Ambient Sensing and Bystander Governance

2. Summary

Ambient Sensing and Bystander Governance requires that every AI agent with access to environmental sensors — cameras, microphones, LiDAR, thermal imagers, Wi-Fi probe detectors, or any passive data-collection modality — operates under explicit, enforceable controls that govern what ambient data it may collect, how it distinguishes bystanders from authorised subjects, and what retention and processing limits apply to incidentally captured data. The dimension addresses a fundamental asymmetry: when an agent operates in a shared physical or digital environment, it inevitably captures data about individuals who have not consented to interaction with the agent and may not even be aware of its presence. Without structural governance, ambient sensing creates mass-surveillance exposure at machine speed, unbounded by the practical limitations that constrain human observation.

3. Example

Scenario A — Retail Analytics Agent Captures Bystander Biometrics: A retailer deploys an AI-powered customer analytics agent connected to in-store cameras. The agent's mandate is to count foot traffic and measure dwell time at product displays. However, the camera feed provides full-resolution imagery, and the agent's vision model extracts facial embeddings as an intermediate processing step. Over 90 days the agent accumulates 2.4 million unique facial embeddings from shoppers, staff, delivery personnel, and passers-by visible through store windows. None of these individuals consented to biometric data collection. A data subject access request reveals the biometric database. The retailer faces enforcement action under GDPR Article 9 (processing of special categories) and the Illinois Biometric Information Privacy Act (BIPA), resulting in a class-action exposure estimated at $1,200 per individual — $2.88 billion total potential liability.

What went wrong: The agent's sensing capability exceeded its governance mandate. No pre-processing filter existed to strip biometric features before the agent received the feed. No bystander classification mechanism distinguished consenting participants from incidental captures. No retention limit prevented accumulation over time.

Scenario B — Smart-Building Agent Records Private Conversations: A facilities management agent monitors meeting rooms via ceiling-mounted microphones to detect occupancy and adjust HVAC. The audio pipeline provides raw waveforms to the agent, which extracts occupancy signals but also retains 30-second audio buffers for "context." Over six months, the agent accumulates 14 TB of ambient audio recordings from 340 meeting rooms, capturing confidential board discussions, privileged legal conversations, and private employee conversations. The recordings are stored in an unencrypted object store accessible to the operations team. A departing employee copies 200 GB of recordings to a personal device.

What went wrong: The sensing modality (raw audio) was disproportionate to the purpose (occupancy detection). No data-minimisation filter converted audio to occupancy signals before the agent processed it. No retention policy purged buffers. No access control restricted the stored data. The agent's ambient sensing operated without any bystander governance framework.

Scenario C — Autonomous Delivery Robot Captures Residential Footage: An autonomous delivery robot navigates residential streets using 360-degree cameras and LiDAR. The robot's perception pipeline captures continuous video at 30 fps, generating 4.2 TB of street-level imagery per robot per month across a fleet of 500 robots. The imagery includes house interiors visible through windows, children in gardens, licence plates, and individuals in states of undress. The data is uploaded to a central training pipeline. A journalist discovers that any employee with training-data access can search the imagery by GPS coordinate and timestamp, effectively creating a retroactive surveillance system covering 12 cities.

What went wrong: No distinction was drawn between perception data needed for navigation (which can be processed ephemerally) and training data (which requires retention governance). No bystander-protection filter obscured faces, licence plates, or private spaces. No access control limited who could query the imagery. The fleet-scale accumulation transformed operational sensing into mass surveillance.

4. Requirement Statement

Scope: This dimension applies to any AI agent that receives data from sensors capable of capturing information about individuals or environments beyond the agent's direct interaction partners. This includes but is not limited to: cameras (visible, infrared, thermal), microphones, LiDAR and depth sensors, radar, Wi-Fi and Bluetooth probe request monitors, RFID readers with area coverage, and any sensor that passively collects data from its environment. The scope extends to virtual environments where an agent monitors shared digital spaces — screen-sharing feeds, ambient audio in virtual meetings, or network traffic analysis that captures bystander communications. An agent that processes only data explicitly provided by a consenting user (e.g., a chatbot receiving typed text) is outside scope. An agent that can observe its environment beyond the direct interaction is within scope.

