Water quality AI · Infrastructure inspection AI · Treatment process AI · Environmental compliance AI

Prompt injection in water treatment and environmental monitoring AI

Water treatment and environmental monitoring AI has become the operational foundation of drinking water quality verification, distribution system infrastructure assessment, treatment process optimisation, and environmental compliance reporting at thousands of water utilities and environmental agencies across the US and globally: Xylem’s Vue AI analytics platform — deployed at over 1,000 water and wastewater utilities across North America and Europe including major utilities such as DC Water, Melbourne Water, and United Utilities — processes water quality sensor images, turbidity meter output photographs, and laboratory analytical result images through AI-assisted water quality monitoring and treatment optimisation tools that determine when treatment process adjustments are required to maintain drinking water quality within EPA Safe Drinking Water Act (SDWA) maximum contaminant level (MCL) compliance, Veolia Water Technologies’ AI operations platform — deployed at municipal water treatment plants serving populations from 50,000 to 5 million in the US, France, Australia, and China — processes SCADA (Supervisory Control and Data Acquisition) system display images, water quality sampling results, and treatment chemical dosing sensor output through AI-assisted treatment process control and compliance management tools, SUEZ Water Technologies & Solutions (now Veolia) AI and Evoqua Water Technologies AI process distribution system infrastructure inspection photographs captured by CCTV (closed-circuit television) pipe inspection systems, acoustic leak detection imagery, and corrosion assessment camera images through AI-assisted pipe condition classification and infrastructure asset management tools that determine rehabilitation priority and capital investment planning decisions, and environmental compliance AI platforms including Intelex AI, Cority AI, and Enablon AI process environmental sampling result photograph images, compliance monitoring report documents, and permit limit monitoring records for municipalities and industrial water dischargers required to maintain EPA NPDES (National Pollutant Discharge Elimination System) permit compliance and state environmental agency discharge compliance reporting. These water treatment and environmental AI platforms share a structural characteristic that creates an adversarial image injection exposure: each depends on photographs, sensor output images, and compliance document scans submitted through operational or regulatory workflows where the submitting party — a water utility operator, a distribution system maintenance contractor, a treatment plant laboratory analyst, or an environmental compliance manager — has access to the AI submission pathway and an operational, financial, or regulatory interest in the AI’s water quality, infrastructure condition, treatment process, or compliance classification output. Adversarially crafted images submitted through any of these pathways can suppress drinking water contamination indicators in water quality AI, conceal distribution pipe corrosion failures in infrastructure inspection AI, mask EPA SDWA treatment process violations in process control AI, and falsify environmental compliance monitoring data in permit compliance reporting AI — with consequences spanning EPA Safe Drinking Water Act enforcement actions, public health emergency notifications, Lead and Copper Rule (LCRR) action level triggers, NPDES permit violations, and criminal prosecution under the Clean Water Act for knowing endangerment of public water supplies.

TL;DR

Water treatment and environmental monitoring AI platforms — Xylem Vue AI, Veolia Water AI operations, SUEZ AI, Evoqua Water Technologies AI, Hach Water Quality AI, YSI Xylem AI water monitoring, Grundfos iSOLUTIONS AI, Ovivo Water AI, Intelex environmental AI, Cority EHS AI, Enablon compliance AI, Trimble Cityworks AI, IBM Maximo water utilities AI — process water quality sampling result images, distribution infrastructure CCTV inspection photographs, treatment plant SCADA display images, and environmental compliance monitoring report documents through AI water quality assessment, infrastructure condition classification, treatment optimisation, and permit compliance reporting pipelines. Adversarially crafted images submitted through water quality analyser photograph APIs, pipe inspection CCTV data portals, treatment SCADA operator display interfaces, and compliance report document management systems can suppress contamination and MCL exceedance indicators, conceal pipe corrosion and structural failure risk, mask treatment process control deviations, and falsify permit compliance monitoring records. Glyphward scans each image at the ingestion boundary with a threshold of ≥ 50 for all water treatment and environmental AI contexts (EPA SDWA MCL, Clean Water Act, Lead and Copper Rule, public health emergency). Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in water treatment and environmental monitoring AI

