Contraband detection AI · Disciplinary incident video review AI · Gang affiliation visual classification AI · Electronic monitoring supervision AI

Prompt injection in correctional facility and incarceration monitoring AI

American correctional facilities house approximately 2.3 million incarcerated individuals across more than 7,000 jails, prisons, and detention centers, and the operational management of that population has become deeply dependent on AI-assisted decision systems that consume image and video data at a scale no human workforce could individually review. Motorola Solutions Video Management System AI analytics, deployed across 13,000+ facilities globally, continuously extracts video frames from facility camera networks and routes them through vision-capable inference pipelines for incident detection, use-of-force classification, and perimeter alerting. Evolv Technology AI weapon and contraband screening systems, operational at 1,500+ correctional facilities, generate millimeter wave scan display images and X-ray equivalent density maps that AI classifiers assess for prohibited items before an officer makes a clearance decision. Securus Technologies AI communication monitoring, serving 3,400+ correctional facilities and processing hundreds of millions of inmate communications annually, cross-references visual identity from video visitation feeds and submitted images against watchlists and case files. Tyler Technologies Odyssey Jail Management System AI, running in 1,000+ county jails, ingests inmate booking photographs, tattoo documentation imagery, and insignia display images as inputs to gang affiliation classification and housing security level assignment workflows. SuperCom GPS electronic monitoring AI and the competing STOP (Satellite Tracking of People) platform collectively supervise more than 300,000 individuals on community supervision — probation, parole, pretrial release — through software dashboards that display GPS track overlays, geo-fence boundary status images, and ankle bracelet tamper indicator alerts, all of which are processed by AI anomaly detection layers. Across every one of these deployments, the architectural pattern is the same: a raw visual artifact — a scanner display image, a video frame, a booking photograph, a GPS dashboard rendering — is passed to an AI inference engine, and the AI’s output directly shapes a consequential decision about an individual’s liberty, safety, housing, or supervision status. The constitutional and statutory framework governing these decisions is among the most demanding in American law: the Eighth Amendment’s deliberate indifference standard from Farmer v. Brennan, 511 U.S. 825 (1994), the Fourteenth Amendment due process requirements from Wolff v. McDonnell, 418 U.S. 539 (1974), the Prison Rape Elimination Act under 34 USC §30301 and 28 CFR Part 115, CRIPA under 42 USC §1997, the First Step Act PATTERN risk assessment under 34 USC §60541, and civil rights liability under 42 USC §1983 collectively create a legal environment where an AI misclassification is not merely a technical error but a potential constitutional violation. The volume of visual data flowing through these systems — thousands of scanner display images per day per facility, continuous multi-camera video streams, millions of booking photograph comparisons annually — makes individual human review of every AI inference input impracticable. The adversarial prompt injection surface this creates is not a theoretical concern: any image artifact that reaches an AI vision encoder is potentially an injection vector, and correctional systems are operated by counterparties — incarcerated individuals, their associates, and adversarial third parties — who have strong incentives to subvert AI-assisted decisions affecting their liberty. No text-layer defense, system-prompt hardening, or output filter addresses this attack class; the perturbation is in the pixel layer, upstream of all downstream defenses.

TL;DR

Motorola Solutions VMS AI, Evolv Technology AI, Securus Technologies AI, Tyler Technologies Odyssey JMS AI, and SuperCom GPS monitoring AI — process contraband scanner display images, disciplinary incident video frames, gang affiliation booking photographs, and GPS location display images. Adversarially crafted images can cause AI to clear weapon-carrying individuals, misattribute use-of-force initiation, suppress gang affiliation flags affecting housing assignment, and fail to detect geo-fence violations triggering supervision revocation — at thresholds of 65 for contraband detection scanner display images, 60 for disciplinary incident video frame review, 55 for gang affiliation visual classification inputs, and 70 for GPS electronic monitoring anomaly display images. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in correctional facility and incarceration monitoring AI