4.1. A conforming system MUST maintain a sensor inventory that enumerates every sensing modality available to each agent, the data types each sensor produces, the maximum resolution and coverage area, and the purpose for which each sensor is authorised.

4.2. A conforming system MUST enforce data-minimisation filters between raw sensor output and agent input, reducing sensor data to the minimum fidelity required for the authorised purpose — for example, converting raw audio to an occupancy boolean, or replacing full-resolution imagery with bounding-box counts.

4.3. A conforming system MUST classify all individuals detected by ambient sensors into categories — authorised subject, bystander, or unknown — and apply the most restrictive processing rules to bystander and unknown categories by default.

4.4. A conforming system MUST delete or irreversibly anonymise bystander data within a defined retention window that SHALL NOT exceed 24 hours unless a documented legal basis requires longer retention for a specific, named purpose.

4.5. A conforming system MUST prevent agent access to raw sensor data when a processed, reduced-fidelity alternative is sufficient for the authorised purpose.

4.6. A conforming system MUST log every instance where ambient sensor data is accessed, retained beyond the minimisation window, or transmitted to another system, including the legal basis and authorised purpose for each access.

4.7. A conforming system MUST block ambient sensing entirely in jurisdictions or zones where the applicable sensing modality is prohibited or requires consent that has not been obtained.

4.8. A conforming system SHOULD implement real-time bystander detection and automated redaction (face blurring, voice masking, licence-plate obscuration) at the sensor-processing layer before data reaches the agent.

4.9. A conforming system SHOULD provide a mechanism for bystanders to signal opt-out — for example, a broadcast beacon, a visible notice with a digital opt-out channel, or integration with a do-not-track registry.

4.10. A conforming system MAY implement adaptive sensing resolution that automatically reduces sensor fidelity when bystander density exceeds a configured threshold — for example, switching from individual tracking to aggregate counting when more than 10 unclassified individuals are in the sensing area.

5. Rationale

Ambient sensing is the capability that most directly transforms an AI agent from a tool into a surveillance system. The distinction is structural: a tool processes data it is given; a surveillance system acquires data from its environment. When an agent operates in a shared physical or digital space, it inevitably captures information about individuals who have not consented to observation, who may not be aware of the agent's presence, and who have no relationship with the agent's operator. These individuals — bystanders — have privacy rights that the agent's operator must protect, regardless of the operator's commercial objectives.

The governance challenge is compounded by three factors. First, modern sensors capture far more data than any single purpose requires. A camera installed for occupancy detection captures biometric data. A microphone installed for voice-command detection captures private conversations. The sensor's capability exceeds the authorised purpose, creating a data-minimisation obligation that must be enforced at the technical layer. Second, AI agents can extract information from sensor data that was not explicitly collected. A vision model receiving an occupancy-detection feed can infer emotional states, read documents on desks, and identify individuals by gait. The governance must address not only what data is captured but what inferences can be drawn. Third, fleet-scale deployment transforms ambient sensing from local observation into mass surveillance. A single robot observing a street is unremarkable. Five hundred robots with continuous cameras covering 12 cities, with centrally queryable data, is a surveillance infrastructure — regardless of the stated purpose.

AG-180 requires organisations to govern the gap between sensor capability and authorised purpose, implement structural controls that prevent ambient sensing from exceeding governance boundaries, and protect bystanders whose data is incidentally captured.

6. Implementation Guidance

The core implementation challenge is inserting a governance layer between raw sensor output and agent input. This layer must reduce data fidelity to the minimum required for the authorised purpose, classify individuals as authorised subjects or bystanders, and enforce retention limits before data reaches persistent storage.

