Public safety AI · Wildfire detection AI · Emergency dispatch AI · Disaster response AI

Prompt injection in public safety AI

Public safety AI sits at the highest-consequence end of the AI deployment spectrum, where AI-assisted decisions directly influence life-safety outcomes: wildfire evacuation order timing, emergency resource dispatch priority, evidence integrity in criminal proceedings, and disaster damage assessment that determines aid allocation after major natural disasters. Pano AI operates a network of high-resolution 360-degree panoramic cameras combined with AI smoke and fire detection models deployed across US states (California, Oregon, Washington, Colorado) to provide automated wildfire detection for CAL FIRE, Oregon Department of Forestry, and utility companies (PG&E, Pacific Power, Xcel Energy) — providing early fire detection that has supported evacuation order decisions affecting tens of thousands of residents. OroraTech’s Wildfire Solution uses satellite thermal infrared data with AI anomaly detection to provide global wildfire monitoring for government agencies, forestry services, and reinsurance companies, operating daily monitoring over 320 million km² of land surface. RapidSOS operates an emergency data platform that integrates with 9-1-1 call centres, combining AI-assisted data analysis of emergency caller photographs, structured incident data, and sensor feeds to enrich emergency dispatcher situational awareness — used by over 5,000 emergency communications centres across the United States. Axon’s AI—powered evidence management platform (Axon Evidence, Axon Respond, Axon Auto-Tagging AI) processes body camera video frames, drone footage, and crime scene photographs submitted through the Axon Evidence cloud platform by law enforcement agencies including 70% of US law enforcement agencies, UK police forces, and law enforcement in 20+ countries. The adversarial image injection threat to public safety AI exploits photograph and image submission pathways in wildfire monitoring camera networks, emergency dispatch integration APIs, body camera evidence upload systems, and disaster assessment satellite data portals. This page covers four injection surfaces and how Glyphward’s pre-scan gate addresses the threat at the public safety AI image ingestion boundary.

TL;DR

Public safety AI — Pano AI wildfire detection, OroraTech satellite thermal AI, RapidSOS emergency dispatch AI, Axon body camera AI — processes wildfire detection camera images, emergency incident photographs, body camera evidence frames, and disaster damage satellite imagery. Adversarially crafted images submitted through wildfire camera networks, emergency dispatch integrations, body camera upload systems, and disaster assessment portals can suppress fire detection alerts, corrupt emergency severity flags, falsify evidence classification, and under-report disaster damage scores. Glyphward scans each image at the ingestion boundary with a threshold of ≥ 50 for public safety AI inputs (life-safety — delayed wildfire evacuation or misallocated emergency resources → potential fatalities). Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in public safety AI