1. Water quality sample and analyser AI injection (Xylem Vue AI, Hach Water Quality AI, YSI Xylem AI)

Water quality monitoring AI processes images from online water quality analysers — including turbidity meter displays, UV absorbance analyser output screens, total organic carbon (TOC) analyser displays, residual chlorine analyser images, and laboratory spectrophotometer output photographs — as well as photographs of grab sample collection jars and laboratory sample result printouts through AI-assisted water quality compliance monitoring tools that determine whether the treated water meets EPA Safe Drinking Water Act maximum contaminant levels (MCLs) before distribution to customers and whether the treatment process is performing within the bounds required by the Treatment Technique (TT) regulations. Xylem’s Vue AI platform processes water quality analyser output images and sensor data for utilities including DC Water, Sydney Water, and Anglian Water, generating AI-assisted water quality trend analysis and treatment optimisation recommendations that inform real-time and scheduled treatment process adjustments. Hach Company’s Water Quality AI platform processes turbidity analyser, chlorine residual analyser, and pH/conductivity analyser output photographs and digital display images for municipal water treatment plants, integrating AI-assisted compliance monitoring with the plant’s SCADA system and laboratory information management system (LIMS) for real-time MCL compliance tracking. YSI’s (a Xylem brand) EXO AI water quality monitoring platform processes multiparameter water quality sonde output images and field measurement photographs for utilities, environmental agencies, and industrial water users conducting source water quality monitoring and distribution system water quality surveillance.

The water quality analyser output image submission pathway is the adversarial injection surface: photographs of analyser display screens, laboratory spectrophotometer output printouts, and field measurement device displays captured by plant operators and field monitoring staff using smartphones or tablets and submitted through Xylem Vue AI, Hach AI, or YSI EXO AI monitoring platforms for AI water quality classification. An adversarially crafted turbidity analyser display photograph — in which pixel perturbations applied to the analyser’s displayed turbidity value cause the Xylem Vue AI or Hach AI to read a turbidity value below the EPA SDWA Surface Water Treatment Rule (SWTR) turbidity action level of 1 NTU (or 4 NTU for the turbidity MCL) when the analyser is actually displaying a turbidity reading that exceeds the action level — can suppress the treatment process alarm that would trigger the operator to increase coagulant dosing, evaluate the filter performance, or issue a Boil Water Advisory (BWA) to utility customers. The adversarial suppression motivation in water quality AI is public communication avoidance: a Boil Water Advisory is one of the most disruptive public health communications a water utility can issue — it requires customer notification within 24 hours, generates significant media attention, and imposes substantial operational burden on the utility and affected households and businesses.

EPA Safe Drinking Water Act (42 USC § 300f–300j-26) enforcement consequences for failing to comply with MCL or Treatment Technique requirements follow from the SDWA’s public notification rule (40 CFR Part 141, Subpart Q), which requires water systems to notify the public within 24 hours when a Tier 1 health-based violation (including turbidity above the SWTR action level) occurs. An adversarially manipulated water quality AI that suppresses a turbidity exceedance and prevents the utility from issuing the required public notification creates a SDWA violation with civil penalty exposure of up to $25,000 per day per violation (40 CFR Part 141.201) and potential criminal prosecution under SDWA Section 1441 (42 USC § 300h-2) for knowingly making false statements in records required to be maintained under SDWA. The public health consequence of a drinking water turbidity exceedance that is not detected because the water quality AI was adversarially manipulated — and that allows pathogen-contaminated water to be distributed to utility customers — ranges from individual gastroenteritis cases to a community-scale outbreak of Cryptosporidium, Giardia, or STEC if the turbidity indicates filter breakthrough during a source water contamination event. Threshold: 50 for water quality sample and analyser AI (EPA SDWA MCL, Surface Water Treatment Rule, public notification rule, public health emergency).

2. Water infrastructure inspection AI injection (SUEZ AI, Evoqua Water AI, Trimble Cityworks AI)

Water distribution system infrastructure inspection AI processes CCTV pipe inspection video frames and photographs, acoustic leak detection imagery, and pipe external corrosion assessment camera images submitted through asset management platforms to classify pipe condition, detect structural defects (cracks, joint failures, corrosion pitting, liner delamination), identify active leaks, and generate rehabilitation priority scores that determine the capital improvement programme for water main renewal, relining, and replacement. SUEZ (now part of Veolia) Water Technologies AI infrastructure asset management platform processes CCTV pipe inspection video and photographs for municipal water and wastewater utilities, using AI-assisted pipe condition scoring and defect classification to generate rehabilitation priority rankings that inform multimillion-dollar capital improvement programme decisions. Evoqua Water Technologies’ AI asset management platform processes pipe inspection imagery and infrastructure condition assessment photographs for industrial and municipal water utilities, integrating AI-assisted infrastructure condition classification with capital planning tools. Trimble Cityworks AI processes infrastructure inspection data including CCTV footage and pipe inspection photographs for municipal utilities using the Cityworks asset management system, integrating AI-assisted condition assessment with work order management and capital planning workflows for water, wastewater, and stormwater system assets.

