Glyphward

Supply chain AI · Logistics AI · Freight audit

Multimodal prompt injection in supply chain and logistics AI — freight invoices, goods inspection, damage claims

Supply chain and logistics AI is one of the fastest-growing applications of vision-language models, and one of the least scrutinised from an adversarial input security perspective. Freight audit and payment platforms — Cass Information Systems, enVista, and GEODIS SmartShipping AI — now use VLMs to extract payment-relevant fields from carrier-submitted freight invoice photos and bill-of-lading scans, driving automated payment decisions on billions of dollars of freight annually. Warehouse management systems with AI receiving inspection, including Blue Yonder WMS AI, Oracle Fusion WMS AI receiving inspection, and Zebra Technologies AI scanning, process dock worker–photographed shipment images to determine goods condition compliance and quantity accuracy. Freight claims platforms at DHL, XPO, and USSCO use AI to assess carrier damage evidence photos and compute claims settlement values. Trade compliance automation platforms — Flexport Classify, Descartes Visual Compliance, and the former Amber Road AI (now integrated into E2open) — process scanned commercial invoices, packing lists, and HS code determination documents to automate customs duty calculation and certificate-of-origin validation. Across all four categories, the common thread is the same: images submitted by external parties — carriers, brokers, warehouse workers, shippers, freight forwarders — are processed by AI pipelines that produce structured data driving financial decisions, compliance determinations, and legal claim settlements. None of these platforms currently deploy a dedicated adversarial image detection layer at the document intake point. Flexport, project44, FourKites, Descartes, Transplace (now Uber Freight), Turvo, One Network, Blue Yonder, Oracle Fusion SCM, and SAP IBP all have AI features that process photographed or scanned freight documents — and all share the same unaddressed image-layer injection surface. Glyphward's pre-VLM scan gate provides the missing adversarial detection checkpoint before any freight document image reaches the AI extraction pipeline.

TL;DR

Supply chain and logistics AI pipelines convert freight document photos and goods inspection images into structured data that drives payment, compliance, and claims decisions. Adversarial freight document images — carrier invoice scans with hidden injection payloads, goods photos that trick AI inspection into passing defective shipments, damage evidence photos that inflate or suppress claims AI severity assessments, customs document images with false HS code instructions — all bypass text-only prompt injection scanners because the payload lives in the image pixel layer. Scan every freight document image with POST https://glyphward.com/v1/scan before OCR or VLM extraction. Reject images with score >= 60. Free tier — 10 scans/day, no card required.

Four multimodal injection surfaces in supply chain and logistics AI

1. Freight invoice and bill-of-lading photo injection. AI-powered freight audit and payment platforms — including Cass Information Systems' AI freight audit, enVista's freight payment AI, and GEODIS SmartShipping AI — receive carrier- and broker-submitted freight invoice scans and bill-of-lading images and use OCR and VLM extraction to pull charge line items, accessorial fees, fuel surcharge calculations, and payment terms. Extracted fields feed directly into automated freight payment workflows and duplicate-invoice detection engines. The adversarial surface is significant: a fraudulent carrier or freight broker submits an invoice scan or BoL photograph with adversarial typographic injection text embedded at low opacity within the itemised charge table, the accessorial fees section, or the payment reference field. The injection payload instructs the VLM extraction model to return inflated charge amounts, add fabricated accessorial line items not present in the underlying rate contract, or suppress the duplicate-invoice detection signal by altering the invoice reference number extracted from the image. Because freight audit platforms often apply straight-through processing for invoices within contracted rate bands — to reduce manual review overhead in high-volume freight payment operations — adversarially inflated charges that fall within plausible variance ranges can trigger automated payment without human review. Duplicate-invoice fraud (submitting the same bill-of-lading twice) is a known freight fraud vector that AI duplicate detection is designed to counter; adversarial BoL image injection defeats this defence by causing the AI to extract different invoice identifiers from two images of the same document. The financial incentive for fraudulent carriers and freight brokers is direct: each successfully injected freight invoice extracts incremental payment above the contracted rate. Pre-scan with Glyphward before any freight invoice or BoL image enters the extraction pipeline.