1. Wildfire detection AI adversarial thermal image injection (Pano AI, OroraTech, AlertWildfire)

Wildfire early detection AI combines optical and thermal camera feeds with smoke detection deep-learning models and satellite thermal anomaly detection to identify ignition events before they expand to catastrophic scale — a detection window measured in minutes for rapidly spreading grassland and chaparral fires in high-wind conditions. Pano AI’s panoramic camera network operates high-resolution 360-degree cameras on towers, ridgelines, and utility infrastructure at 5–minute pan cycle intervals, processing each panoramic image frame through a multi-stage AI smoke and fire detection pipeline that runs plume segmentation, thermal anomaly detection, and cross-station triangulation before generating a verified detection event for human dispatcher review. AlertWildfire operates a similar camera network across the western United States, providing University of Nevada / University of Oregon partnerships for early detection research alongside operational detection support for state forestry agencies. OroraTech processes Copernicus Sentinel-3 and commercial thermal infrared satellite data through its wildfire AI backend to provide daily and sub-daily fire perimeter mapping and new ignition detection for government fire agencies and reinsurance clients. The adversarial injection surface involves supplementary image submissions to wildfire AI platforms: utility companies (PG&E, SDG&E, Pacific Power), state forestry agencies, and fire weather researchers submit additional camera images — from portable cameras, weather station cameras, drone overflights — through Pano AI’s partner portal and AlertWildfire’s camera network integration APIs to augment coverage in camera gap areas. An adversarially crafted smoke or thermal camera image — in which pixel-level perturbations applied to a visible smoke column, a thermal plume feature, or a flame illumination region in a camera frame reduce the apparent intensity or extent of the fire signature — submitted through a partner camera integration API can suppress a detection event that the wildfire AI would otherwise have generated. For rapidly spreading fires in dry vegetation under high-wind conditions (Diablo winds, Santa Ana winds), a detection delay of even 15–30 minutes — the period during which an adversarial suppression attack maintains the fire below the AI detection threshold — can represent a fire perimeter expansion of 500–2,000 acres that changes the evacuation order area from a manageable voluntary evacuation to an emergency mass evacuation, or that causes loss-of-life in zones that were passable minutes earlier. The Camp Fire (Paradise, California, 2018) killed 85 people in part because the fire’s rate of spread was faster than early warning systems supported. The adversarial motivation is potentially tied to fire weather reporting manipulation for insurance or real estate fraud, arson concealment, or hostile nation-state disruption of critical infrastructure response systems.

2. Emergency evidence photo injection in CAD AI (RapidSOS AI, Priority Dispatch ProQA, Axon Respond)

Emergency dispatch AI processes photographs and images submitted by emergency callers and first responders through 9-1-1 text/photo integrations and first responder mobile applications to provide dispatchers with enhanced situational awareness about the nature, location, and severity of emergency incidents. RapidSOS’s Harmony platform processes caller-submitted photographs, medical device data, and structured incident information received through 9-1-1 carrier integrations (AT&T Enhanced 9-1-1, T-Mobile Emergency Data Service) to augment the dispatcher’s CAD (Computer-Aided Dispatch) record with AI-classified incident severity enrichment. Axon Respond processes drone footage and first responder mobile camera images submitted by law enforcement through the Axon platform during active incidents to provide real-time AI-assisted situational awareness for incident commanders. Priority Dispatch’s ProQA AI and National Academies Emergency Dispatch (NAED) AI products provide AI-assisted call classification and resource recommendation based on structured incident data combined with caller-submitted visual information. The adversarial injection surface involves the public-facing photograph submission channels: 9-1-1 text-to-9-1-1 services and emergency platform integrations accept photographs submitted by members of the public reporting incidents. An adversarially crafted incident photograph — in which pixel-level perturbations applied to a structure fire, a medical emergency scene, or a vehicle collision scene reduce the apparent severity of the incident — submitted through a text-to-9-1-1 photo integration can cause the RapidSOS AI severity classifier to assign a lower priority code to the incident, potentially delaying the dispatch of higher-capability resources (aerial platform, advanced life support unit, hazmat team) by routing the incident to a lower-tier initial response. For time-critical emergency scenarios — structure fires in multi-family residential buildings, out-of-hospital cardiac arrest, major trauma from motor vehicle accidents — a resource dispatch delay of even 3–5 minutes caused by an adversarially downgraded AI severity assessment has direct outcome consequence: for cardiac arrest, each minute without defibrillation reduces survival probability by approximately 10%; for structure fires, the doubling time for fire spread in modern lightweight residential construction is 2–4 minutes. The adversarial motive for emergency dispatch AI injection includes insurance fraud (reducing the documented severity of an incident to limit property damage and liability claims), law enforcement evasion (suppressing the apparent severity of a crime scene to reduce the initial response resource level), and potential hostile disruption of emergency response infrastructure.