1. Contraband detection image bypass (PREA 28 CFR §115.15, 8th Amendment Farmer v. Brennan)

Evolv Technology AI weapon and contraband screening systems are deployed at more than 1,500 correctional facilities, juvenile detention centers, and courthouse security checkpoints in the United States. The Evolv Express platform uses millimeter wave sensor arrays to generate dense scan images that capture the shape, density, and material composition of concealed objects on a subject’s body or in their carried items. These millimeter wave scan display images are not raw sensor output — they are processed visual representations designed to be consumed both by human security officers for secondary screening decisions and by Evolv’s AI classification layer, which assigns threat scores to detected object shapes in real time. Bag X-ray equivalent display images generated by companion X-ray screening equipment at the same facility checkpoints follow the same dual-consumption pattern: human-readable visual artifacts that an AI classifier also processes to flag metallic object density signatures, weapon silhouette matches, and prohibited item profiles. In county jails and state prisons running Tyler Technologies Odyssey JMS AI in combination with Evolv screening, the AI threat classification output at the entry checkpoint feeds directly into the JMS incident record for the individual passing through screening, creating a chain of AI-mediated decisions from entry through classification. The scale of this system means that at a medium-security facility processing 200 visitor screenings and 150 contractor entries per day, an individual officer reviews AI-assisted scan assessments hundreds of times per shift, with the AI classification result displayed prominently and coloring the officer’s secondary screening decision.

The adversarial attack against Evolv Technology AI contraband detection targets the pixel layer of the millimeter wave scan display image or the bag X-ray equivalent image at the moment it is passed to the AI classification engine. An attacker with knowledge of the display image format — obtainable through public documentation of Evolv system interfaces, security conference presentations, or insider access — can apply adversarial pixel perturbations to the weapon silhouette region of a scan display image, or to the metallic object shape characteristic rendering, or to the contraband item density map representation. These perturbations are imperceptible to the human officer viewing the display on the scanning station monitor but cause the Evolv AI classifier to output a threat-free classification for an image containing a weapon or prohibited item shape. The human officer, seeing a clean AI assessment, clears the individual through secondary screening. The adversarial perturbation does not require physical access to the hardware; if the scan display image is transmitted over a network path — to a central monitoring station, to a JMS integration endpoint, or to a cloud AI inference backend — the perturbation can be injected at any transmission point or pre-loaded into the scanning station display software by a malicious actor with network access.

The regulatory consequences of a successful contraband detection AI bypass in a correctional facility are severe and multiply compounded. The Prison Rape Elimination Act (PREA) under 34 USC §30301 and its implementing national standards at 28 CFR Part 115 impose mandatory cross-gender strip search protocols at 28 CFR §115.15, with facilities required to demonstrate that their search and screening procedures adequately detect prohibited items that could be used to facilitate sexual abuse. A facility that relies on AI-assisted screening to satisfy its PREA detection obligation, and whose AI can be bypassed by adversarial perturbation, has a compliance gap that could constitute a failure to maintain adequate safeguards under PREA. Under the Eighth Amendment’s deliberate indifference standard established in Farmer v. Brennan, 511 U.S. 825 (1994), facility administrators who knew or should have known of a substantial risk of serious harm to incarcerated individuals — including harm enabled by contraband that AI screening failed to detect — face personal liability. Civil rights lawsuits under 42 USC §1983 against facility officials for constitutional violations are the primary enforcement vehicle; the Department of Justice may also initiate CRIPA investigation under 42 USC §1997 where systemic screening failures affect the incarcerated population at a facility or system level. Penalty exposure from 42 USC §1983 judgments in correctional AI failure contexts has reached millions of dollars in individual cases.

2. Disciplinary incident video AI misclassification (14th Amendment Wolff v. McDonnell, First Step Act PATTERN)

Motorola Solutions Video Management System AI is the dominant video analytics platform in correctional facility deployments worldwide, operating in facilities that collectively process millions of hours of security camera footage annually. In a modern correctional deployment, Motorola Solutions VMS AI continuously analyzes video streams from dozens to hundreds of cameras across a facility, using AI-assisted analytics to detect motion events, classify incidents, and flag footage segments for human review. Securus Technologies AI, operating in 3,400+ correctional facilities, extends this video intelligence to video visitation sessions and communication monitoring contexts — analyzing visual content from inmate interactions with visitors and, in some deployments, from facility camera networks shared with the communication monitoring platform. In disciplinary proceedings, video frame images extracted from these camera networks serve as primary evidence: when a disciplinary hearing officer is adjudicating an alleged rule violation, the video evidence package submitted to the hearing typically consists of AI-curated frame sequences identified by the VMS AI as depicting the relevant incident. The AI classification layer determines which frames are flagged as incident frames, who is identified as an active participant, and in some deployments, what role participants are assigned in the event taxonomy — aggressor, responder, bystander. Tyler Technologies Odyssey JMS AI integrates this video evidence into the inmate disciplinary record, which in turn feeds the PATTERN risk and needs assessment tool mandated by the First Step Act under 34 USC §60541 for federal inmates and increasingly adopted by state systems for parole and release decisions.