The distribution infrastructure inspection image submission pathway is the adversarial injection surface: CCTV pipe inspection video frames and external corrosion assessment photographs submitted through SUEZ AI, Evoqua, or Trimble Cityworks AI infrastructure management portals for pipe condition classification and rehabilitation priority ranking. An adversarially crafted CCTV pipe inspection video frame — in which pixel perturbations applied to the regions showing pipe wall cracking, joint failure gaps, root intrusion, or liner delamination cause the SUEZ AI or Trimble Cityworks AI to classify the pipe segment condition as grade B (minor defect, monitor) when the actual pipe condition shows a grade D (severe defect, immediate action required) structural failure risk — can result in a water main with imminent structural failure being placed at the bottom of the capital rehabilitation priority list rather than being scheduled for emergency replacement. The adversarial suppression motivation in infrastructure inspection AI is capital budget driven: water main replacement at $500–$2,000 per linear foot — with a typical water main replacement project costing $1–$10 million per mile — is one of the largest capital expenditures in a municipal water utility’s capital improvement programme, creating significant financial pressure on both utility staff and infrastructure inspection contractors to produce condition assessments that do not trigger immediate replacement programme requirements.

Lead service line and Lead and Copper Rule Revisions (LCRR) consequences are the most significant consequence of adversarial distribution infrastructure inspection AI manipulation in the current regulatory environment. The EPA’s Lead and Copper Rule Revisions (LCRR, 40 CFR Part 141, Subpart I, effective October 2024) require water utilities to identify and inventory all lead service lines in their distribution system, and the Lead and Copper Rule Improvements (LCRI, 2024) establish mandatory replacement timelines for lead service lines. Adversarial manipulation of pipe inspection AI that suppresses lead service line condition indicators — causing the AI to misclassify a lead service line as copper or plastic in a pipe material assessment photograph — can suppress the lead service line replacement programme obligations that the LCRR imposes on the utility, with regulatory consequences including EPA enforcement action under SDWA Section 1414 (42 USC § 300g-3) and public notification requirements when lead action levels (15 parts per billion at the 90th percentile of tap samples) are exceeded. Infrastructure failure consequences of a grade D pipe segment that is adversarially downgraded to grade B and not replaced include water main breaks that can cause service disruptions affecting thousands of customers, road damage from pipe failure excavation, and in the most serious cases, pressure transients from water main breaks that create cross-connection contamination events — a mechanism for pathogen introduction into the distribution system that has caused community-scale waterborne illness outbreaks (the 1993 Milwaukee Cryptosporidium outbreak remains the largest waterborne illness outbreak in US history). Threshold: 50 for water infrastructure inspection AI (LCRR lead service line, EPA SDWA enforcement, infrastructure failure, cross-connection contamination).

3. Treatment process control AI injection (Veolia Water AI, Xylem Vue treatment AI, Grundfos iSOLUTIONS AI)

Water treatment process control AI processes SCADA system operator display screen images, chemical dosing pump display photographs, filter performance monitoring display images, and disinfection system status photographs submitted through AI-assisted treatment optimisation and process control platforms to classify treatment process performance, identify process deviations requiring operator intervention, and generate AI treatment optimisation recommendations that determine chemical dosing rates, filter backwash timing, and disinfection residual maintenance strategies for EPA SDWA Treatment Technique compliance. Veolia Water Technologies’ AI operations platform processes SCADA display images and treatment process sensor output photographs for large municipal water treatment plants, using AI-assisted process optimisation to reduce chemical consumption, optimise energy use, and maintain Treatment Technique compliance across coagulation/flocculation, sedimentation, filtration, and disinfection treatment stages. Xylem’s Vue AI treatment optimisation platform processes treatment plant sensor images and SCADA display photographs for utilities, generating AI treatment process recommendations integrated with the plant’s control system. Grundfos’ iSOLUTIONS AI platform processes pump system display images and treatment dosing system photographs for water utilities, using AI-assisted pump optimisation and chemical dosing control to maintain treatment process performance within regulatory compliance bounds.