3. Body camera evidence AI injection (Axon Auto-Tagging AI, Motorola Solutions VideoManager AI, Getac AI)

Law enforcement body camera evidence AI processes video frames and still image captures from Axon Body 3/4, Motorola Solutions V700, and Getac BC-08 body cameras uploaded through evidence management platforms to perform automated tagging, redaction, evidence categorisation, and incident flagging that feeds criminal case management workflows. Axon’s Auto-Tagging AI — deployed by police forces including Seattle PD, Denver PD, West Midlands Police, and the Metropolitan Police Service — classifies uploaded body camera footage frames to identify persons, objects (weapons, vehicles), and scene elements relevant to criminal investigation categories, generating suggested evidence tags and scene descriptions that feed the Evidence.com case file for prosecutor and defence disclosure. Motorola Solutions’ VideoManager AI and Genetec Security Center Clearance AI perform similar automated evidence classification for Motorola-equipped law enforcement agencies. The adversarial injection surface involves body camera footage uploaded through evidence platform APIs: body cameras upload footage through docking station sync or cellular upload to the evidence platform immediately after an incident. An adversarially crafted body camera video frame — in which pixel-level perturbations applied to a weapon, a vehicle registration plate, or a subject’s face reduce the AI classification confidence below the threshold for an evidence tag, or cause an AI object detection model to misclassify a weapon as a non-weapon object — could in principle be inserted into a body camera upload stream by a compromised docking station, a compromised evidence platform integration, or a post-hoc manipulation of the uploaded footage before the AI evidence tagging run. For criminal cases where body camera AI auto-tagging is used to identify key evidence frames in large volumes of footage — a 12-hour patrol shift producing 8+ hours of footage — an adversarial manipulation that causes the AI to miss a critical evidence frame affects the evidence available to prosecutors and defence counsel. In Brady v. Maryland contexts (US constitutional obligation to disclose exculpatory evidence), a missed exculpatory frame — caused by adversarial AI manipulation that suppresses the AI evidence tag for a scene showing officer misconduct or an exculpatory subject location — creates a due process violation risk independent of the AI adversarial attack itself. The National Institute of Justice (NIJ) Body Camera Policy and Implementation Program and CJIS (Criminal Justice Information Services) Security Policy establish data integrity requirements for law enforcement digital evidence; adversarial manipulation of evidence AI input data falls within the “data integrity” and “audit trail” requirements of CJIS Security Policy v5.9.

4. Disaster damage satellite image injection in claims and response AI (One Concern, Intermap, FEMA AI)

Disaster damage assessment AI processes satellite imagery from commercial earth observation providers (Maxar Technologies, Planet Labs, Airbus Defence & Space, Satellogic) combined with building footprint data and damage classification AI to generate post-disaster damage assessment products used by government emergency management agencies, humanitarian aid organisations, and insurance companies to allocate response resources and settle insurance claims. One Concern’s Domino AI platform processes satellite imagery and sensor data to generate hazard and impact assessment products for government agencies and public utilities in earthquake and wildfire scenarios. Intermap Technologies’ disaster assessment AI and FEMA’s Rapid Damage Assessment (RDA) programme use AI-assisted satellite image interpretation to produce Initial Damage Estimates (IDEs) and Preliminary Damage Assessments (PDAs) that underpin federal disaster declaration requests and Individual Assistance (IA) program disbursement. The adversarial injection surface involves satellite imagery submitted through damage assessment portals: disaster response organisations, municipal emergency managers, and insurance carriers submit satellite image tiles through damage assessment platforms for AI classification of structural damage severity (FEMA damage classification: Affected/Minor/Major/Destroyed). An adversarially crafted post-disaster satellite image tile — in which pixel-level perturbations applied to collapsed or heavily damaged structures reduce the apparent structural damage severity in the colour and texture features that the AI damage classifier uses — submitted through a damage assessment portal can cause the AI to under-report structural damage in a specific geographic area, reducing the AI-generated damage estimate for that zone. For FEMA Individual Assistance determinations, an AI damage assessment that under-reports damage in a geographic zone affects the eligibility threshold for federal disaster assistance for residents in that zone — a consequence that has direct financial and humanitarian impact on affected populations. For private insurance carriers using AI-assisted satellite damage assessment for rapid claims settlement (Verisk Geomatics, CoreLogic, Swiss Re iptiQ AI), adversarially crafted satellite images that under-report property damage reduce AI-generated claim estimates below actual loss — creating a systematic claims underpayment that affects policyholders in the adversarially targeted area while the manipulation is effectively invisible until physical inspection reveals the discrepancy. The insurance fraud adversarial motion — a policyholder or public adjuster who manipulates the satellite AI assessment to support a higher or lower claim than the actual loss — is the most accessible threat model because satellite image tiles are submitted through adjuster and public-agency portals with authentication but without image content integrity verification.