The adversarial attack against disciplinary incident video AI targets the pixel layer of individual video frame images at the point they are extracted from the camera stream and processed by the VMS AI classification engine. Adversarial perturbations applied to the pixel layer of a video frame can cause the Motorola Solutions VMS AI to misclassify a staff-initiated use-of-force event as an inmate-initiated assault, or to misidentify which individual in a multi-person altercation struck first, or to fail to flag a use-of-force frame entirely, removing it from the evidence package presented at a disciplinary hearing. The perturbation does not need to be applied to every frame in a sequence — a sufficiently adversarial perturbation on the critical event frame that establishes the incident narrative can shift the entire AI-generated evidence package in a direction favorable to an attacker. Because the AI-curated evidence package is what the disciplinary hearing officer reviews, and because officers typically lack the time or technical capacity to review all raw footage independently, the adversarial misclassification in the AI layer directly shapes the hearing outcome. The same adversarial video frame evidence, when imported into the Tyler Technologies Odyssey JMS AI for PATTERN score recalculation, propagates the AI misclassification into the risk assessment that determines programming access, good-time credits, and release eligibility.

The Fourteenth Amendment due process requirements for prison disciplinary proceedings, established in Wolff v. McDonnell, 418 U.S. 539 (1974), include the requirement for an impartial decision-maker, written notice of charges, an opportunity to call witnesses and present documentary evidence, and a written statement of the evidence relied upon. Where the “documentary evidence relied upon” is an AI-curated video evidence package that has been adversarially manipulated, the hearing outcome fails the Wolff impartiality and evidence reliability requirements. An inmate who can demonstrate that AI misclassification tainted the evidence used in their disciplinary proceeding has a cognizable due process claim under 42 USC §1983. The First Step Act PATTERN tool, codified at 34 USC §60541, requires that risk and needs assessments be evidence-based and validated; PATTERN scores corrupted by adversarially manipulated disciplinary records fail this standard, creating vulnerability to challenge in compassionate release proceedings and sentence modification motions. CRIPA investigations under 42 USC §1997 triggered by patterns of procedurally defective disciplinary proceedings — including proceedings relying on AI-generated evidence — can result in DOJ consent decrees requiring facilities to implement independent verification of AI-generated evidence before its use in disciplinary hearings.

3. Gang affiliation visual classification bypass (ACA housing classification, DOJ BJA Security Threat Group standards)

Tyler Technologies Odyssey Jail Management System AI, running in more than 1,000 county jails across the United States, and Motorola Solutions VMS AI, in state prison deployments, together constitute the primary platforms for AI-assisted gang affiliation classification in correctional facilities. The Tyler Technologies Odyssey JMS AI processes inmate booking photograph images taken at intake, tattoo documentation photographs captured by booking officers and updated throughout incarceration, and clothing or insignia display images from facility camera networks or evidence intake. These images are submitted to AI classification workflows that compare tattoo imagery against databases of documented gang-affiliated symbols, insignia, and patterns; compare facial recognition outputs against watchlists of known gang-affiliated individuals; and assess clothing color patterns and symbolic imagery against gang identifier databases maintained by the facility, the state corrections department, and DOJ Bureau of Justice Assistance Security Threat Group program resources. The output of this classification — a gang affiliation flag and associated confidence score — directly determines housing assignment: documented gang members are separated from rival gang members, assigned to specific housing units, and may be placed in restrictive housing or protective custody depending on the classification outcome. Motorola Solutions VMS AI supplements this initial classification with ongoing monitoring of facility camera footage for gang-affiliated insignia display and group activity patterns, feeding continuous updates into the JMS housing classification record.