2. Goods receiving inspection photo injection. Warehouse management systems with AI receiving inspection capabilities — Blue Yonder WMS AI, Oracle Fusion WMS AI receiving inspection, and Zebra Technologies AI scanning and verification — process photographs taken by warehouse receiving dock workers of incoming shipments to assess goods condition, verify product labels and SKU identities, count items against the purchase order, and identify damage or short-count discrepancies before accepting the delivery. The adversarial attack vector here is the photographed goods themselves: a shipper or third-party logistics provider can prepare adversarially crafted physical labels, packing inserts, or printed overlays placed on shipment packages before they are photographed at the receiving dock. When the dock worker photographs the adversarially prepared shipment and the image enters the WMS AI inspection pipeline, the injection payload embedded in the physical label or printed material causes the VLM to classify the shipment as compliant even when goods are damaged, SKU labels are incorrect, or item counts fall short of the purchase order quantity. For AI-enabled receiving inspection systems integrated with Oracle Fusion SCM or SAP IBP inventory replenishment workflows, a successful injection that causes the AI to accept a short-count shipment as fully compliant results in immediate inventory shrinkage — the ERP records the full purchase order quantity as received, while the warehouse actually holds fewer units. The downstream effects propagate through demand planning models in SAP IBP and Blue Yonder Luminate Planning if incorrect received quantities influence safety stock calculations. FourKites and project44 real-time freight tracking data can confirm a shipment arrived; it cannot verify whether the AI receiving inspection was manipulated at the dock. Glyphward's pre-scan gate applied to every dock worker–captured inspection photo before it enters the WMS AI pipeline intercepts adversarially crafted shipment images at the point of camera upload.

3. Carrier damage documentation image injection. Freight claims AI platforms — including USSCO freight claims processing, DHL freight claims AI, and XPO freight claims AI — use VLMs and image analysis to assess shipper- and carrier-submitted damage evidence photos and compute damage severity scores that inform claims settlement value recommendations. The adversarial surface cuts both ways: shippers and carriers both have financial incentives to manipulate damage AI assessments in opposite directions. A shipper filing a high-value damage claim may submit adversarially crafted damage photo evidence — a genuine photograph of damaged goods with an injection payload embedded in the image — that causes the claims AI to classify the damage as more severe than it appears, inflating the settlement recommendation. Conversely, a carrier contesting a legitimate damage claim may submit adversarially crafted counter-evidence photos that cause the claims AI to downgrade the damage severity assessment, suppressing the settlement value. Freight claims AI platforms at large carriers process thousands of claims images monthly; the scale at DHL, XPO, and USSCO means that even low-success-rate adversarial injection attempts across a high volume of claims submissions produce material financial distortion in aggregate claims settlement totals. The claims AI severity score is typically the most influential input to the settlement recommendation, and in automated low-value claims processing (claims under a threshold amount that are settled without human adjudicator review) the AI score directly determines the settlement amount paid. Cargo insurance underwriters relying on AI damage assessment scores to validate claims against policy limits face the same vulnerability: adversarially manipulated damage photos submitted as insurance evidence can falsify the basis for a coverage determination. Glyphward pre-scan of every damage evidence image at claims submission time provides the adversarial detection gate missing from all current freight claims AI platforms.

4. Customs and trade compliance document image injection. AI-powered customs and trade compliance platforms — Flexport Classify (automated HS code determination), Descartes Visual Compliance (denied-party screening integrated with document image analysis), and the Amber Road AI capabilities now within E2open's Global Trade Management suite — process scanned commercial invoices, packing lists, certificates of origin, and shipper's export declarations to automate Harmonized System (HS) code classification, duty rate calculation, and certificate-of-origin validation. These documents originate from external parties: exporters, freight forwarders, customs brokers, and foreign suppliers — the same parties with financial incentives to minimise assessed duty liability or falsify origin determinations to qualify for preferential tariff rates under trade agreements such as USMCA, CPTPP, or GSP. An adversarially crafted commercial invoice image — a genuine invoice scan with injection text embedded in the goods description field, the country-of-origin field, or the HS code pre-classification column — can instruct the customs AI to extract a lower-duty HS code than the correct classification for the goods, omit dutiable charges from the assessed customs value, or generate a false certificate-of-origin determination qualifying a shipment for preferential tariff treatment it does not legitimately qualify for. The duty evasion value at stake scales with both the goods value and the applicable tariff rate: for high-tariff product categories (e.g., apparel, electronics, steel products) with duty rates of 15–30%, adversarial HS code reclassification on a high-value commercial invoice can eliminate tens of thousands of dollars in duties per shipment. Government customs oversight (CBP in the United States, HMRC in the UK, EU customs authorities) relies on importer declarations and AI-assisted classification for the vast majority of low-risk shipments — a pre-classified AI determination submitted with documentation is rarely re-examined for the document image layer. Glyphward pre-scan of every customs document image before it enters the Flexport Classify, Descartes, or E2open AI classification pipeline provides the adversarial detection layer that no current trade compliance AI vendor has deployed.