Integration: public safety AI image ingestion with Glyphward pre-scan

Public safety AI image ingestion flows from wildfire camera network partner APIs, 9-1-1 text/photo integrations, body camera evidence upload platforms, and disaster assessment satellite image portals into AI processing queues. Insert Glyphward’s pre-scan at the ingestion boundary before images reach the wildfire detection, dispatch severity, evidence tagging, or damage assessment AI:

import asyncio
import base64
import hashlib
import os
import uuid
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Strictest threshold: life-safety — delayed wildfire evacuation, missed
# emergency resource dispatch, or suppressed disaster damage flags have
# direct fatality and humanitarian consequence.
THRESHOLD_PUBLIC_SAFETY_AI = 50


class PublicSafetyAIContext(str, Enum):
    WILDFIRE_DETECTION = "wildfire_detection"       # Pano AI, OroraTech, AlertWildfire
    EMERGENCY_DISPATCH = "emergency_dispatch"       # RapidSOS, Priority Dispatch, Axon Respond
    EVIDENCE_REVIEW = "evidence_review"             # body camera, crime scene, dashcam
    DISASTER_ASSESSMENT = "disaster_assessment"     # satellite damage, claims AI


async def scan_public_safety_image(
    image_source: str | Path | bytes,
    context: PublicSafetyAIContext,
    incident_id_hash: str,     # SHA-256 of incident identifier (not raw CAD number)
    source_system: str,        # e.g. "pano-ai", "rapidsos", "axon-evidence"
    client: httpx.AsyncClient,
) -> dict:
    """
    Scan a public safety AI image for adversarial injection payloads before
    forwarding to wildfire detection, dispatch severity, evidence review, or disaster AI.
    Audit record: incident_id_hash only — no raw CAD numbers, case numbers, or PII.
    """
    if isinstance(image_source, (str, Path)):
        image_bytes = Path(image_source).read_bytes()
    else:
        image_bytes = image_source

    image_b64 = base64.b64encode(image_bytes).decode()
    image_sha256 = hashlib.sha256(image_bytes).hexdigest()
    scan_id = str(uuid.uuid4())

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "safety_context": context.value,
                "incident_id_hash": incident_id_hash,
                "source_system": source_system,
                "client_scan_id": scan_id,
                "image_sha256": image_sha256,
            },
        },
        timeout=8.0,
    )
    resp.raise_for_status()
    result = resp.json()

    audit_record = {
        "incident_id_hash": incident_id_hash,
        "source_system": source_system,
        "safety_context": context.value,
        "scan_id": result["scan_id"],
        "client_scan_id": scan_id,
        "image_sha256": image_sha256,
        "score": result["score"],
        "flagged_region": result.get("flagged_region"),
        "threshold": THRESHOLD_PUBLIC_SAFETY_AI,
        "action": "blocked" if result["score"] >= THRESHOLD_PUBLIC_SAFETY_AI else "allowed",
    }
    await write_public_safety_audit_record(audit_record)

    if result["score"] >= THRESHOLD_PUBLIC_SAFETY_AI:
        raise AdversarialPublicSafetyImageError(
            f"Public safety AI image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"system={source_system}"
        )
    return result