The adversarial attack against gang affiliation visual classification targets the pixel layer of tattoo documentation images, facial recognition comparison images, and insignia display images submitted to the Tyler Technologies Odyssey JMS AI or Motorola Solutions VMS AI classification engine. Adversarial pixel perturbations applied to a tattoo pattern display can cause the AI classifier to fail to match the tattoo against known gang symbol databases, even when the tattoo is visually a close match to a documented gang symbol to a human reviewer. The perturbation exploits the gap between the AI’s feature extraction pathway — optimized for speed and throughput across large image databases — and the human visual system’s pattern recognition capability. Similarly, adversarial perturbations on facial recognition comparison images can cause the AI to fail to match an individual against a gang-affiliated identity in the watchlist, suppressing the affiliation flag even when the biometric match score would otherwise be positive. An individual with knowledge of how the booking photograph and tattoo documentation workflow operates can introduce adversarial perturbations at the point where images are captured — through clothing, skin-applied patterns, or even adversarially structured tattoo designs — causing the AI classification to return a gang-affiliation-negative result. This incorrect classification results in a housing assignment that does not account for the individual’s actual affiliation, placing them and others in physical danger from rival group violence.

The American Correctional Association accreditation standards for housing classification require that facilities maintain documented, evidence-based classification processes for inmate housing assignment, including threat group identification procedures that meet reasonably current standards. DOJ Bureau of Justice Assistance Security Threat Group management program standards, referenced in state correctional policy across more than 40 jurisdictions, require that gang identification procedures be reliable and consistently applied. A facility whose AI-assisted gang affiliation classification can be bypassed by adversarial pixel manipulation has a classification procedure that fails both ACA and BJA standards. Under CRIPA at 42 USC §1997, the DOJ Civil Rights Division has authority to investigate and file suit against correctional facilities where systemic failures in classification result in a pattern of inadequate protection from harm — including harm from gang violence enabled by classification failures. Eighth Amendment deliberate indifference claims under 42 USC §1983 are available to incarcerated individuals placed at risk by a classification failure the facility knew or should have known was occurring. Where the gang affiliation bypass results in a protective custody denial for an individual at known risk from a gang, the facility’s ADA obligation under 42 USC §12132 to provide program access without disability-related discrimination may also be implicated where the at-risk individual has a qualifying condition.

4. Electronic monitoring GPS anomaly display bypass (First Step Act 34 USC §60541, 18 USC §3583 supervised release)

SuperCom GPS electronic monitoring AI and the STOP (Satellite Tracking of People) AI platform together supervise more than 300,000 individuals on community supervision — probation, parole, and pretrial release — across 200+ agencies in the United States. SuperCom’s OneStop monitoring platform uses AI anomaly detection to process GPS track display images, geo-fence boundary status visualization images, and ankle bracelet tamper indicator alert display images generated by the monitoring software interface. When a supervising probation officer’s or pretrial services officer’s dashboard generates a geo-fence boundary alert, that alert is represented as a visual artifact — a rendered map tile with overlaid GPS track data, geo-fence boundary polygon, and alert indicators — that the AI anomaly detection layer classifies as either a confirmed violation event or an artifact of GPS signal degradation, signal bounce, or device error. The AI classification output determines whether the alert escalates to a revocation referral or is dismissed as a false positive. At scale, where a single supervising officer may carry a caseload of 80 to 150 monitored individuals, the AI anomaly detection layer performs the initial triage of every alert, with human officer review focused on the events the AI flags as confirmed violations. Ankle bracelet tamper indicator display images, generated when the monitoring device detects strap cut attempts, magnetic interference, or waterproofing compromise, follow the same AI-first triage pattern: the AI assesses the tamper alert display image and classifies it as a genuine tamper event or a device malfunction signal before the officer reviews.

The adversarial attack against GPS electronic monitoring AI targets the pixel layer of the geo-fence boundary alert display image or the tamper indicator alert display image at the point it is rendered by the monitoring software and processed by the SuperCom AI anomaly detection layer. Adversarial pixel perturbations injected into the GPS track overlay image — achievable by an attacker who has access to the GPS data stream fed to the dashboard rendering engine, or who can introduce perturbations at the dashboard rendering layer itself — can cause the AI anomaly detection layer to classify a genuine geo-fence boundary crossing as a GPS artifact and dismiss the alert without escalation. The perturbation exploits the AI’s learned distinction between the visual signature of a genuine boundary violation track (a GPS point cluster showing boundary proximity with temporal consistency) and the visual signature of GPS signal degradation (scattered, non-directional point distribution). A perturbation that shifts the visual representation of a genuine violation toward the noise signature of GPS error suppresses the AI’s violation classification, causing the event to be logged as a dismissed false positive. Similarly, adversarial perturbations on ankle bracelet tamper indicator display images can cause the AI to classify a genuine tamper event as a device malfunction rather than an intentional removal attempt.

