137AI > Risks & Management > Data Risks > Telemetry Capture Integrity
Telemetry Capture Integrity
Telemetry capture integrity is the discipline of ensuring that the sensor data leaving an AI agent is the data the sensor actually produced. Every downstream protection of that data depends on this assumption. Transit security, storage encryption, training data validation, model integrity, and operational decision-making all operate on the input the sensor delivered. If the sensor itself is producing falsified data, every downstream control is protecting corrupted input from the beginning.
This page treats capture as the foundation stage of the OTA loop. The closed-loop dynamic that propagates corruption introduced at capture forward through every subsequent stage is covered in The OTA Loop as Attack Surface. The stage-specific treatment here addresses what can go wrong at the sensor and what defenses operate at the capture point.
The Foundation Problem
Capture is the foundation of the entire data lifecycle. A sensor that produces accurate data feeds downstream systems that can be protected through conventional means. A sensor that produces falsified data feeds downstream systems that are protecting the falsification.
The defensive challenge is that a sensor returning falsified data does not look broken to the agent. It looks normal. The data passes whatever validation the agent applies at the sensor level, flows through the agent's processing, and reaches downstream systems with no indication that anything is wrong. Detection has to happen at the sensor itself, through cross-validation against other sensors, through physical-model consistency checks, or through downstream pattern analysis that can identify when the data does not behave like genuine sensor output.
The foundation property has direct consequences for control design. Strong encryption of data in transit does not protect against falsified data at the source. Robust training procedures do not detect well-crafted falsification in the training data. Operational monitoring catches some patterns but not others. Capture integrity requires defenses at the capture stage, not just at the stages that depend on it.
Two Compromise Patterns
Capture compromise arrives through two distinct patterns that produce the same downstream effect but require different defensive approaches.
Sensor compromise involves direct tampering with the sensor itself or its immediate processing pipeline. The sensor hardware may have been physically modified, the firmware may have been replaced with a malicious variant, the edge processing software may have been compromised, or the calibration data may have been tampered with. In each case, the sensor produces data that does not correspond to the physical environment the sensor is observing, and the cause is internal to the sensor system.
Environment manipulation involves the attacker controlling what the sensor perceives. The sensor is operating correctly; the environment it observes has been manipulated to produce the attacker's preferred reading. Examples include placing adversarial patterns in a camera's field of view, transmitting spoofed GNSS signals into a receiver's antenna, projecting acoustic content into a microphone's range, or chemically altering the environment a chemical sensor measures.
The defensive implications differ. Sensor compromise is addressed through hardware integrity, secure firmware, cryptographic attestation, and supply chain security. Environment manipulation is addressed through sensor diversity, physical-model consistency, and cross-validation against sources that are harder to spoof simultaneously. Effective defense requires both because each compromise pattern has its own attack landscape.
Per-Sensor-Category Attack Patterns
Different sensor categories have different physical principles and different attack surfaces. The defensive approach has to be sensor-aware.
| Sensor Category | Common Attack Patterns | Where Defenses Concentrate |
|---|---|---|
| Optical (cameras, lidar) | Adversarial patches, projected images, laser interference, environmental obscuration, retroreflector spoofing for lidar | Sensor fusion with non-optical modalities, adversarial robustness training, physical-model consistency checks |
| RF (radar, GNSS, cellular, wireless) | GNSS spoofing, radar jamming and deception, signal substitution, replay attacks | Multi-constellation positioning, signal authentication where available, inertial cross-validation, anomaly detection in expected signal characteristics |
| Acoustic (microphones) | Ultrasonic command injection (DolphinAttack-style), audio adversarial examples, ambient noise injection | Frequency filtering, liveness detection, multi-microphone consistency, command-context validation |
| Inertial (IMU, accelerometer, gyroscope) | Acoustic injection into MEMS sensors, EMI manipulation, sensor saturation | Cross-modal consistency with other motion-sensing modalities, physical-model bounds, anomaly detection |
| Biometric (heart rate, ECG, gaze, fingerprint) | Presentation attacks, signal replay, synthetic biometric injection | Liveness detection, multi-modal biometric fusion, behavioral pattern analysis |
| Environmental (temperature, humidity, chemical, gas) | Local environmental modification, sensor heating or cooling, chemical interference with detector chemistry | Sensor placement security, redundant sensors in different physical locations, cross-validation with independent measurement |
| Specialized (industrial sensors, medical sensors) | Domain-specific physical manipulation, calibration drift exploitation, sensor substitution | Sector-specific calibration discipline, sensor integrity certification, regulatory testing programs |
Each pattern has been demonstrated in research literature and in some cases in operational settings. The defenses listed are mature in some sensor categories and uneven in others. Operators deploying AI agents at scale generally face a sensor portfolio that combines multiple categories, with the per-category defensive practices integrated into the overall capture integrity discipline.
Cryptographic Sensor Attestation
The emerging discipline that addresses the foundation problem most directly is cryptographic sensor attestation. The principle is that the sensor itself signs the data it produces with a key tied to a hardware root of trust. Downstream consumers can verify that the data came from the sensor it claims to come from, at the time it claims to come from, and has not been modified since signing.
The implementation requires sensor hardware with a cryptographic identity, key management infrastructure for the sensor population, signed metadata that travels with the captured data, and verification infrastructure at the consuming end that can validate the signatures. The full stack is mature in some specific sensor categories (notably some defense and aviation sensors) and early in most consumer and commercial AI agent contexts.