async def scan_wildfire_camera_batch(
    frame_paths: list[Path],
    incident_id_hash: str,
    source_system: str,
) -> dict:
    """Scan a wildfire camera frame batch concurrently before fire detection AI."""
    allowed, blocked, errors = [], [], []

    async with httpx.AsyncClient() as client:
        tasks = [
            scan_public_safety_image(
                p,
                PublicSafetyAIContext.WILDFIRE_DETECTION,
                incident_id_hash,
                source_system,
                client,
            )
            for p in frame_paths
        ]
        results = await asyncio.gather(*tasks, return_exceptions=True)

    for path, result in zip(frame_paths, results):
        if isinstance(result, AdversarialPublicSafetyImageError):
            blocked.append({"path": str(path), "error": str(result)})
        elif isinstance(result, Exception):
            errors.append({"path": str(path), "error": str(result)})
        else:
            allowed.append({"path": str(path), "scan_id": result["scan_id"]})

    return {
        "source_system": source_system,
        "context": PublicSafetyAIContext.WILDFIRE_DETECTION.value,
        "total": len(frame_paths),
        "allowed": len(allowed),
        "blocked": len(blocked),
        "errors": len(errors),
        "blocked_items": blocked,
    }


async def write_public_safety_audit_record(record: dict) -> None:
    """Persist audit record to your CJIS-compatible public safety audit log (stub)."""
    import json, sys
    print(json.dumps(record), file=sys.stderr)


class AdversarialPublicSafetyImageError(Exception):
    """Raised when a public safety AI image exceeds the adversarial injection threshold."""
    pass

The incident_id_hash and source_system fields provide the CJIS-compatible evidence chain: a blocked evidence review image links scan_id + incident_id_hash + image_sha256 for post-incident investigation without storing raw CAD numbers or case identifiers in the audit log. For wildfire detection contexts, route blocked camera images to an immediate human dispatcher review — a blocked detection image should not suppress a potential fire event; the conservative action is to escalate for human assessment. Get early access

Coverage matrix

Control	Wildfire detection AI injection	Emergency dispatch AI injection	Body camera evidence AI injection	Disaster assessment AI injection
Text-only PI scanner (Lakera, LLM Guard)	No — pixel payloads not seen	No — pixel payloads not seen	No — pixel payloads not seen	No — pixel payloads not seen
CJIS Security Policy v5.9 (evidence platform)	Not applicable to wildfire detection	Not applicable to emergency dispatch AI inputs	Requires audit trails and access controls; does not mandate adversarial image content validation	Not applicable to disaster assessment AI
Human dispatcher review (wildfire, dispatch)	Reviews AI-generated detection events; does not independently validate camera images for adversarial manipulation before AI	Reviews AI severity enrichment; does not independently assess caller photos for adversarial content before AI	Not applicable to real-time dispatch	Reviews AI damage grids; does not independently validate satellite tiles for adversarial manipulation
Glyphward	Yes — threshold 50; incident_id_hash + scan_id + image_sha256 wildfire audit trail	Yes — threshold 50; source_system + scan_id; CAD integration audit record	Yes — threshold 50; incident_id_hash + scan_id; CJIS-compatible audit trail	Yes — threshold 50; incident_id_hash + scan_id; FEMA/insurance audit record

Related questions

How does the wildfire detection adversarial injection threat compare to traditional wildfire monitoring failures?