Under 18 USC §3583, a federal court may revoke a term of supervised release and impose a prison term when an individual has violated a condition of supervision, with the procedural predicate for revocation being a supervising officer’s referral based on documented violation evidence. An AI anomaly detection layer that systematically dismisses genuine geo-fence violations as false positives — due to adversarial perturbation of the alert display images it classifies — fails to generate the violation documentation required for a revocation referral under 18 USC §3148 (pretrial release revocation) or 18 USC §3583. For individuals supervised under the First Step Act’s provisions at 34 USC §60541 — including individuals in home confinement or graduated supervision programs — the failure to detect supervised release violations due to AI anomaly bypass also corrupts the PATTERN risk assessment input that determines continued program eligibility. Probation officer supervisory liability for failure to detect violations that a properly functioning AI monitoring system should have flagged is an emerging area of liability under federal supervision law. At the state level, parole violation detection failures traceable to AI monitoring bypass can generate CRIPA-adjacent state analogues and tort liability for supervising agencies where individuals on supervision commit new offenses during a period of AI-assisted monitoring failure.

Integration: correctional facility AI image ingestion with Glyphward pre-scan

The Glyphward scan gate belongs at the image ingestion point in each correctional AI pipeline — before the scanner display image, video frame, booking photograph, or GPS alert display is passed to the AI inference engine. The async pattern below handles all four correctional monitoring contexts through a shared scan_correctional_monitoring_ai_image function, with context-specific score thresholds and a structured audit write that satisfies correctional records requirements for incident documentation and constitutional due process evidence chains.

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Per-context thresholds derived from correctional AI risk profile
CONTRABAND_DETECTION_THRESHOLD = 65   # Evolv Technology AI scanner display images
DISCIPLINARY_VIDEO_THRESHOLD    = 60   # Motorola VMS / Securus Technologies video frames
GANG_CLASSIFICATION_THRESHOLD   = 55   # Tyler Odyssey JMS booking photographs / tattoos
GPS_MONITORING_THRESHOLD        = 70   # SuperCom / STOP GPS alert display images


class CorrectionalMonitoringAIContext(Enum):
    CONTRABAND_DETECTION   = "contraband_detection"    # threshold 65
    DISCIPLINARY_VIDEO     = "disciplinary_video"      # threshold 60
    GANG_CLASSIFICATION    = "gang_classification"     # threshold 55
    GPS_MONITORING         = "gps_monitoring"          # threshold 70


_CONTEXT_THRESHOLDS: dict[CorrectionalMonitoringAIContext, int] = {
    CorrectionalMonitoringAIContext.CONTRABAND_DETECTION: CONTRABAND_DETECTION_THRESHOLD,
    CorrectionalMonitoringAIContext.DISCIPLINARY_VIDEO:   DISCIPLINARY_VIDEO_THRESHOLD,
    CorrectionalMonitoringAIContext.GANG_CLASSIFICATION:  GANG_CLASSIFICATION_THRESHOLD,
    CorrectionalMonitoringAIContext.GPS_MONITORING:       GPS_MONITORING_THRESHOLD,
}


class AdversarialCorrectionalMonitoringAIImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in a
    correctional monitoring AI input image above the context threshold.

    Attributes:
        scan_id: Glyphward scan identifier for the audit record.
        score: Adversarial signal score (0-100).
        context: The CorrectionalMonitoringAIContext in which detection occurred.
        flagged_region: Optional dict describing the pixel region containing the signal.
    """

    def __init__(
        self,
        scan_id: str,
        score: int,
        context: CorrectionalMonitoringAIContext,
        flagged_region: dict | None = None,
    ) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial correctional monitoring AI image detected: "
            f"context={context.value} score={score} scan_id={scan_id}"
        )


async def scan_correctional_monitoring_ai_image(
    image_path: Path,
    context: CorrectionalMonitoringAIContext,
    facility_entity_hash: str,
    incident_report_ref: str,
    monitoring_session_id: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan a correctional facility AI input image for adversarial pixel content.