The treatment process SCADA display and sensor output image submission pathway is the adversarial injection surface: photographs of SCADA operator display screens showing filter effluent turbidity readings, disinfection CT (Concentration × Time) values, chemical dosing pump rate indicators, and treatment process alarms, submitted through Veolia AI, Xylem Vue, or Grundfos iSOLUTIONS AI treatment optimisation platforms for AI process control recommendation generation. An adversarially crafted SCADA operator display photograph — in which pixel perturbations applied to the displayed filter effluent turbidity value, the disinfection CT calculation display, or the chemical dosing rate indicator cause the Veolia Water AI or Xylem Vue AI to generate a treatment optimisation recommendation that reduces coagulant dosing, delays filter backwash, or reduces disinfectant dosing below the CT value required for 99.9% (3-log) Cryptosporidium inactivation under the EPA’s Long Term 2 Enhanced Surface Water Treatment Rule (LT2ESWTR) — can result in the treatment plant operating below the Treatment Technique performance requirements without triggering the process alarm that would cause the operator to manually intervene to restore compliant treatment performance. The adversarial process control manipulation motivation is operational cost driven: reducing coagulant chemical dosing rates, extending filter run times between backwashes, and reducing disinfection chemical consumption are the primary operational cost levers in water treatment plant operation, with chemical costs representing 15–25% of total operating expenses at surface water treatment plants.

EPA LT2ESWTR (40 CFR Part 141, Subpart W) and SWTR (40 CFR Part 141, Subpart H) Treatment Technique violations for inadequate Cryptosporidium inactivation CT are among the most serious SDWA violations because the public health consequence — potential Cryptosporidium contamination of the treated water supply — is immediate and affects all customers served by the treatment plant. The 1993 Milwaukee Cryptosporidium outbreak, which caused an estimated 400,000 illnesses and 69 deaths, resulted directly from inadequate treatment process control that allowed Cryptosporidium to pass through the filtration and disinfection treatment train — the exact treatment process failure that adversarial manipulation of treatment process control AI could reproduce at scale. EPA SDWA Treatment Technique violations carry civil penalties of up to $25,000 per day per violation (SDWA Section 1414) and criminal penalties under SDWA Section 1441 for knowing endangerment of a public water supply that presents an imminent and substantial endangerment to public health. Water utility executives and operators who knowingly allow treatment process violations to continue face criminal prosecution under 42 USC § 300h-2 — an adversarially manipulated treatment process AI that generates incorrect treatment optimisation recommendations is not a legal defence for a utility that does not have independent process controls to detect treatment performance deviations below the AI recommendation threshold. Threshold: 50 for treatment process control AI (EPA SDWA Treatment Technique, LT2ESWTR CT compliance, Cryptosporidium inactivation, public health emergency).

4. Environmental compliance monitoring AI injection (Intelex AI, Cority AI, Enablon compliance AI)

Environmental compliance monitoring AI processes scanned images of environmental sampling result documents, water quality laboratory report photographs, NPDES permit monitoring report (DMR) pages, and stormwater pollution prevention plan (SWPPP) inspection photographs submitted through environmental health and safety (EHS) management platforms to classify compliance status, identify permit limit exceedances, generate automated discharge monitoring reports (DMRs) submitted to the EPA or state environmental agency, and track corrective action requirements for environmental permit violations. Intelex AI environmental management platform processes environmental monitoring data and compliance document images for industrial water dischargers, municipal wastewater treatment plants, and stormwater management programmes, using AI-assisted permit limit classification and DMR generation for companies including major manufacturers, mining operations, and food and beverage producers subject to NPDES industrial stormwater or process wastewater discharge permits. Cority EHS AI processes environmental sampling result photographs and compliance monitoring report documents for enterprise environmental compliance programmes at Fortune 500 industrial companies, generating AI-assisted compliance status dashboards and regulatory reporting workflows for NPDES, RCRA, and Clean Air Act compliance management. Enablon’s compliance AI (now Wolters Kluwer’s EHS platform) processes environmental monitoring document images and laboratory result photographs for multinational manufacturers and resource companies, integrating AI-assisted permit compliance classification with automated regulatory reporting to EPA and state environmental agency electronic reporting systems (NetDMR).

