023) requires human oversight when AI-assisted borescope inspection outputs low-confidence classifications. Adversarial pixel injection suppresses the TBC spallation colorimetric boundary — the RGB gradient between intact YSZ ceramic and exposed blade metal — causing the HPT classifier to output high-confidence 'serviceable' for a blade with active spallation, bypassing the oversight trigger. The certifying engineer never reviews the image. The Aircraft Maintenance Release is issued. A deep-dive into the AMC 20-16 gap, the TBC spallation adversarial surface (±12 DN channel suppression within JPEG noise floor), the QF32 consequence profile (uncontained HPT failure, 21 simultaneous system failures) as a software attack, the three attack vector classes (capture system compromise, MRO platform pipeline MitM, training data poisoning), why GE TrueCheck, Rolls-Royce IntelliEngine, and Lufthansa Technik AVIATAR are all in scope, and Glyphward threshold 40 integration with Part 145.A.55 documentation.
-
Railway AI Security · ETCS / CVSR · 2026-06-13
Railway signalling AI: how adversarial pixel injection makes a Red signal appear Green — and why SIL 4 certification does not protect against it
Computer Vision Signal Recognition (CVSR) AI classifies trackside signal aspects from forward-facing camera frames at 200 km/h closure speed. CENELEC EN 50129 SIL 4 is the most rigorous safety certification on earth for railway electronics — it requires formal mathematical proof of correctness, random hardware failure rates below 10⁻⁹/hour, and independent Notified Body assessment. It does not cover adversarial ML attacks. A deep-dive into the CVSR classification pipeline, the asymmetric risk between Red-showing-Green and Green-showing-Red adversarial injection, why the fail-to-safe principle provides no protection against high-confidence incorrect classifications, the three attack vector classes (lineside display injection, onboard network MitM, physical adversarial patch), why US Positive Train Control under 49 CFR Part 236 has the same regulatory gap, and how a Glyphward pre-scan gate integrates with the ETCS EVC and PTC onboard architecture.
-
Aviation AI Security · 2026-06-13
ACAS Xu: how adversarial pixel injection defeats formally verified collision avoidance in autonomous UAS
ACAS Xu is the most formally verified AI system in operational aviation — Reluplex proved ten safety properties over its neural network policy, the first formal verification of a safety-critical deep learning system at scale. But the proof is conditional: it holds given correct values of the six state variables. In BVLOS UAS operations, those state variables come from an EO/IR camera pipeline running a deep learning object detector that has never been adversarially evaluated. Pixel injection into that pipeline corrupts range and bearing estimates upstream of the verified network, causing wrong Resolution Advisories in an autopilot-closed loop that executes in under 200ms with no pilot in the decision path. A deep-dive into the EO/IR state estimation architecture, two attack variants (intruder suppression and phantom injection), why the formal verification gap is structural rather than a verification deficiency, and how the DO-326A regulatory framework applies to EO/IR adversarial detection evidence.
-
Surgical Robotics AI Security · 2026-06-13
Adversarial pixel injection in da Vinci 5 Firefly NIR: suppressing bile duct fluorescence alerts during live robotic surgery
The da Vinci 5 Firefly near-infrared fluorescence AI was adopted specifically for complex cholecystectomy where standard white-light anatomy is insufficient. Adversarial pixel perturbation in the NIR channel frame at the AI ingestion boundary can suppress the CBD fluorescence alert in exactly those cases — in a 50ms closed-loop actuator window that structurally prevents human interception between AI error and robotic arm response. A deep-dive into the two attack variants (suppression and phantom injection), why the Dip et al. 2020 meta-analysis makes the clinical stakes precise, how the SAGES 2022 CVS guidelines interact with AI-augmented bile duct identification, and the NIR-specific scan gate architecture using selective frame sampling with operating mode fallback.
-
Healthcare AI Security · 2026-06-12
Wearable health AI adversarial injection: why the Apple Watch ECG is the highest-volume FDA-cleared attack surface
Apple Watch ECG (FDA K192729/K223274) runs on 100M+ wrists. The AI classifier that detects Atrial Fibrillation drives anticoagulation referral; Dexcom G7 paired with Control-IQ or Omnipod 5 closes the insulin dosing loop without user confirmation. Both operate on sensor time-series — ECG waveforms, CGM glucose Bluetooth LE packets, PPG photoplethysmography — that text-only PI scanners are structurally blind to. A deep-dive into the HealthKit write injection vector, the CGM closed-loop adversarial dosing attack, FDA SaMD cybersecurity guidance requirements for waveform-classifier input validation, and the scan gate architecture that defends each inference boundary without breaking the clinical pipeline.
-
Cryptography & AI Security · 2026-06-12
Post-quantum cryptography for AI orchestration: the harvest-now-decrypt-later threat to your system prompts
Nation-state adversaries are archiving your LangChain, CrewAI, and AutoGen TLS traffic today. NIST FIPS 203 (ML-KEM/Kyber), FIPS 204 (ML-DSA/Dilithium), and FIPS 205 (SLH-DSA/SPHINCS+) were finalized in August 2024. NSM-10 sets hard federal deadlines. A deep-dive into why AI orchestration systems are uniquely exposed to harvest-now-decrypt-later — system prompts encode business logic, RAG queries reveal strategic intent, agent-to-agent delegation messages expose internal decision architecture, and chain-of-thought scratchpads leak intermediate reasoning — and the five-step PQC migration sequence for agentic pipelines from LLM provider connections through vector databases, tool APIs, inter-agent communication, and observability infrastructure.
-
Aviation Security · eVTOL · 2026-06-11
eVTOL AI security: the multimodal prompt injection attack surface in urban air mobility
Joby, Archer, and Wisk are entering commercial passenger service in 2026. Every critical flight phase — obstacle detection, vertiport approach guidance, biometric boarding, UTM airspace management — depends on AI that processes image data. Text-only prompt injection scanners are blind to all four attack surfaces. FAA Special Conditions require DO-326A Security Risk Assessments for AI perception systems; EASA AMC20-152A requires adversarial robustness testing under CS-SC-VTOL-01. Physical adversarial patches on rooftop obstacles, vertiport approach corridor injection, biometric boarding bypass, and UTM map tile injection are all pixel-domain attacks that text scanners cannot see.
-
Security Architecture · Agentic AI · 2026-06-11
Agentic AI and multimodal prompt injection: why autonomous agents face a larger attack surface than chat models
A chat model that processes a bad image gives one bad response. An autonomous agent may execute a dozen real-world tool calls before a human sees a result. The multimodal injection gap is the same in both cases — text scanners are blind to pixel-domain payloads — but agentic systems multiply the attack surface: images enter via retrieval, mid-loop screenshot capture, tool outputs, and subagent trust propagation. Covering only the user-facing entry point leaves the majority of an agent's image input surface unscanned. This post covers the three highest-risk agentic attack chains (computer-use screen injection, RAG corpus poisoning, multi-agent trust escalation), why text-only scanners are particularly dangerous in the agentic context, and the scan placement architecture that closes all three gaps.
-
Attack Deep-Dives · 2026-06-11
FigStep, AgentTypo, WhisperInject — the three multimodal prompt injection attacks every text scanner gets wrong
Three named attacks define the outer boundary of what text-only PI scanners can see. FigStep renders instructions in OCR-resistant glyph fonts the VLM decodes but OCR misses entirely. AgentTypo distorts characters so OCR produces a benign string while the VLM reads the toxic original — specifically defeating OCR-then-text-scan workarounds. WhisperInject hides commands in audio segments Whisper discards: below-VAD amplitude windows, ultrasonic frequency bands, reversed-speech segments. All three share one structural root cause, and defending against them requires scanning raw bytes before any preprocessing step runs. A deep-dive into the mechanism of each attack, why text scanners are structurally blind to all three, and what the three-layer defence stack looks like.
-
Threat Research · Earth Observation · 2026-06-10
Why satellite remote sensing AI is the newest prompt injection attack surface
Satellite AI is no longer confined to research labs — USDA uses it to validate $10B in annual crop insurance claims, EPA uses it to detect unreported pesticide use, and FEMA uses it to map disaster damage for public assistance declarations. In every case the AI processes a multispectral pixel array with no text channel for any existing PI scanner to inspect. A deep-dive into NDVI injection for crop insurance fraud, spectral bypass for EPA FIFRA compliance evasion, SAR manipulation for FEMA Stafford Act declarations — and the four-step scanning architecture that closes the gap.
-
Compliance · Healthcare · 2026-06-10
How multimodal AI prompt injection bypasses healthcare regulatory compliance
Healthcare AI is the sector most exposed to multimodal prompt injection — radiology AI reads DICOM pixel arrays, pathology AI processes whole-slide images, telehealth AI transcribes patient audio. Text-only PI scanners cover none of these channels. A deep-dive into how FigStep and WhisperInject-class attacks bypass HIPAA Security Rule audit controls, FDA SaMD cybersecurity guidance, and EU MDR GSPR 17.4 — with five concrete remediation steps that produce a unified compliance evidence log across the cited frameworks simultaneously.
-
Compliance · EU AI Act · 2026-05-31
EU AI Act Article 15: the multimodal AI security checklist before 2 August 2026
The Article 15 cybersecurity deadline is 63 days away. Eight checklist items for high-risk AI providers — covering who actually needs to comply under Annex III, what Article 15(5)’s “adversarial examples or model evasion” language means for multimodal systems, why OCR-before-text-scan does not satisfy the requirement for image inputs, what audit evidence looks like in practice, and what happens to providers that miss the date. Includes the evidence format an assessor reviewing your Annex IV documentation will look for per modality.
-
Engineering deep-dive · 2026-04-30
Building a prompt-injection scanner for voice agents: what Whisper drops, and why it matters
Speech-to-text systems are lossy compressors with quality goals — clean transcripts — that conflict with the goals of a security inspection. By the time text reaches your prompt-injection filter, the bands and timings the audio PI payload was hiding in have already been filtered away. A walk through the four audio-PI subtypes at the byte level, the four-stage build pipeline you can wire in two weeks, the trade-offs we made (CNN over transformer, run-both over replace, no chaining), and what still doesn't work.
-
Market analysis · 2026-04-30
What Check Point buying Lakera means for self-serve AI-security buyers
Big-platform acquirers of self-serve security tools almost never preserve the self-serve motion at the original price. A factual read on the Sept–Nov 2025 Check Point acquisition of Lakera, what enterprise consolidation tends to do to a SMB SKU, and what is left under $100/mo for teams who still need a prompt-injection defence in 2026.
-
Architecture · 2026-04-25
Why every text-only prompt-injection scanner misses a 30-pixel PNG
A 900-byte image with eight rendered words on it routes around every text-only PI defender on the market. That is not a tuning failure — it is the intended scope of those products, and the gap will not close by improving them. The architectural argument, written for engineers and AppSec leads deciding whether their current defence is enough.
-
Threat model · 2026-04-25
The multimodal prompt-injection threat model for AI product teams (2026)
Every public-API prompt-injection defender ships with the same blind spot: they inspect text and ignore the two modalities where the real-world payloads now hide. If your product accepts images or audio from anyone other than you, this is your threat model — what the attacks look like, why your current stack misses them, and a defender's playbook you can run this week.
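A small added illustration of the point shared by the WhisperInject post and the voice-agent scanner post above: a payload parked below an energy VAD's threshold never reaches the transcript, so a transcript-level PI filter cannot see it, while a scan over the raw samples run before the gate can. This is example code written for this page, not code from either post or from the scanner; the clip, the 20 ms frame size, the -35 dBFS gate and the 20 dB "above noise floor" margin are all constructed assumptions, and only the below-VAD amplitude subtype is modelled (ultrasonic and reversed-speech subtypes need spectral analysis, not shown here).

```python
"""Added example: energy-VAD gate vs. raw-sample pre-VAD scan.
Constructed signal and thresholds; not the scanner's own logic."""
import math

SAMPLE_RATE = 16_000        # Whisper-style 16 kHz mono front end
FRAME_LEN = 320             # 20 ms frames at 16 kHz
VAD_THRESHOLD_DBFS = -35.0  # assumed gate: quieter frames are dropped before ASR
NOISE_MARGIN_DB = 20.0      # assumed: "quiet but structured" = this far above floor


def dbfs(rms):
    """RMS -> dB relative to full scale; digital silence clamps at -120 dB."""
    return -120.0 if rms <= 0 else 20 * math.log10(rms)


def tone(freq_hz, seconds, amp_dbfs):
    """Pure sine at the given peak level, as float samples in [-1, 1]."""
    amp = 10 ** (amp_dbfs / 20)
    n = int(seconds * SAMPLE_RATE)
    return [amp * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]


def build_clip():
    """Constructed 1 s clip: 0.0-0.4 s loud 'speech' (-6 dBFS),
    0.4-0.7 s a -50 dBFS carrier standing in for the hidden window,
    0.7-1.0 s digital silence."""
    return (tone(220, 0.4, -6.0)
            + tone(1000, 0.3, -50.0)
            + [0.0] * int(0.3 * SAMPLE_RATE))


def frame_levels(samples):
    """Per-frame RMS level in dBFS over non-overlapping FRAME_LEN frames."""
    levels = []
    for start in range(0, len(samples) - FRAME_LEN + 1, FRAME_LEN):
        frame = samples[start:start + FRAME_LEN]
        rms = math.sqrt(sum(x * x for x in frame) / FRAME_LEN)
        levels.append(dbfs(rms))
    return levels


def vad_kept_frames(samples):
    """Frame indices a simple energy VAD would forward to the recognizer.
    Everything else is what the transcript-level filter never sees."""
    return [i for i, lvl in enumerate(frame_levels(samples))
            if lvl >= VAD_THRESHOLD_DBFS]


def raw_scan_suspicious_spans(samples):
    """Pre-VAD scan: frames the gate would drop but that sit well above the
    clip's noise floor. Returns (start_s, end_s) spans of such frames."""
    levels = frame_levels(samples)
    floor = min(levels)  # assumption: quietest frame approximates the floor
    flagged = [i for i, lvl in enumerate(levels)
               if lvl < VAD_THRESHOLD_DBFS and lvl - floor >= NOISE_MARGIN_DB]
    # Merge consecutive flagged frames into contiguous spans.
    spans, run = [], []
    for i in flagged:
        if run and i != run[-1] + 1:
            spans.append(run)
            run = []
        run.append(i)
    if run:
        spans.append(run)
    sec = FRAME_LEN / SAMPLE_RATE
    return [(round(r[0] * sec, 2), round((r[-1] + 1) * sec, 2)) for r in spans]


if __name__ == "__main__":
    clip = build_clip()
    print("VAD forwards frames:", vad_kept_frames(clip))        # 0..19 only
    print("raw scan flags spans:", raw_scan_suspicious_spans(clip))  # [(0.4, 0.7)]
```

On the constructed clip the gate forwards only the first 20 frames (the loud segment), so the 0.4-0.7 s window never reaches the recognizer, while the pre-VAD scan flags exactly that window. A production scanner would estimate the floor from a low percentile of frame levels rather than the single quietest frame, since real recordings rarely contain digital silence.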
What you can expect
- Attack deep-dives — each new payload family we add to the corpus gets a write-up with the exact signatures we detect.
- Benchmarks — confusion matrices on our FigStep / AgentTypo / WhisperInject test set, published per release.
- Integration tutorials — how to wire the scanner into avatar SaaS, voice agents, and screenshot-reading assistants.
- Incident notes — when a real customer gets hit, what we learn, what we change.
Follow day-to-day progress at @bitinvestigator, or join the waitlist and we'll email when the next post is live.