    Args:
        image_path: Absolute path to the image file to be scanned.
        context: CorrectionalMonitoringAIContext enum value identifying the
                 AI pipeline this image is destined for.
        facility_entity_hash: SHA-256 hash of the facility identifier (do not
                              transmit raw facility PII to the scan endpoint).
        incident_report_ref: Incident or case reference number for audit correlation.
        monitoring_session_id: Session identifier for the monitoring run.
        client: Shared httpx.AsyncClient for connection reuse.

    Returns:
        Glyphward scan result dict with keys: scan_id, score, flagged_region, modality.

    Raises:
        AdversarialCorrectionalMonitoringAIImageError: if score exceeds threshold.
        httpx.HTTPStatusError: on Glyphward API errors.
    """
    threshold = _CONTEXT_THRESHOLDS[context]
    image_bytes = image_path.read_bytes()
    image_hash = hashlib.sha256(image_bytes).hexdigest()

    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"correctional:{context.value}:{monitoring_session_id}",
        "metadata": {
            "facility_entity_hash": facility_entity_hash,
            "incident_report_ref": incident_report_ref,
            "image_sha256": image_hash,
        },
    }

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=5.0,
    )
    resp.raise_for_status()
    result = resp.json()  # {score: 0-100, flagged_region, scan_id, modality}

    await write_correctional_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        threshold=threshold,
        facility_entity_hash=facility_entity_hash,
        incident_report_ref=incident_report_ref,
        monitoring_session_id=monitoring_session_id,
        flagged=result["score"] > threshold,
    )

    if result["score"] > threshold:
        raise AdversarialCorrectionalMonitoringAIImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            flagged_region=result.get("flagged_region"),
        )

    return result


async def write_correctional_scan_audit(
    *,
    image_hash: str,
    scan_id: str,
    score: int,
    context: CorrectionalMonitoringAIContext,
    threshold: int,
    facility_entity_hash: str,
    incident_report_ref: str,
    monitoring_session_id: str,
    flagged: bool,
) -> None:
    """Append a structured JSON audit record to the correctional scan log.

    The audit log satisfies correctional records retention requirements and
    provides per-scan evidence for constitutional due process documentation,
    CRIPA investigation response, and 42 USC 1983 litigation discovery.
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": threshold,
        "flagged": flagged,
        "facility_entity_hash": facility_entity_hash,
        "incident_report_ref": incident_report_ref,
        "monitoring_session_id": monitoring_session_id,
    }
    audit_path = Path("/var/log/glyphward/correctional_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")


# Example: scan a batch of images from different correctional AI contexts
async def process_correctional_image_batch(
    images: list[tuple[Path, CorrectionalMonitoringAIContext, str, str, str]],
) -> list[dict]:
    """Process a batch of (path, context, facility_hash, incident_ref, session_id) tuples."""
    async with httpx.AsyncClient() as client:
        tasks = [
            scan_correctional_monitoring_ai_image(
                image_path=path,
                context=ctx,
                facility_entity_hash=feh,
                incident_report_ref=irr,
                monitoring_session_id=sid,
                client=client,
            )
            for path, ctx, feh, irr, sid in images
        ]
        results = []
        for coro in asyncio.as_completed(tasks):
            try:
                results.append(await coro)
            except AdversarialCorrectionalMonitoringAIImageError as exc:
                results.append({
                    "status": "quarantined",
                    "context": exc.context.value,
                    "scan_id": exc.scan_id,
                    "score": exc.score,
                    "flagged_region": exc.flagged_region,
                })
        return results

Deploy scan_correctional_monitoring_ai_image at the image ingestion boundary of each correctional AI pipeline: at the Evolv Technology AI scanner display image export endpoint, at the Motorola Solutions VMS AI frame extraction step, at the Tyler Technologies Odyssey JMS booking photograph upload handler, and at the SuperCom GPS alert dashboard rendering output. The structured audit log produced by write_correctional_scan_audit generates per-image scan evidence that satisfies correctional records retention requirements, supports constitutional due process documentation in disciplinary proceedings under Wolff v. McDonnell, and provides discovery-ready records in CRIPA investigation response and 42 USC §1983 litigation contexts. Get early access