The environmental monitoring result document scan and laboratory report photograph submission pathway is the adversarial injection surface: scanned images of water quality laboratory results, NPDES monitoring station discharge sample result reports, and SWPPP inspection checklists submitted through Intelex AI, Cority AI, or Enablon AI compliance management platforms for AI permit limit exceedance classification and automated DMR generation. An adversarially crafted laboratory result scan — in which pixel perturbations applied to the printed parameter value — such as the effluent total suspended solids (TSS) concentration, biological oxygen demand (BOD) value, metals concentration, or pH reading — cause the Intelex AI or Cority AI to extract a permit-compliant parameter value from the document when the actual laboratory measurement exceeds the NPDES permit effluent limitation — can result in a NetDMR (EPA’s electronic DMR reporting system) submission that misreports a permit violation as a compliant discharge, concealing the exceedance from the permitting authority (EPA or state environmental agency). The adversarial DMR falsification motivation is permit compliance driven: NPDES permit violations reported in DMRs trigger state environmental agency enforcement responses including NOVs (Notices of Violation), administrative penalties, and in cases of chronic or significant violations, permit compliance schedules — each of which creates operational, financial, and reputational consequences for the discharger.

Clean Water Act criminal prosecution for false DMR submissions is among the most frequently prosecuted environmental crimes in the US: 33 USC § 1319(c)(4) (Clean Water Act Section 309) imposes criminal penalties for knowingly falsifying or tampering with monitoring methods or records required under the CWA — including DMR data entries. The EPA’s Criminal Investigation Division (CID) and the DOJ Environment and Natural Resources Division (ENRD) prosecute DMR falsification cases aggressively; convictions under 33 USC § 1319(c)(4) carry penalties of up to 2 years imprisonment and $10,000 per day per violation for each false DMR entry. Civil penalty exposure under 33 USC § 1319(d) includes penalties of up to $25,000 per day per violation for NPDES permit violations, with each day of a continuing violation constituting a separate violation. The adversarial manipulation of environmental compliance AI that generates false DMR submissions — even if the manipulator’s intent was to avoid administrative enforcement rather than to endanger public health — creates the same criminal exposure as manual DMR falsification because the CWA criminal statute applies to the act of falsifying monitoring records, not only to the means of falsification. A discharger that implements Glyphward pre-scan for environmental monitoring document inputs to its Intelex/Cority/Enablon AI compliance platform has a documented basis for demonstrating that it implemented a data integrity verification measure for AI-processed monitoring records — relevant to any CWA civil penalty mitigation proceeding that considers the discharger’s compliance management efforts. Threshold: 50 for environmental compliance monitoring AI (CWA Section 309 criminal penalty, NPDES permit violation, NetDMR false reporting, EPA enforcement).

Integration: water treatment and environmental AI image ingestion with Glyphward pre-scan

Water treatment and environmental monitoring AI image ingestion flows from water quality analyser photograph APIs and laboratory result scan portals, distribution infrastructure CCTV pipe inspection data management systems, treatment plant SCADA display photograph interfaces, and environmental compliance document scanning platforms into AI water quality assessment, infrastructure condition classification, treatment optimisation, and permit compliance reporting pipelines. Insert Glyphward’s pre-scan at the ingestion boundary — in all water treatment and environmental AI contexts, where the public health and criminal enforcement consequences of adversarial image manipulation are categorically significant:

import asyncio
import base64
import hashlib
import os
import uuid
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Water treatment / environmental AI — EPA SDWA MCL compliance,
# Surface Water Treatment Rule CT, Lead and Copper Rule Revisions,
# Clean Water Act NPDES, CWA criminal DMR falsification.
# Threshold 50 — public health and CWA criminal consequences of false
# negatives (adversarial images passing pre-scan) exceed operational
# cost of false positives (human review of borderline images).
THRESHOLD_WATER = 50


class WaterAIContext(str, Enum):
    WATER_QUALITY     = "water_quality"     # Xylem Vue, Hach, YSI
    INFRASTRUCTURE    = "infrastructure"    # SUEZ, Evoqua, Trimble Cityworks
    PROCESS_CONTROL   = "process_control"   # Veolia AI, Xylem Vue treatment, Grundfos
    ENV_COMPLIANCE    = "env_compliance"    # Intelex, Cority, Enablon


async def scan_water_image(
    image_path: str | Path,
    context: WaterAIContext,
    utility_id_hash: str,       # SHA-256 of utility PWSID or NPDES permit number
    facility_hash: str,         # SHA-256 of facility/plant ID
    measurement_ref: str,       # e.g. "turb_east_filter_2026Q2", "pipe_segment_4A32"
    client: httpx.AsyncClient,
) -> dict:
    """
    Scan a water treatment or environmental monitoring AI image for adversarial
    injection payloads before forwarding to water quality assessment AI,
    distribution infrastructure inspection AI, treatment process control AI,
    or environmental permit compliance monitoring AI.