Traditional wildfire monitoring failures — camera outages, power failures, network connectivity loss, sensor malfunctions — are observable failure modes: when a camera goes offline or a sensor fails, the monitoring system flags the loss of coverage and emergency managers can compensate by deploying aerial reconnaissance or activating neighbouring sensor coverage. Adversarial wildfire detection AI injection is qualitatively different because it is an invisible failure: the camera is functioning, the network is connected, and the AI is receiving and processing images — but it is processing adversarially crafted images that cause it to generate a false all-clear assessment for a zone that is actually experiencing an ignition event. The monitoring operator has no indication that anything is wrong with the camera or the AI — the AI is simply reporting no detection, which is the same output it produces for a genuine no-fire condition. This invisible failure characteristic makes adversarial wildfire AI injection potentially more dangerous than observable technical failures, because the operator’s fallback procedures — deploy aerial reconnaissance when a camera goes offline — are not triggered. The detection is what is compromised, not the camera availability. Robust adversarial defence for wildfire AI therefore requires both input integrity validation (Glyphward pre-scan) and output anomaly detection: if a camera in a high-fire-risk zone under elevated fire weather conditions (HVRA — High Fire Hazard Severity Zone, Red Flag Warning) is consistently reporting no detection events when neighbouring cameras report smoke indicators, that pattern should trigger a human review regardless of whether individual images pass or fail the AI detection threshold.

What legal protections apply to adversarial attacks on emergency dispatch or body camera evidence AI?

Adversarial attacks on emergency dispatch AI and body camera evidence AI potentially engage multiple bodies of law. At the federal level in the United States, the Computer Fraud and Abuse Act (CFAA) criminalises unauthorised access to and intentional damage of protected computers — and public safety computer systems (9-1-1 CAD systems, law enforcement evidence platforms) qualify as protected computers under the CFAA’s government computer definition. An adversarial attack on RapidSOS or Axon that causes a computer to process a false emergency severity assessment or false evidence tag — even if the image is submitted through an authenticated submission pathway — could be construed as “intentionally causing damage without authorisation” under 18 U.S.C. § 1030(a)(5). For body camera evidence, tampering with or altering evidence in a criminal investigation is a federal crime under 18 U.S.C. § 1512 (tampering with a witness, victim, or informant) and § 1519 (destruction, alteration, or falsification of records in federal investigations). An adversarial image injection that causes a body camera AI evidence tagger to miss a key evidence frame could constitute obstruction of justice or evidence tampering if the injection was intentional and the evidence was material to a federal investigation. For wildfire arson scenarios — where an arsonist uses adversarial injection to suppress wildfire AI detection during an arson ignition — federal arson statutes (18 U.S.C. § 81) and state arson statutes would apply alongside CFAA charges. The legal framework is still developing for AI-specific adversarial attack cases, and prosecutions have not yet addressed adversarial image injection specifically — but the existing computer crime and obstruction frameworks are sufficiently broad to cover the conduct described on this page.

How should public safety organisations handle a Glyphward-blocked image during a live incident?

The correct response protocol for a Glyphward-blocked image during a live incident depends on the public safety context. For wildfire detection AI: a blocked camera frame during an active detection cycle should not suppress the detection event — the conservative protocol is to treat a blocked frame as a potential detection event and escalate for human dispatcher review of the affected camera zone, particularly if the block occurs under elevated fire weather conditions. The dispatcher should verify the camera feed visually and, if any ambiguity exists, contact the nearest fire watch station or aerial patrol for independent confirmation. For emergency dispatch AI: a blocked caller-submitted photograph should be routed to the dispatcher for direct human assessment without AI severity enrichment. The dispatcher treats the incident as a standard voice-only call with the default dispatch protocol for the reported incident type — which is the existing protocol for calls where no photograph is submitted. The blocked image is preserved in the audit record with scan_id + image_sha256 for post-incident investigation. For body camera evidence: a blocked video frame or still image during an evidence tagging run should be flagged for manual review by the assigned detective or evidence officer — the frame is not discarded, but is tagged as “pending manual review — adversarial content flag” in the Evidence.com case file. The manual reviewer applies the standard evidence tagging criteria to the blocked frame directly. For disaster assessment: a blocked satellite image tile should trigger a re-request of the original satellite imagery from the commercial provider to verify tile integrity before the damage assessment for the affected geographic zone is finalised.