Coverage matrix

Tool	Contraband scanner display image adversarial injection	Disciplinary video frame adversarial injection	Gang affiliation image adversarial injection	GPS monitoring display adversarial injection
Lakera Guard	No (text only)	No (text only)	No (text only)	No (text only)
LLM Guard	No (text only)	No (text only)	No (text only)	No (text only)
Azure Prompt Shields	No (text only)	No (text only)	No (text only)	No (text only)
Platform-native (Evolv Technology AI, Motorola Solutions VMS AI, Tyler Odyssey JMS AI, SuperCom GPS AI)	No adversarial injection detection	No adversarial injection detection	No adversarial injection detection	No adversarial injection detection
Glyphward	Yes — scans scanner display image bytes before AI classification; threshold 65; audit trail per scan	Yes — scans video frame bytes before VMS/Securus AI inference; threshold 60; incident report ref logged	Yes — scans booking photograph and tattoo image bytes before JMS classification; threshold 55; facility hash logged	Yes — scans GPS alert display image bytes before SuperCom/STOP anomaly detection; threshold 70; session ID logged

Related questions

What is PREA and how does the 28 CFR Part 115 standard apply to AI-assisted contraband detection?

The Prison Rape Elimination Act, enacted under 34 USC §30301, establishes the national legal framework for eliminating sexual abuse in confinement settings. Its implementing regulations at 28 CFR Part 115, issued by the Department of Justice and enforced through the PREA Auditor program, impose specific operational requirements on correctional facilities that govern how searches and screenings must be conducted to detect items that could be used to facilitate abuse. The cross-gender strip search restrictions at 28 CFR §115.15 require facilities to rely on technology-assisted screening methods — including advanced screening equipment such as millimeter wave scanners — precisely to reduce the need for manual searches that raise PREA compliance concerns. When a facility uses AI-assisted contraband detection to fulfill this technological screening obligation, the reliability of that AI becomes part of its PREA compliance posture.

An AI contraband detection system that can be subverted by adversarial pixel perturbations in the scanner display image fails to provide the detection reliability that the PREA technological screening substitution rationale assumes. If the AI clears an individual carrying a prohibited item because adversarial perturbations have suppressed the weapon signature in the display image, the facility has a PREA gap: its technological screening procedure did not perform as required, and its reliance on the AI assessment to satisfy the screening obligation was misplaced. In a PREA audit or DOJ investigation context, the question is whether the facility had adequate controls to ensure its AI-assisted screening procedures were reliable — and a facility that has deployed adversarial image scanning as a pre-AI-inference control has documented evidence of due diligence that a facility relying solely on the AI vendor’s baseline reliability representations does not.

How does the First Step Act PATTERN risk assessment create adversarial injection dimensions in correctional AI?

The First Step Act of 2018, codified in relevant part at 34 USC §60541, requires the Bureau of Prisons to use a validated risk and needs assessment tool — the PATTERN (Prisoner Assessment Tool Targeting Estimated Risk and Needs) system — to classify every federal inmate’s risk level and program needs. PATTERN scores determine access to productive activities that earn time credits toward earlier release, placement in prerelease custody including home confinement, and eligibility for compassionate release consideration. A high PATTERN score can delay or prevent release; an artificially inflated score — driven by AI-misclassified disciplinary incidents — has direct consequences for an individual’s sentence. Many state correctional systems have adopted comparable risk assessment instruments that draw on similar disciplinary record inputs.

The adversarial injection dimension in PATTERN arises because disciplinary record data that feeds PATTERN score calculation is generated by AI-assisted incident review pipelines. Motorola Solutions VMS AI misclassification of a use-of-force incident — attributing staff-initiated force to an inmate due to adversarial perturbation in the video frame evidence — produces a disciplinary record that incorrectly reflects an inmate-initiated assault. That incorrect disciplinary record feeds the PATTERN scoring algorithm, inflating the individual’s risk score. The individual serves additional time or loses earned time credits because an adversarially manipulated video frame propagated an error through the AI disciplinary evidence pipeline into the risk assessment. First Step Act litigation has increasingly focused on the accuracy of the inputs to PATTERN scoring; adversarial image injection is the upstream attack vector that corrupts those inputs before the scoring algorithm ever runs.

What is CRIPA and when does the DOJ use it to investigate correctional facility AI compliance failures?

The Civil Rights of Institutionalized Persons Act, at 42 USC §1997, grants the Department of Justice Civil Rights Division authority to investigate conditions in state and local correctional facilities where there is reasonable cause to believe that incarcerated individuals are being subjected to egregious or flagrant conditions that deprive them of rights, privileges, or immunities secured or protected by the Constitution or laws of the United States. CRIPA investigations can result in findings letters, consent decrees, and court-enforceable remedial plans requiring specific operational changes. The DOJ has used CRIPA to address constitutional failures across a wide range of correctional conditions including inadequate medical care, excessive use of force, inadequate protection from harm, and deficient classification procedures.

