Prompt injection in aerospace and defence AI
Aerospace and defence AI operates at the intersection of the highest-consequence AI deployment environments: aircraft safety-of-flight determinations, military intelligence assessments, and airworthiness certification decisions where AI-assisted classification errors have potential loss-of-life consequences. Boeing Insight AI is Boeing’s enterprise computer vision platform deployed across MRO (maintenance, repair, and overhaul) operations at Boeing Global Services, Emirates Engineering, and partner MRO facilities — processing photographs of aircraft components, wing spar fatigue crack indicators, engine turbine blade erosion patterns, and structural inspection findings submitted through Boeing’s SCEPTRE and AMOS maintenance management systems to generate AI-assisted airworthiness assessments and work-package recommendations for licensed aircraft engineers. Airbus Skywise Predictive Maintenance, operated through the Airbus Digital Aviation Services division, ingests aircraft health monitoring data combined with engine borescope images, component wear photographs, and maintenance action photographs submitted by operators including Lufthansa Technik, Air France Industries KLM Engineering & Maintenance, and Safran Aircraft Engines to predict component replacement intervals and flag emerging airworthiness conditions before they reach mandatory maintenance limits. Siemens’ AI platforms for turbine blade inspection — deployed by StandardAero, MTU Aero Engines, and Rolls-Royce Deutschland — use automated defect recognition (ADR) deep-learning models trained on borescope images and fluorescent penetrant inspection (FPI) photographs to detect fatigue cracks, leading edge erosion (LEE), hot section oxidation, and thermal barrier coating (TBC) spallation in commercial aircraft gas turbine engines. 
In the defence domain, Hexagon’s AI-powered NDT analysis platforms and MISTRAS Group’s AI for non-destructive testing process phased array ultrasonic testing (PAUT), eddy current, and thermographic NDT image data from military aircraft structural inspections, submarine hull inspections, and defence equipment condition assessments. The adversarial image injection threat to aerospace and defence AI exploits the photograph and scan submission pathways that these platforms use for AI-assisted inspection: MRO maintenance portal image uploads, AMOS/SCEPTRE task card photograph submissions, borescope image transfer to predictive maintenance platforms, and NDT image upload APIs at third-party inspection service providers. This page covers four injection surfaces and how Glyphward’s pre-scan gate addresses the threat at the aerospace AI image ingestion boundary.
TL;DR
Aerospace and defence AI — Boeing Insight AI, Airbus Skywise, Siemens turbine blade ADR, Hexagon NDT AI — processes NDT inspection images, aircraft component photographs, MRO maintenance log images, and UAV intelligence imagery. Adversarially crafted images submitted through maintenance portal uploads, borescope image transfer APIs, and parts traceability systems can suppress fatigue crack detection, corrupt FAA/EASA airworthiness records, and falsify parts traceability documentation. Glyphward scans each image at the ingestion boundary with a threshold of ≥ 50 for aerospace AI inputs (aviation safety — missed defect detection or falsified airworthiness record → airworthiness risk). Free tier — 10 scans/day, no card required.
Four adversarial injection surfaces in aerospace and defence AI
1. Aircraft NDT inspection AI adversarial image injection (Siemens ADR, Hexagon AI, MISTRAS AI)
Non-destructive testing AI in aerospace performs automated defect recognition on inspection images from borescope cameras (turbine blade and combustion chamber inspection), phased array ultrasonic testing (PAUT) C-scan images (wing spar and fuselage skin crack detection), fluorescent penetrant inspection (FPI) photographs (landing gear, engine mounts, high-stress structural fittings), and thermographic inspection images (composite structure delamination detection). Siemens’ automated defect recognition (ADR) AI deployed by StandardAero and MTU Aero Engines processes borescope video frames and still images submitted by borescope inspection technicians through turbine shop management systems to classify turbine blade defects against serviceable limits defined in the Engine Shop Manual (ESM) and Component Maintenance Manual (CMM). The adversarial injection surface is the borescope image transfer workflow: borescope inspection technicians at MRO facilities transfer borescope video and still images from the borescope recording system to the turbine shop management platform through USB file transfer, network share upload, or direct API integration. An adversarially crafted borescope image — in which pixel-level perturbations are applied to the leading edge or pressure face region of a turbine blade image to reduce the apparent depth of an erosion groove or the apparent length of a fatigue crack — submitted through the image transfer workflow can cause the Siemens ADR AI to classify the blade as “serviceable” when the physical defect dimension exceeds the ESM rejection limit. For high-bypass turbofan engines (CFM56, LEAP-1A/1B, PW1000G, GE90) used on commercial aircraft carrying 150–400 passengers, a turbine blade returned to service with an undetected defect that the AI classified as within serviceable limits creates a potential uncontained engine failure risk — the failure mode associated with engine-related fatal accidents. 
The FAA Special Airworthiness Information Bulletin (SAIB) and EASA Safety Information Bulletin (SIB) frameworks require MRO organisations to validate computerised inspection aids against physical measurement; adversarial attacks on borescope AI create a validation gap where the AI produces a false passing classification that will be inconsistent with a subsequent physical measurement — but the MRO workflow may not require independent physical verification if the AI classification is accepted as the primary finding. MISTRAS Group’s AI NDT platforms process PAUT C-scan images submitted by NDT Level II/III technicians through their DataView NDT data management platform; the same pixel-perturbation attack technique applied to PAUT C-scan images — which represent signal amplitude and time-of-flight data as a 2D colour map — can cause the AI to misclassify an indication that exceeds the engineering rejection threshold as a sub-threshold scatter indication.
2. Aviation maintenance log image injection in predictive maintenance AI (Boeing Insight AI, Airbus Skywise, StandardAero DaVinci AI)
Aviation predictive maintenance AI ingests maintenance event photographs — task card completion photographs, component removal photographs, observed wear condition photographs, and fluid sample analysis images — submitted by aircraft engineers through Electronic Technical Log (ETL) and AMOS/SCEPTRE maintenance management system photograph upload workflows to augment sensor-based predictive models with visual condition evidence. Boeing Insight AI processes maintenance photographs submitted through Boeing’s SCEPTRE mobile application and integrated MRO customer portals at Emirates Engineering, SIA Engineering, and JetBlue Tech Ops, using computer vision to classify component condition severity and recommend maintenance actions. Airbus Skywise’s Digital Services platform ingests borescope images, maintenance action photographs, and component condition photos submitted by airline operators through Airbus’s AirN@v and AirNavX operator technical portals to build component-level health models that feed prognostic maintenance interval recommendations. The adversarial injection surface is the maintenance photograph upload workflow: aircraft engineers at line and base maintenance facilities submit task card completion photographs and component condition photographs through AMOS, SCEPTRE, or airline-specific MRO portal mobile applications as part of standard digital task card sign-off procedures. An adversarially crafted maintenance photograph — in which pixel-level perturbations applied to a hydraulic fitting, a carbon brake wear indicator, or a landing gear oleo strut corrosion area cause the AI condition classifier to assign a “normal wear — within limits” classification rather than an “approaching limit — schedule at next check” or “exceeded limit — remove from service” classification — can delay a required maintenance action that the predictive model would otherwise have flagged.
For life-limited parts (LLPs) tracked under FAA Order 8110.112 and EASA AMC 20-29, a missed wear indication that delays a maintenance action has direct airworthiness consequence if the part reaches its design life limit before the scheduled removal action. StandardAero’s DaVinci AI platform — used in CFM56, CF34, and PT6 engine overhaul operations — has a specific compressor and turbine blade condition photograph classification workflow where the adversarial injection risk is highest: blade condition photographs submitted through the DaVinci portal influence work-scope decisions that determine whether an engine is returned to service in a “light” versus “heavy” overhaul configuration — a decision with direct airline customer cost and engine safety margin implications.
3. Airframe and engine parts traceability AI injection (Rolls-Royce IntelligentEngine, GE Aviation digital twin, PTC Windchill AI)
Aerospace parts traceability AI processes photographic documentation of aircraft parts — part number label photographs, dataplate images, certification tag photographs, and incoming inspection images — submitted through digital parts tracking systems to verify part identity, authenticity, and documentation completeness before installation. Rolls-Royce’s IntelligentEngine digital twin platform and GE Aviation’s Engine Digital Twin (OptiFleet) process component removal photographs, parts documentation scan images, and teardown inspection photographs submitted by airline operators and MRO partners through their respective digital service portals. PTC Windchill’s AI-augmented quality management module — deployed by Airbus, Safran, and UTC Aerospace Systems (now Collins Aerospace and Pratt & Whitney) — processes incoming inspection photographs of purchased parts and components against approved supplier qualification records. The adversarial injection surface involves parts certification documentation: aircraft parts must be accompanied by FAA Form 8130-3 or EASA Form 1 airworthiness approval tags that certify the part as airworthy and legally released for installation. In the secondary aerospace parts market — where used serviceable material (USM) trades between airline asset management divisions, MRO parts brokers, and independent parts distributors — parts certification documents are routinely submitted as scanned images or PDF photographs through parts brokerage portals and MRO incoming inspection systems. 
An adversarially crafted FAA Form 8130-3 scan image — in which pixel-level perturbations applied to the part number, serial number, or approval authority fields cause the AI document classifier to read the wrong part number or classify an unapproved counterfeit 8130-3 as a legitimate approved document — submitted through a parts brokerage portal or MRO incoming inspection upload API can enable a counterfeit or unapproved part to pass the AI document verification step and be forwarded for installation. The FAA Suspected Unapproved Parts (SUP) programme and EASA Suspected Unapproved Parts bulletin framework explicitly identify falsified documentation as the primary enabler of unapproved parts entering the certified aviation parts supply chain — making parts documentation AI a high-value attack target for organised counterfeit parts operations.
4. UAV and defence intelligence imagery AI injection (military ISR AI, GEOINT AI, autonomous systems)
Defence intelligence AI processes imagery from unmanned aerial vehicles (UAVs), satellite reconnaissance, and ground surveillance systems to perform automated target recognition (ATR), battle damage assessment (BDA), force deployment analysis, and environmental threat assessment. Palantir’s AIP (Artificial Intelligence Platform) defence product, Anduril Industries’ Lattice AI fusion platform, and Shield AI’s autonomy stack process imagery submitted through intelligence analyst workstations, forward operating base ISR uplinks, and secure data transfer systems to generate AI-assisted intelligence products. The adversarial injection surface involves intelligence imagery submitted through analyst workstations and data transfer portals: intelligence analysts at forward operating locations submit UAV image captures, overhead reconnaissance imagery tiles, and sensor fusion images through classified and unclassified network workstations into AI analysis queues. An adversarially crafted ISR image — in which pixel-level perturbations applied to a vehicle, structure, or terrain region cause the AI ATR model to misclassify a military vehicle as a civilian vehicle, suppress a weapons system identification flag, or misassess structural damage in a BDA image — submitted through an analyst workstation can corrupt an AI intelligence product with consequences ranging from erroneous targeting assessments to force deployment planning errors. The ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) frameworks govern the control of defence AI systems; the adversarial attack surface for classified defence AI is subject to JSIG (Joint Special Access Program Implementation Guide) and NIST SP 800-171 security control requirements that include integrity verification of AI input data — requirements that adversarial image detection directly addresses. 
For commercial UAV platforms used in dual-use applications — border surveillance, maritime domain awareness, critical infrastructure monitoring — the adversarial injection threat extends to government contractor AI platforms (Leidos, Booz Allen Hamilton AI, SAIC AI) that are not subject to ITAR but process sensitive government imagery through commercial cloud submission pathways with lower physical security controls than classified defence networks.
Integration: aerospace AI image ingestion with Glyphward pre-scan
Aerospace AI image ingestion flows from borescope inspection systems, maintenance portal photograph uploads, parts documentation scan portals, and intelligence analyst workstations into AI processing queues. Insert Glyphward’s pre-scan at the ingestion boundary before images reach the inspection, predictive maintenance, or parts traceability AI:
```python
import asyncio
import base64
import hashlib
import json
import os
import sys
import uuid
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Strictest threshold: aviation safety-of-flight + airworthiness record integrity.
# A missed defect or falsified airworthiness record has catastrophic failure modes.
THRESHOLD_AEROSPACE_AI = 50


class AdversarialAerospaceImageError(Exception):
    """Raised when an aerospace AI image exceeds the adversarial injection threshold."""


class AerospaceAIContext(str, Enum):
    NDT_INSPECTION = "ndt_inspection"            # borescope, PAUT, FPI, thermographic
    MAINTENANCE_PHOTO = "maintenance_photo"      # task card, component condition photos
    PARTS_DOCUMENTATION = "parts_documentation"  # 8130-3, Form 1, incoming inspection
    DEFENCE_ISR = "defence_isr"                  # UAV, reconnaissance, surveillance


async def write_aerospace_audit_record(record: dict) -> None:
    """Persist audit record to your airworthiness-grade audit log (stub)."""
    print(json.dumps(record), file=sys.stderr)


async def scan_aerospace_image(
    image_source: str | Path | bytes,
    context: AerospaceAIContext,
    component_id_hash: str,  # SHA-256 of component serial number (not raw)
    aircraft_reg_hash: str,  # SHA-256 of aircraft registration (not raw)
    client: httpx.AsyncClient,
) -> dict:
    """
    Scan an aerospace AI image for adversarial injection payloads before
    forwarding to NDT inspection, predictive maintenance, or parts traceability AI.
    Audit record: no raw PII or aircraft identifiers — only hashed references.
    """
    # Accept either a file path or raw image bytes.
    if isinstance(image_source, (str, Path)):
        image_bytes = Path(image_source).read_bytes()
    else:
        image_bytes = image_source

    image_b64 = base64.b64encode(image_bytes).decode()
    image_sha256 = hashlib.sha256(image_bytes).hexdigest()
    scan_id = str(uuid.uuid4())

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "aerospace_context": context.value,
                "component_id_hash": component_id_hash,
                "aircraft_reg_hash": aircraft_reg_hash,
                "client_scan_id": scan_id,
                "image_sha256": image_sha256,
            },
        },
        timeout=8.0,
    )
    resp.raise_for_status()
    result = resp.json()

    # Record the decision before acting on it, so blocked images are always logged.
    audit_record = {
        "component_id_hash": component_id_hash,
        "aircraft_reg_hash": aircraft_reg_hash,
        "aerospace_context": context.value,
        "scan_id": result["scan_id"],
        "client_scan_id": scan_id,
        "image_sha256": image_sha256,
        "score": result["score"],
        "flagged_region": result.get("flagged_region"),
        "threshold": THRESHOLD_AEROSPACE_AI,
        "action": "blocked" if result["score"] >= THRESHOLD_AEROSPACE_AI else "allowed",
    }
    await write_aerospace_audit_record(audit_record)

    if result["score"] >= THRESHOLD_AEROSPACE_AI:
        raise AdversarialAerospaceImageError(
            f"Aerospace AI image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"component={component_id_hash[:8]}..."
        )
    return result


async def scan_inspection_batch(
    image_paths: list[Path],
    context: AerospaceAIContext,
    component_id_hash: str,
    aircraft_reg_hash: str,
) -> dict:
    """Scan a batch of inspection images concurrently before AI processing."""
    allowed, blocked, errors = [], [], []
    async with httpx.AsyncClient() as client:
        tasks = [
            scan_aerospace_image(p, context, component_id_hash, aircraft_reg_hash, client)
            for p in image_paths
        ]
        # return_exceptions=True keeps one failed scan from cancelling the rest.
        results = await asyncio.gather(*tasks, return_exceptions=True)

    for path, result in zip(image_paths, results):
        if isinstance(result, AdversarialAerospaceImageError):
            blocked.append({"path": str(path), "error": str(result)})
        elif isinstance(result, Exception):
            # Scan did not complete (timeout, HTTP error): the image is unverified.
            errors.append({"path": str(path), "error": str(result)})
        else:
            allowed.append({"path": str(path), "scan_id": result["scan_id"]})

    return {
        "component_id_hash": component_id_hash,
        "context": context.value,
        "total": len(image_paths),
        "allowed": len(allowed),
        "blocked": len(blocked),
        "errors": len(errors),
        "blocked_items": blocked,
        "error_items": errors,
    }
```
The component_id_hash and image_sha256 fields provide the airworthiness-grade evidence chain: a blocked NDT inspection image record links scan_id + component_id_hash + image_sha256 for post-incident investigation without storing raw aircraft registration or component serial numbers in the audit log. For NDT inspection contexts (borescope, PAUT, FPI), route blocked images to an immediate safety alert — an adversarially crafted NDT image should trigger independent physical re-inspection before the component is returned to service.
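One way to back the audit stub with a tamper-evident log, as an added example that is not part of the page's integration code or Glyphward's API. It assumes a hypothetical `AuditChain` class and `keyed_ref` helper: identifiers are hashed with HMAC-SHA256 rather than bare SHA-256, because serial numbers and registrations are short enough to recover from an unkeyed hash by enumeration, and each log entry commits to the previous one so an edited or deleted record is detectable.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # fixed anchor that the first entry chains from


def keyed_ref(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 reference for a serial number or aircraft registration.

    The key stays outside the log, so holding the log alone is not enough
    to enumerate candidate identifiers and match them against stored hashes.
    """
    normalised = identifier.strip().upper().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always produces the same digest.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditChain:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry_hash = _digest(prev, record)
        self.entries.append(
            {"prev_hash": prev, "record": dict(record), "entry_hash": entry_hash}
        )
        return entry_hash

    def first_bad_index(self) -> Optional[int]:
        """Index of the first entry that fails verification, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev:
                return i  # an earlier entry was removed or reordered
            if _digest(prev, entry["record"]) != entry["entry_hash"]:
                return i  # this record was edited after it was written
            prev = entry["entry_hash"]
        return None


def build_sample_chain(key: bytes) -> AuditChain:
    """Three constructed audit records using the field names from the page."""
    chain = AuditChain()
    component = keyed_ref("SN-CONSTRUCTED-0001", key)  # constructed serial
    for n, (score, digest_seed) in enumerate([(7, b"a"), (81, b"b"), (12, b"c")]):
        chain.append({
            "component_id_hash": component,
            "aerospace_context": "ndt_inspection",
            "scan_id": f"constructed-scan-{n}",
            "image_sha256": hashlib.sha256(digest_seed).hexdigest(),
            "score": score,
            "threshold": 50,
            "action": "blocked" if score >= 50 else "allowed",
        })
    return chain
```

The chain only proves internal consistency; storing the latest `entry_hash` somewhere the log writer cannot modify is what stops a full rewrite from going unnoticed.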
Coverage matrix
| Control | NDT inspection AI injection | Maintenance photo AI injection | Parts documentation AI injection | Defence ISR AI injection |
|---|---|---|---|---|
| Text-only PI scanner (Lakera, LLM Guard) | No — pixel payloads not seen | No — pixel payloads not seen | No — pixel payloads not seen | No — pixel payloads not seen |
| FAA/EASA airworthiness inspection requirements | Requires independent physical measurement alongside AI; adversarial attack exploits reliance on AI classification | Requires licensed engineer sign-off; does not inspect photographs for adversarial content before AI | Requires 8130-3/Form 1 document; does not inspect scanned documents for adversarial pixel manipulation | Not applicable to defence AI domain |
| MRO access controls and audit trails | Controls system access; authenticated image uploads not inspected for adversarial content | Controls portal access; maintenance photographs not scanned for adversarial perturbation | Controls portal access; parts document images not inspected for adversarial manipulation | Controls network access; imagery not scanned for adversarial perturbation at submission |
| Glyphward | Yes — threshold 50; component_id_hash + scan_id + image_sha256 airworthiness audit trail | Yes — threshold 50; component_id_hash + aircraft_reg_hash + scan_id provenance | Yes — threshold 50; image_sha256 + scan_id; FAA SUP-compatible audit record | Yes — threshold 50; aerospace_context tag; scan_id integrity chain |
Related questions
How does adversarial injection in aerospace AI relate to FAA and EASA AI regulatory frameworks?
FAA’s AI/ML Framework (FAAAI/ML-2023-001) and EASA’s Artificial Intelligence Roadmap 2.0 (2024) both address the integrity of AI systems used in aviation — with specific requirements for AI system trustworthiness, explainability, and the ability to detect AI system performance degradation. The EASA ANNEX IV (Part-CAMO) and Part-145 maintenance organisation requirements already cover computerised maintenance management systems under “quality system” and “competence management” requirements that include data integrity controls for maintenance records. Adversarial injection in aerospace AI — particularly in NDT inspection AI and maintenance log AI — falls within the scope of “intentional interference with AI system performance” that FAA and EASA are beginning to address in emerging airworthiness cybersecurity guidance (FAA Order 8110.105 Aircraft Cybersecurity; EASA ED Decision 2024/012/R). Current regulatory guidance focuses primarily on flight control and avionics AI cybersecurity, but the expanding use of AI in MRO and inspection creates regulatory exposure for MRO organisations that rely on AI-assisted inspection without adversarial input validation controls. An adversarial attack on MRO inspection AI that later causes an airworthiness event — in-service failure of a component that was returned to service based on a corrupted AI inspection classification — would likely result in NTSB/AAIB investigation scrutiny of the AI system’s input validation controls and data integrity procedures. MRO organisations and AI vendors that can demonstrate adversarial image detection controls at inspection AI ingestion boundaries will have a stronger regulatory compliance posture when FAA/EASA AI guidance for MRO applications is formalised.
Is NDT AI inspection adversarial robustness different from standard AI adversarial robustness?
NDT inspection AI has several characteristics that affect adversarial robustness compared to standard computer vision AI. First, NDT images — particularly PAUT C-scans, phased array amplitude maps, and thermographic images — are not natural photographs but are signal-processed data representations where pixel values represent physical measurement quantities (reflection amplitude, time of flight, temperature differential). Adversarial perturbations optimised for standard photographic image classifiers (FGSM, PGD on RGB images) are not directly transferable to NDT data representations; attacks must be calibrated to the specific signal-to-pixel mapping of the NDT modality. Second, NDT inspection AI models are typically trained on very small datasets compared to general computer vision models — a turbine blade ADR model may be trained on 500–5,000 borescope images per defect class, versus millions of images for ImageNet-trained models — making them potentially more susceptible to adversarial perturbations because the decision boundary is less redundantly defined. Third, NDT inspection AI is often deployed in offline batch processing mode rather than real-time inference, giving an adversary more time to craft a highly optimised attack than in real-time camera systems. The combination of small training datasets, offline batch processing, and high-consequence classification (serviceable/reject determination for safety-critical components) makes NDT inspection AI an attractive adversarial target with potentially lower attack complexity than general computer vision AI.
How does Glyphward’s threshold of 50 interact with NDT inspection AI that already has built-in confidence thresholds?
NDT inspection AI systems — Siemens ADR, MISTRAS DataView AI — typically output a defect probability score or confidence level alongside the classification decision, and many systems provide an “uncertain” or “refer to Level III technician” classification band for images where the AI confidence falls below a configurable threshold. This built-in confidence threshold is calibrated to the AI’s nominal operating conditions: it is designed to flag images where the AI is uncertain about a genuine defect classification, not images that contain adversarial perturbations designed to maximise classification confidence in a wrong direction. An adversarially crafted borescope image that causes the AI to output high confidence in a “serviceable” classification for a defective blade will not trigger the AI’s own uncertain classification band — because the adversarial perturbation is specifically designed to push the AI into a high-confidence wrong classification, which is precisely what bypasses the AI’s self-assessed uncertainty. Glyphward’s adversarial injection detection operates at a different layer: it detects the adversarial perturbation signal in the image before the NDT AI processes it, regardless of what confidence score the NDT AI would have assigned. The threshold of 50 represents the minimum risk score at which Glyphward flags an image for human review — it is not calibrated to NDT AI confidence intervals, but to the adversarial payload signal strength in the image. Images flagged by Glyphward at threshold 50 should be routed to a licensed NDT Level III technician for independent physical measurement, bypassing the AI classification entirely.
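The gate ordering described in this answer, as an added example that is not part of the page's integration code or any vendor API. The `route_image` function, the route names, and the 0.80 referral confidence are assumptions for illustration; only the pre-scan threshold of 50 comes from the page. A flagged or unscanned image never reaches the classifier, so a high-confidence wrong label cannot be produced for it.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

PRESCAN_THRESHOLD = 50          # from the page: flag at score >= 50
NDT_REFERRAL_CONFIDENCE = 0.80  # assumed value for the classifier's own referral band


@dataclass
class Disposition:
    image_id: str
    route: str   # ai_accept | ai_reject | level3_review | level3_physical | hold
    reason: str


def route_image(
    image_id: str,
    prescan: Callable[[str], int],
    classify: Callable[[str], Tuple[str, float]],
) -> Disposition:
    # Gate 1: adversarial pre-scan. A scanner failure means "unknown",
    # never "clean", so the image is held rather than passed on.
    try:
        score = prescan(image_id)
    except Exception as exc:
        return Disposition(image_id, "hold", f"pre-scan unavailable: {exc}")

    if score >= PRESCAN_THRESHOLD:
        # The classifier is deliberately not called: its confidence on a
        # perturbed image is not evidence about the physical component.
        return Disposition(image_id, "level3_physical", f"pre-scan score {score}")

    # Gate 2: the classifier's own uncertainty band, for genuine ambiguity.
    label, confidence = classify(image_id)
    if confidence < NDT_REFERRAL_CONFIDENCE:
        return Disposition(image_id, "level3_review", f"confidence {confidence:.2f}")

    route = "ai_reject" if label == "reject" else "ai_accept"
    return Disposition(image_id, route, f"{label} at confidence {confidence:.2f}")


def run_demo():
    """Route four constructed images; returns (routes, classifier call log)."""
    # blade-04 has no score entry, which simulates a scanner outage.
    prescan_scores = {"blade-01": 8, "blade-02": 12, "blade-03": 72}
    # What the classifier WOULD say if asked; blade-03 is the adversarial case.
    ndt_outputs = {
        "blade-01": ("serviceable", 0.97),
        "blade-02": ("serviceable", 0.61),
        "blade-03": ("serviceable", 0.99),
        "blade-04": ("serviceable", 0.95),
    }
    classifier_calls = []

    def prescan(image_id: str) -> int:
        if image_id not in prescan_scores:
            raise TimeoutError("scanner timeout")
        return prescan_scores[image_id]

    def classify(image_id: str) -> Tuple[str, float]:
        classifier_calls.append(image_id)
        return ndt_outputs[image_id]

    routes = {i: route_image(i, prescan, classify).route for i in ndt_outputs}
    return routes, classifier_calls


if __name__ == "__main__":
    print(run_demo())
```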
Further reading
- Manufacturing quality inspection AI prompt injection — broader manufacturing inspection AI surface covering industrial NDT, automotive, and semiconductor inspection AI adjacent to aerospace MRO inspection.
- Energy and utilities AI adversarial images — adjacent infrastructure inspection AI surface covering wind turbine blade inspection, solar panel inspection, and transmission infrastructure AI with overlapping drone inspection attack vectors.
- Indirect prompt injection via image — foundational attack pattern covering adversarial pixel perturbation delivery through legitimate submission pathways applicable to all aerospace AI surfaces.
- Vision-language model security — VLM security reference relevant to next-generation aerospace AI platforms combining visual inspection with LLM-generated maintenance action recommendations.
- Free tier — 10 scans/day, no card required — start scanning aerospace AI images at development volumes before committing to a production plan.