    Raises AdversarialWaterImageError if the Glyphward score meets or
    exceeds the water/environmental threshold (50).
    """
    image_bytes = Path(image_path).read_bytes()
    image_b64 = base64.b64encode(image_bytes).decode()
    image_sha256 = hashlib.sha256(image_bytes).hexdigest()
    scan_id = str(uuid.uuid4())

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "water_context": context.value,
                "utility_id_hash": utility_id_hash,
                "facility_hash": facility_hash,
                "measurement_ref": measurement_ref,
                "client_scan_id": scan_id,
                "image_sha256": image_sha256,
            },
        },
        timeout=10.0,
    )
    resp.raise_for_status()
    result = resp.json()

    audit_record = {
        "utility_id_hash": utility_id_hash,
        "facility_hash": facility_hash,
        "measurement_ref": measurement_ref,
        "water_context": context.value,
        "scan_id": result["scan_id"],
        "client_scan_id": scan_id,
        "image_sha256": image_sha256,
        "score": result["score"],
        "flagged_region": result.get("flagged_region"),
        "threshold": THRESHOLD_WATER,
        "action": "blocked" if result["score"] >= THRESHOLD_WATER else "allowed",
    }
    await write_water_compliance_record(audit_record)

    if result["score"] >= THRESHOLD_WATER:
        raise AdversarialWaterImageError(
            f"Water AI image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"utility_hash={utility_id_hash} ref={measurement_ref}"
        )
    return result


async def scan_cctv_inspection_batch(
    frame_paths: list[Path],
    utility_id_hash: str,
    facility_hash: str,
    pipe_segment_id: str,
) -> dict:
    """
    Scan all CCTV pipe inspection frames for a pipe segment before loading
    into SUEZ/Evoqua/Trimble Cityworks AI infrastructure condition scoring.
    All frames scanned with INFRASTRUCTURE context (threshold 50).
    """
    allowed, blocked, errors = [], [], []
    async with httpx.AsyncClient() as client:
        tasks = [
            scan_water_image(
                p, WaterAIContext.INFRASTRUCTURE,
                utility_id_hash, facility_hash,
                f"{pipe_segment_id}_frame{i:05d}", client,
            )
            for i, p in enumerate(frame_paths)
        ]
        results = await asyncio.gather(*tasks, return_exceptions=True)

    for path, result in zip(frame_paths, results):
        if isinstance(result, AdversarialWaterImageError):
            blocked.append({"path": str(path), "error": str(result)})
        elif isinstance(result, Exception):
            errors.append({"path": str(path), "error": str(result)})
        else:
            allowed.append({"path": str(path), "scan_id": result["scan_id"]})

    return {
        "utility_id_hash": utility_id_hash,
        "pipe_segment_id": pipe_segment_id,
        "total": len(frame_paths),
        "allowed": len(allowed),
        "blocked": len(blocked),
        "errors": len(errors),
        "blocked_frames": blocked,
    }


async def write_water_compliance_record(record: dict) -> None:
    """Persist compliance audit record to water utility records system (stub)."""
    import json, sys
    print(json.dumps(record), file=sys.stderr)


class AdversarialWaterImageError(Exception):
    """Raised when a water treatment AI image exceeds the adversarial injection threshold."""
    pass

Call scan_water_image() with WaterAIContext.WATER_QUALITY for turbidity analyser display photographs, chlorine residual analyser images, and laboratory result photographs before Xylem Vue AI, Hach AI, or YSI EXO AI water quality compliance classification — this is the highest public health consequence integration point in the water treatment AI pipeline because an adversarially suppressed turbidity exceedance can prevent a Boil Water Advisory from being issued during a source water contamination event. Call scan_cctv_inspection_batch() for CCTV pipe inspection frame sets before SUEZ AI, Evoqua, or Trimble Cityworks AI infrastructure condition scoring — CCTV batch scanning prevents adversarial downgrading of pipe condition severity that would suppress lead service line replacement obligations under the LCRR. Call scan_water_image() with WaterAIContext.PROCESS_CONTROL for SCADA display photographs and treatment process sensor images before Veolia Water AI, Xylem Vue treatment AI, or Grundfos iSOLUTIONS AI treatment optimisation recommendations. Call with WaterAIContext.ENV_COMPLIANCE for all environmental laboratory result scans and NPDES permit monitoring report page images before Intelex AI, Cority AI, or Enablon AI permit compliance classification and NetDMR submission generation — environmental compliance document scanning has direct CWA criminal exposure because the NetDMR submission generated from the AI-extracted values becomes the regulatory record. The Glyphward audit record should be retained as part of the utility’s SDWA and CWA compliance records for the applicable regulatory retention period. Get early access