AI compliance failures in correctional settings create CRIPA exposure when they reflect systemic patterns rather than isolated incidents. A pattern of disciplinary proceedings relying on AI-curated video evidence that has not been validated against adversarial manipulation — leading to a pattern of due process violations — is exactly the kind of systemic failure that CRIPA investigations address. Similarly, a pattern of AI-assisted gang classification failures leading to documented harm from incorrectly classified housing assignments implicates CRIPA failure-to-protect standards. CRIPA does not require individual plaintiffs; the DOJ initiates investigations on its own authority and can obtain systemic relief without the litigation costs of coordinated 42 USC §1983 class actions. Facilities that can demonstrate they have deployed pre-AI-inference adversarial image scanning controls — with documented audit trails — have a materially stronger position in responding to CRIPA investigation inquiries than facilities that cannot document any such controls.

How does the 14th Amendment disciplinary due process requirement from Wolff v. McDonnell apply to AI-assisted incident classification?

Wolff v. McDonnell, 418 U.S. 539 (1974), established that prison disciplinary proceedings implicating a serious sanction — loss of good-time credits, punitive segregation — must satisfy minimum procedural due process requirements, including advance written notice of the charges, an opportunity to call witnesses and present documentary evidence where doing so would not be unduly hazardous, and a written statement by the factfinders of the evidence relied on and the reasons for the disciplinary action taken. The requirement that the decision-maker be sufficiently impartial and that the evidence relied upon be identified in writing means that the reliability and integrity of the documentary evidence package presented at a disciplinary hearing is constitutionally material.

When the documentary evidence package consists of AI-curated video frames identified by Motorola Solutions VMS AI or Securus Technologies AI as depicting the relevant incident, the constitutional reliability of those frames depends on whether the AI curation process was protected against adversarial manipulation. An inmate who can show that the AI-selected video evidence used in their disciplinary proceeding was produced by an AI system that is susceptible to adversarial pixel injection — and that the facility had no controls to detect such injection — has a colorable argument that the evidence relied upon by the hearing officer was not constitutionally reliable, and that the proceeding violated Wolff due process requirements. This argument is available both in direct challenges to disciplinary sanctions under 42 USC §1983 and in habeas corpus proceedings where the disciplinary record has downstream effects on sentence calculation. Facilities that scan AI evidence images with Glyphward before incorporating them into disciplinary evidence packages create a documented chain of custody that supports the reliability of the evidence record.

What are the GPS electronic monitoring compliance requirements under 18 USC §3583 and the First Step Act and how do they interact with AI bypass?

18 USC §3583 governs the imposition and revocation of supervised release terms for federal offenders. Under §3583(e)(3), a court may revoke a term of supervised release and require the individual to serve additional prison time upon finding by a preponderance of the evidence that the individual violated a condition of supervised release. The evidentiary predicate for a revocation petition is typically a violation report prepared by the supervising probation officer, documenting the nature, date, and time of the alleged violation. For GPS-monitored individuals, that documentation comes from the monitoring platform — SuperCom or STOP — and the AI anomaly detection layer that classifies alert events as genuine violations versus GPS artifacts. 18 USC §3148 governs pretrial release revocation under similar evidentiary standards.

The First Step Act’s home confinement and graduated supervision provisions at 34 USC §60541 expand the use of electronic monitoring as an alternative to incarceration, making GPS monitoring AI reliability a question that now affects a larger population. Where an AI monitoring system fails to flag a genuine geo-fence violation because adversarial pixel perturbations in the GPS alert display image suppressed the anomaly classification, the supervising officer never generates a violation report, the court never receives a revocation petition, and an individual who violated their supervision conditions continues under a monitoring program that is no longer functioning as designed. The systemic failure mode is an under-enforcement gap rather than a false positive — violations that should trigger revocation do not, because the AI monitoring layer has been compromised. This creates liability exposure for supervising agencies when monitored individuals commit new offenses during a period of AI monitoring failure, and creates compliance exposure under BOP and DOJ supervision standards where home confinement is supposed to be subject to rigorous monitoring equivalent in effect to incarceration.