Integration: freight document intake with Glyphward pre-scan

import asyncio
import base64
import hashlib
import enum
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import aiohttp

GLYPHWARD_KEY = "<your-glyphward-api-key>"
GLYPHWARD_ENDPOINT = "https://glyphward.com/v1/scan"
GLYPHWARD_THRESHOLD = 60


class FreightDocType(enum.Enum):
    INVOICE = "invoice"
    BOL = "bill_of_lading"
    DAMAGE_PHOTO = "damage_photo"
    CUSTOMS_DOC = "customs_document"


@dataclass
class FreightDocAuditRecord:
    carrier_id: str
    load_number: str
    doc_type: FreightDocType
    image_sha256: str
    scanned_at: str
    scan_status: Optional[str] = None
    scan_id: Optional[str] = None
    scan_score: Optional[float] = None
    error_detail: Optional[str] = None


async def scan_freight_document(
    image_bytes: bytes,
    doc_type: FreightDocType,
    carrier_id: str,
    load_number: str,
) -> FreightDocAuditRecord:
    """
    Async Glyphward pre-scan gate for freight document images.

    Applies to all external-party-submitted freight document images:
    carrier invoice scans, BoL photos, damage evidence photos, and
    customs document scans. Fail-closed: scan API error holds the
    document for manual review rather than allowing auto-processing.

    Args:
        image_bytes:  Raw image bytes from document intake upload.
        doc_type:     FreightDocType enum identifying document category.
        carrier_id:   Carrier or broker identifier for audit trail.
        load_number:  Load or shipment reference number for audit trail.

    Returns:
        FreightDocAuditRecord with scan result; persist to audit log.

    Raises:
        RuntimeError: Glyphward API unavailable — document held.
        ValueError:   Adversarial content detected — document blocked.
    """
    image_sha256 = hashlib.sha256(image_bytes).hexdigest()
    encoded = base64.b64encode(image_bytes).decode()

    audit = FreightDocAuditRecord(
        carrier_id=carrier_id,
        load_number=load_number,
        doc_type=doc_type,
        image_sha256=image_sha256,
        scanned_at=datetime.now(timezone.utc).isoformat(),
    )

    try:
        async with aiohttp.ClientSession() as session:
            async with session.post(
                GLYPHWARD_ENDPOINT,
                headers={"Authorization": f"Bearer {GLYPHWARD_KEY}"},
                json={"image": encoded},
                timeout=aiohttp.ClientTimeout(total=8),
            ) as resp:
                if resp.status != 200:
                    # Fail-closed: hold for manual freight audit review
                    audit.scan_status = "api_error_held"
                    audit.error_detail = f"HTTP {resp.status}"
                    await persist_freight_audit(audit)
                    raise RuntimeError(
                        f"Glyphward unavailable for {doc_type.value} "
                        f"load={load_number} carrier={carrier_id} — "
                        "document held for manual review"
                    )

                scan = await resp.json()

    except aiohttp.ClientError as exc:
        # Network error — fail-closed, do not auto-process
        audit.scan_status = "network_error_held"
        audit.error_detail = str(exc)
        await persist_freight_audit(audit)
        raise RuntimeError(
            f"Glyphward network error for {doc_type.value} "
            f"load={load_number} — document held for manual review"
        ) from exc

    audit.scan_id = scan["scan_id"]
    audit.scan_score = scan["score"]

    if scan["score"] >= GLYPHWARD_THRESHOLD:
        audit.scan_status = "adversarial_blocked"
        await persist_freight_audit(audit)
        await trigger_freight_fraud_alert(audit)
        raise ValueError(
            f"Adversarial freight document blocked: "
            f"doc_type={doc_type.value} carrier={carrier_id} "
            f"load={load_number} score={scan['score']} "
            f"scan_id={scan['scan_id']}"
        )

    audit.scan_status = "clean_passed"
    await persist_freight_audit(audit)
    return audit


async def scan_freight_batch(
    documents: list[tuple[bytes, FreightDocType, str, str]],
) -> list[FreightDocAuditRecord]:
    """
    Batch async scan for freight document ingestion pipelines.

    Args:
        documents: List of (image_bytes, doc_type, carrier_id, load_number).