Coverage matrix

Control	Water quality AI injection	Infrastructure inspection AI injection	Treatment process AI injection	Environmental compliance AI injection
Text-only PI scanners (Lakera, LLM Guard)	No — adversarial pixel perturbations in water quality analyser display photographs are invisible to text-based analysis	No — CCTV pipe inspection image pixel manipulation is not detected by text-only scanning	No — SCADA display photograph pixel perturbations in process value fields are not visible to text scanners	No — environmental compliance document scan pixel manipulation in parameter value fields is not caught by text analysis
EPA SDWA compliance monitoring	Consumer Confidence Reports and state primacy agency monitoring require accurate MCL data; do not prevent adversarial manipulation of AI water quality monitoring image inputs	LCRR service line inventory requirements apply to utility-reported data; do not include controls for adversarial manipulation of infrastructure inspection AI image inputs	Treatment Technique compliance monitoring requires process performance records; does not detect adversarial manipulation of SCADA display image inputs to AI optimisation tools	NetDMR electronic reporting requires DMR data accuracy; does not prevent adversarial manipulation of laboratory result scans before AI-assisted DMR generation
Plant operator manual verification	Operators can manually check analyser readings but cannot detect sub-pixel adversarial manipulation in photographs submitted to AI before operator review	Field inspection of flagged pipe segments verifies AI findings but adversarial downgrading of condition scores prevents flagging in the first place	Control room operators monitoring SCADA directly can detect process deviations but adversarial AI optimisation recommendations can override manual vigilance in highly automated systems	Environmental compliance managers reviewing laboratory reports cannot detect sub-pixel adversarial manipulation in scanned images before AI parameter extraction
Glyphward	Yes — threshold 50; utility_id_hash audit trail; blocks adversarial analyser display photographs before Xylem/Hach/YSI AI MCL compliance classification	Yes — threshold 50; batch scan blocks adversarial CCTV pipe inspection frames before SUEZ/Evoqua/Cityworks AI condition scoring and LCRR lead service line classification	Yes — threshold 50; blocks adversarially crafted SCADA display photographs before Veolia/Xylem/Grundfos AI treatment optimisation recommendation generation	Yes — threshold 50; blocks adversarially crafted environmental lab result scans before Intelex/Cority/Enablon AI permit compliance classification and NetDMR submission

Frequently asked questions

How does adversarial manipulation of water quality AI differ from ordinary analyser calibration drift or measurement error, and why do existing quality control procedures not address the threat?

Ordinary analyser calibration drift and measurement error in water quality monitoring — online turbidity analyser fouling that causes the optical sensor to read below actual turbidity, residual chlorine analyser reagent depletion that produces false-low readings, and sensor drift that causes gradual baseline offset in continuous monitoring systems — are managed through analyser quality control procedures including daily verification checks, weekly calibration verification, preventive maintenance schedules, and online analyser redundancy (dual turbidity sensors in parallel). These quality control procedures are designed for the instrument malfunction scenario: they verify that the online analyser’s reading is within acceptable tolerance of a reference measurement, and they trigger recalibration or maintenance when drift is detected. Laboratory grab sample results provide an independent reference that can identify when an online analyser is reading incorrectly due to calibration drift.

Adversarial injection is a categorically different attack: the online analyser is functioning correctly and displaying the actual water quality measurement — it is the photograph of the analyser display that is submitted to the AI monitoring system that contains adversarial pixel perturbations. The adversarial perturbations are applied in the image region corresponding to the displayed turbidity or chlorine residual value, causing the Xylem Vue AI or Hach AI to extract an incorrect value from the photograph when the instrument is actually displaying a value that exceeds the EPA SDWA action level threshold. The laboratory grab sample verification procedure can detect an online analyser calibration drift — if the online analyser’s measurement is adversarially manipulated, grab sample results will still reflect the actual water quality — but the grab sample result is typically available only every 4 hours or once per shift, while the adversarial AI extraction of incorrect values from online analyser display photographs can suppress an exceedance continuously during the period between grab samples. Preventing adversarial water quality AI manipulation requires a pre-scan integrity check at the photograph submission boundary, supplemented by independent online analyser readings that do not pass through the AI image extraction pathway.