The discipline does not prevent sensor compromise or environment manipulation. It provides attribution and detection: a sensor that has been physically replaced or had its key extracted produces signed data the verifier can identify as anomalous, and an environment manipulation attack produces signed data the verifier can identify as inconsistent with cross-validating sources.
The discipline is connected to but distinct from secure boot and firmware attestation. Secure boot ensures the sensor starts in a known-good state. Firmware attestation proves that the running firmware matches a known-good version. Data attestation extends the trust chain to the data produced by the sensor. All three layers are required for end-to-end integrity.
Cross-Validation and Physical-Model Consistency
Where cryptographic attestation is unavailable or insufficient, cross-validation provides a complementary defensive approach. The principle is that real sensor data is internally consistent and consistent with physical-model expectations, while falsified data is often detectable through these consistency checks.
Sensor fusion across modalities is the most widely deployed cross-validation approach. A vehicle that integrates camera, lidar, radar, and inertial sensors produces a perception state from multiple sources. Falsifying all sources consistently is substantially harder than falsifying any one. Sensor fusion does not eliminate the risk but raises the cost and complexity of effective attack.
Physical-model consistency checks compare sensor output against what physics allows. A vehicle's reported velocity has limits set by its acceleration capability. A drone's reported position has limits set by its motion capability. A grid sensor's reported voltage has limits set by the operational state of the grid. Sensor output that violates physical-model expectations is detectable as anomalous regardless of how the attacker produced it.
Known-good baseline comparison uses prior sensor behavior to establish expected patterns. Sensor output that diverges from baseline can be flagged for investigation. The approach catches some attack patterns and not others; well-crafted attacks that mimic legitimate environmental variation can pass baseline comparison.
Temporal consistency checks look for patterns inconsistent with normal sensor operation over time, including impossible state transitions, suspicious timing patterns, and gaps in data flow that suggest tampering.
Sector-Specific Considerations
The capture integrity discipline takes on specific weight in sectors where sensor data drives consequential decisions.
In autonomous vehicles, sensor capture integrity is part of the safety case. Compromised perception leads directly to physical safety failures. Vehicle safety regulation increasingly addresses sensor integrity as part of cybersecurity requirements, with UN-R 155 conformance and emerging NHTSA expectations on perception integrity.
In OT and ICS environments, sensor capture integrity feeds both control loops and AI decision-support. Compromised sensors in industrial settings can produce operational decisions that cause physical harm or strategic impact. The discipline intersects with conventional ICS security work, with AI-specific extensions for the case where sensor data feeds AI components. The broader analysis appears in A Thousand Cuts: AI-Everywhere and CIP Threat Calculus.
In medical devices, sensor capture integrity affects patient care directly. FDA SaMD frameworks address sensor and data integrity as part of safety requirements. The emerging AI-enabled medical device landscape extends this with AI-specific considerations for sensor inputs to clinical decision-support and diagnostic AI.
In consumer AI wearables and ambient agents, sensor capture integrity intersects with privacy and surveillance considerations. A compromised wearable sensor produces falsified data that may be used in ways the user would not authorize, and the capture point is where downstream privacy and security depend.
In defense and aviation, sensor capture integrity has long-established discipline including specific requirements for GNSS authentication, sensor hardening, and attestation that the broader commercial AI agent ecosystem is beginning to adopt elements of.
Governance and Standards Landscape
The regulatory and standards framework for telemetry capture integrity is uneven across sectors and jurisdictions.
UN-R 155 for connected vehicles addresses sensor and data integrity as part of cybersecurity requirements, with applicable conformance procedures for vehicle manufacturers in markets that follow UN regulations.
The EU AI Act addresses data quality in Article 10 and cybersecurity in Article 15, with framework-level requirements that reach sensor capture integrity for high-risk AI systems. Specific harmonized standards covering capture integrity are at varying stages of development under CEN-CENELEC JTC 21.
NIST AI Risk Management Framework includes data and model integrity in the Map and Measure functions, with the expectation that operators identify and address capture-level risk.
ISO/IEC 42001 AI management system requirements include data governance and AI lifecycle controls that, properly implemented, address capture integrity as part of broader integrity discipline.
Sector-specific regulation addresses capture integrity at varying depths. Aviation has long-established sensor integrity requirements. Medical device regulation addresses sensor integrity in safety case requirements. Autonomous vehicle regulation is developing capture integrity requirements. OT/ICS sectors are extending established sensor integrity practice into AI-specific applications. Consumer AI agents operate under less specific regulatory address of capture integrity, with general personal data and consumer protection rules providing partial coverage.
The Reframe
Telemetry capture integrity is the foundation that all downstream data integrity depends on. Sensor compromise and environment manipulation are the two patterns that produce capture-stage corruption, with different defensive landscapes. Cryptographic sensor attestation, cross-validation across sensor modalities, physical-model consistency checks, and temporal baseline comparison are the practices that bound capture-level risk. The discipline is mature in some specific sensor categories and emerging in most consumer and commercial AI agent contexts. The governance frameworks address capture integrity at framework level in some jurisdictions and not at all in others. The capture stage is where every downstream defense starts; getting it right is one of the foundational engineering and governance projects the autonomous and ambient AI agent ecosystem requires.
Related Coverage
Data Risks | The OTA Loop as Attack Surface | Training Data Poisoning | A Thousand Cuts: AI-Everywhere and CIP Threat Calculus