    Returns:
        List of FreightDocAuditRecord for clean documents only.
        Documents raising ValueError (adversarial) are excluded.
        Documents raising RuntimeError (API error) are excluded and held.
    """
    tasks = [
        scan_freight_document(img, dtype, cid, lnum)
        for img, dtype, cid, lnum in documents
    ]
    results = await asyncio.gather(*tasks, return_exceptions=True)

    clean_records = []
    for result in results:
        if isinstance(result, FreightDocAuditRecord):
            clean_records.append(result)
        # ValueError (adversarial) and RuntimeError (held) are already
        # persisted to audit log inside scan_freight_document()
    return clean_records


async def persist_freight_audit(record: FreightDocAuditRecord):
    """Persist to append-only freight audit log (WORM or insert-only table)."""
    pass


async def trigger_freight_fraud_alert(record: FreightDocAuditRecord):
    """Alert freight audit / compliance team on adversarial detection."""
    pass

Persist every FreightDocAuditRecord to an append-only audit table — PostgreSQL with an insert-only service role, or AWS S3 with Object Lock WORM storage — alongside the extracted freight data. The scan_id from Glyphward is the cryptographic reference proving the document was adversarial-content-checked before any extraction ran, providing the audit evidence required for freight payment compliance, carrier contract dispute resolution, and customs entry audit trails. For freight claims workflows, attach the FreightDocAuditRecord to the claims file as processing evidence; for customs document processing, attach it to the entry filing record. The image_sha256 field links the audit record to the exact image bytes that were scanned, enabling post-incident forensic verification that no document substitution occurred between scan and extraction. Get early access

Coverage matrix

Mitigation layer Invoice photo injection Goods receiving injection Damage photo injection Customs doc injection
Freight contract rate validation (contracted rate vs. extracted charge comparison) Partial — catches charges significantly above contracted rates; adversarially inflated charges within plausible variance bands pass rate validation No — rate validation applies to freight charges, not goods condition or quantity accuracy No No
Duplicate invoice detection (BoL reference matching, invoice hash deduplication) Partial — catches exact-duplicate BoL submissions; adversarial BoL image injection causes AI to extract different reference identifiers from the same document, defeating hash-based deduplication No No No
Human adjudicator review (freight claims manual review, customs entry examination) Partial — manual review catches gross anomalies; adversarial injection payloads are invisible to human reviewers examining the document image Partial — physical goods inspection catches obvious defects; adversarial image injection misleads the AI before a human re-examines the shipment Partial — adjudicator reviews damage photos; adversarial payloads imperceptible to human review but detected by Glyphward Partial — CBP/HMRC examination selects a fraction of entries; most AI-pre-classified entries are not re-examined at the image layer
AI document vendor anomaly detection (Flexport Classify, Descartes, enVista) No — vendor AI detects format deviations and template mismatches; not adversarial pixel-level injection content No — WMS AI quality inspection models are not designed to detect adversarial payloads in inspection photos No — claims AI damage severity models score visible damage; not adversarial embedding detection No — trade compliance AI classifies HS codes from document content; does not detect adversarial injection in the document image layer
Glyphward pre-VLM image scan (multimodal PI detection) Yes — invoice and BoL image pre-scan; adversarial charge inflation and duplicate-detection bypass blocked before extraction Yes — dock inspection photo pre-scan; adversarially prepared shipment images blocked before WMS AI compliance assessment Yes — damage evidence photo pre-scan; adversarial severity inflation and suppression blocked before claims AI scoring Yes — customs document image pre-scan; adversarial HS code reclassification and duty suppression blocked before trade compliance AI extraction

Related questions

Can freight invoice photo injection really go undetected in AI audit systems?

Yes, and the detection gap is structural rather than a matter of implementation quality. AI freight audit platforms like Cass Information Systems and enVista are designed to detect semantic anomalies in extracted freight data — charges outside contracted rate bands, duplicate invoice reference numbers, implausible fuel surcharge calculations — not adversarial content in the pixel layer of the document image that produces the extracted data. The adversarial invoice image looks visually identical to a legitimate invoice when a human reviews the scanned document; the injection payload is rendered at low opacity, in micro-font, or using steganographic techniques imperceptible to the naked eye. The VLM or OCR extraction model reads and acts on the injection instruction, returning modified charge amounts or altered invoice identifiers; the downstream freight audit logic then validates the extracted data against contract parameters. If the adversarial payload inflates charges to a level that still passes contract rate validation — for example, inflating accessorial charges by amounts within the normal variance band for that carrier lane — the payment workflow processes the inflated invoice without a human ever seeing an anomaly flag. Traditional freight fraud (billing for services not rendered, using paper documentation) requires insider access or forged paperwork; adversarial freight invoice image injection requires only the ability to submit a digitally prepared invoice scan. The financial incentive is real, the detection gap is real, and the only control that addresses the pixel-layer attack surface is a dedicated adversarial image scanner applied at the invoice upload point.