What is a water utility’s public notification obligation when an adversarially manipulated water quality AI fails to trigger a Boil Water Advisory, and the actual water quality exceedance is subsequently discovered?

When an adversarially manipulated water quality AI fails to trigger a Boil Water Advisory by suppressing a Tier 1 turbidity exceedance, and the actual exceedance is subsequently discovered through laboratory grab sample results, independent online analyser verification, or state primacy agency audit, the water utility’s public notification obligations under the EPA Safe Drinking Water Act Public Notification Rule (40 CFR Part 141, Subpart Q) attach immediately upon discovery of the violation — regardless of whether the delayed discovery was caused by adversarial AI manipulation. Three elements of the notification obligation. First, a Tier 1 violation that presents an acute health risk (turbidity above the SWTR action level, which indicates potential filter failure and pathogen passage) requires public notice within 24 hours of discovery through a medium that reaches persons served by the water system — including radio, television, and hand delivery in addition to posting on the utility’s website. The 24-hour clock starts at the time the utility discovers or should have discovered the violation, not at the time the actual exceedance occurred.

Second, if the turbidity exceedance was not detected by the AI monitoring system for a period of hours or days before the exceedance was discovered through independent verification, the utility faces a compound regulatory exposure: the original turbidity exceedance, the failure to provide timely public notification for the duration of the undetected exceedance period, and the failure to report the violation to the state primacy agency within the required timeframe (10 days for Tier 1 violations). Each of these is a separate SDWA violation with independent civil penalty exposure. Third, if the retrospective analysis of the water quality data suggests that consumers may have been exposed to Cryptosporidium, Giardia, or other pathogens during the undetected exceedance period, the utility faces potential tort liability from affected consumers under state public health negligence law — and the adversarial AI manipulation that caused the delayed detection does not eliminate the utility’s duty of care to provide safe drinking water under the applicable state law negligence standard. Implementing Glyphward pre-scan for water quality AI photograph inputs — and retaining the pre-scan audit records as part of the utility’s compliance management records — provides documentation that the utility implemented a reasonable data integrity measure, which is relevant to both the SDWA civil penalty mitigation proceeding and the state tort negligence defence.

What is the Clean Water Act criminal exposure for a discharger whose Intelex or Cority environmental compliance AI generates a false NetDMR submission from an adversarially manipulated laboratory result scan?

The Clean Water Act criminal exposure for a discharger whose environmental compliance AI generates a false NetDMR submission from an adversarially manipulated laboratory result scan operates under two distinct criminal theories that produce different intent requirements and penalty ranges. First, under 33 USC § 1319(c)(4) (CWA Section 309(c)(4)), it is a federal crime to knowingly falsify or tamper with any monitoring method or device required under the CWA, or to knowingly render inaccurate any monitoring device or method required to be maintained under the CWA. The term “knowingly” in 33 USC § 1319(c)(4) has been interpreted by federal courts to require knowledge that the monitoring method was being falsified, but not knowledge that the falsification violated the CWA specifically — meaning that a discharger employee who knowingly submits an adversarially crafted laboratory result scan to the Intelex AI knowing that the scan has been manipulated to show a lower pollutant concentration than the actual measurement has committed a knowing falsification under 33 USC § 1319(c)(4), even if the employee did not know the specific CWA provision being violated.

Second, if the false NetDMR submission results in the issuance of a federal permit (the continued NPDES permit coverage) based on false compliance data, 18 USC § 1001 (false statements to federal agencies) applies as an additional criminal theory, carrying up to 5 years imprisonment per count for each false statement in a federal agency submission. Environmental prosecutors routinely charge both 33 USC § 1319(c)(4) and 18 USC § 1001 in DMR falsification cases. A discharger that discovers after the fact that its environmental compliance AI generated a false NetDMR submission because the laboratory result scan was adversarially manipulated should immediately contact legal counsel and consider whether voluntary disclosure to the EPA Regional office and state environmental agency — prior to the agency discovering the false submission through its own inspection or database audit — is appropriate. EPA’s Audit Policy (EPA’s Incentives for Self-Policing, 65 Fed. Reg. 19618) provides civil penalty mitigation for voluntary disclosure of violations discovered through an environmental compliance audit, including a 75% reduction in gravity-based civil penalties for violations that are disclosed and corrected within 60 days. Voluntary disclosure documented with Glyphward pre-scan audit records demonstrating the adversarial manipulation — showing that the laboratory result scan image was flagged by Glyphward after the fact — provides the evidentiary foundation for an Audit Policy voluntary disclosure proceeding.