How does this differ from traditional freight fraud (duplicate invoices, overbilling)?

Traditional freight fraud operates at the data and document layer: a fraudulent carrier submits a duplicate paper invoice hoping the payment team will not match it against a previously paid document, or bills for premium services (refrigerated transport, expedited delivery) that were not actually provided. These fraud types are detectable by humans examining the documents, by duplicate invoice matching systems comparing invoice numbers and amounts, and by cross-referencing invoices against shipment tracking data from platforms like project44, FourKites, and Turvo. Adversarial freight invoice photo injection operates at the image pixel layer, which sits beneath every existing fraud detection control. The adversarial payload is not visible in the document; it is not in the extracted data before the injection runs; it does not appear as a document anomaly to a human reviewer; it does not show up in amount-based anomaly detection. The attack exploits the VLM extraction step that converts the document image to structured data — a step that did not exist in traditional freight audit workflows and that existing fraud controls were not designed to address. One Network and Turvo visibility platforms log shipment events and payment milestones but have no window into the image extraction step where adversarial injection occurs. The attack is also qualitatively different in scale: traditional duplicate invoice fraud requires creating a second document; adversarial image injection can be templated and applied to high volumes of submitted invoices, making detection through statistical payment anomaly analysis much harder because individual instances appear within normal parameters.

Are customs document image attacks feasible given government oversight?

The feasibility is higher than it might appear, for reasons rooted in how AI-assisted customs processing actually works. Platforms like Flexport Classify and Descartes Visual Compliance do not submit AI-extracted data directly to customs authorities as the declaration; the importer or customs broker submits the declaration, with AI-assisted classification used to pre-populate HS codes and duty calculations. When a customs broker uses Flexport Classify to pre-classify a commercial invoice and the AI returns an adversarially injected lower-duty HS code, the broker incorporates that classification into the customs entry filing. CBP and other customs authorities examine a risk-targeted subset of entries — historically around 3–5% of commercial entries receive intensive examination. Adversarial customs document injection is not a guaranteed duty evasion tool (the entry may be selected for examination), but it does not need to succeed on every attempt to be financially viable. For high-value, high-tariff shipments where the duty liability on a single entry can exceed tens of thousands of dollars, the expected-value calculation for adversarial HS code reclassification is favourable to an importer willing to accept examination risk. Certificate-of-origin document injection — causing the AI to validate a false origin claim that qualifies a shipment for a preferential tariff rate under a trade agreement — has particularly high incentive given that preferential tariff rates can reduce duties by 50–100% on qualifying goods. Government oversight catches some of these attempts through post-entry audit programmes; adversarial image detection at the AI input layer is the control that catches them before any erroneous classification is ever incorporated into a filed entry.

What threshold should freight audit platforms use?

Glyphward recommends a threshold of 60 for freight document image pre-scanning, which is lower than the 65 threshold commonly used in financial services document AI contexts. The lower threshold reflects the specific risk profile of freight document injection: the financial incentive per successful injection event is lower than in direct payment injection (inflated freight charges are typically thousands of dollars rather than six-figure wire transfer amounts), which means an adversary optimising for undetectability may craft payloads at lower injection intensity to reduce visual detectability. A threshold of 60 catches lower-intensity adversarial content that a threshold of 65 would pass, at the cost of a marginally higher false-positive rate on unusual but legitimate freight documents. For freight invoice and BoL image scanning specifically, the false-positive cost (holding a legitimate invoice for manual review) is lower than the false-negative cost (paying an adversarially inflated freight charge), so erring toward sensitivity is appropriate. For goods receiving inspection photo scanning, the stakes are different — a false positive (blocking a legitimate inspection photo) delays receiving confirmation and can hold up a put-away workflow, so platforms with tight warehouse throughput requirements may prefer to tune to 65 and accept slightly more adversarial content risk. Customs document image scanning should use 60 or lower given the regulatory and financial exposure from a successful HS code reclassification attack. Glyphward's API returns both the score and the contributing signal categories, enabling freight audit platforms to apply different downstream handling rules — automatic hold vs. immediate reject vs. alert-and-proceed — based on both the score magnitude and the detected payload type.

Further reading