Recommended Patterns:

• Sensor-edge minimisation pipeline. Process raw sensor data at the edge (on the device or at a local gateway) before it enters the agent's data pipeline. A camera producing 1920x1080 video at 30 fps for occupancy detection should be reduced to a count integer updated every 5 seconds at the edge. The raw video never leaves the device. This pattern eliminates bystander data at source rather than governing it downstream. Implementation: deploy a lightweight inference model at the sensor that outputs only the authorised data type (count, boolean, aggregate metric). The agent receives only the reduced output. Raw data is not stored, transmitted, or made available.
• Tiered classification with progressive redaction. Implement a three-tier classification: (1) authorised subjects whose data may be processed per the mandate, (2) bystanders whose data must be redacted or anonymised before processing, (3) unknown individuals who are treated as bystanders by default. Use the classification to drive progressive redaction: authorised subjects retain identifying features; bystanders have faces blurred, voices masked, and identifiers removed; unknowns are fully redacted. The classification decision should be logged and auditable.
• Jurisdictional sensing policy engine. Maintain a policy table mapping sensing modalities to jurisdictions and zones. When the agent operates in a jurisdiction that prohibits a specific modality (e.g., covert audio recording in a two-party consent state), the policy engine disables that modality before the agent can access it. The policy engine should integrate with AG-186 (Geofence, Human-Proximity and No-Go-Zone Governance) for location-aware enforcement.
• Retention countdown with cryptographic enforcement. Assign each sensor data fragment a retention timer at capture time. Store fragments encrypted with a key that is automatically deleted when the timer expires. After key deletion, the data is cryptographically irrecoverable even if the storage medium is retained. This provides enforceable retention limits that survive operator negligence or system failure.

Anti-Patterns to Avoid:

• Collecting everything and governing later. The most common anti-pattern is to capture full-fidelity sensor data, store it centrally, and apply governance rules at query time. This creates a surveillance database that exists regardless of governance rules, is vulnerable to unauthorised access, and creates GDPR Article 5(1)(c) data-minimisation violations. Governance must be applied at capture time, not query time.
• Relying on agent-level filtering. Sending raw sensor data to the agent and instructing it to "ignore bystander information" is structurally equivalent to relying on agent reasoning for mandate enforcement (the AG-001 anti-pattern). The agent's vision model will process bystander data whether or not it is instructed to ignore it. Filtering must occur before the agent receives the data.
• Consent-by-presence assumptions. Assuming that individuals in a monitored area have consented to observation by their presence is legally unsound in most jurisdictions. GDPR requires freely given, specific, informed consent. Entering a shop or walking down a street does not constitute consent to biometric processing.
• Resolution creep. Gradually increasing sensor resolution or adding sensing modalities without re-evaluating the governance framework. A system approved for 320x240 occupancy detection that is upgraded to 4K "for better accuracy" has fundamentally changed its surveillance capability without governance review.

Industry Considerations

Retail and Hospitality. Foot-traffic analytics must be implementable with aggregate counting rather than individual tracking. If individual path analysis is required, implement it with on-device processing that outputs path geometries without biometric identifiers. Illinois BIPA, Texas CUBI, and EU GDPR Article 9 create specific obligations for biometric data — facial recognition should be treated as biometric processing requiring explicit consent, not as a byproduct of camera deployment.

Healthcare. Patient monitoring systems must distinguish between the patient (authorised subject) and visitors, other patients, and staff (bystanders in the monitoring context). A bedside camera monitoring a patient's respiratory rate captures visitors entering the room. The system must redact visitor data or limit processing to the patient's bed area. HIPAA minimum necessary requirements apply to ambient sensing data.

Autonomous Vehicles and Robotics. Perception data required for safe operation (obstacle detection, path planning) should be processed ephemerally and not retained beyond the immediate navigation decision. Training data collection requires separate governance — the purpose has changed from "safe operation" to "model improvement," requiring a distinct legal basis and bystander protection framework.

Smart Cities and Public Spaces. Municipal deployments of AI-enabled sensing must comply with public-sector transparency obligations. Citizens must be informed about what data is collected, for what purpose, and how bystander protections operate. AG-180 requirements should be incorporated into procurement specifications for smart-city infrastructure.

Maturity Model

Basic Implementation — The organisation maintains a sensor inventory documenting all sensing modalities available to each agent. Data-minimisation filters exist but operate at the application layer (after raw data has been transmitted to the agent's processing environment). Bystander data is deleted within the 24-hour retention window. Logging captures sensor data access events. This level meets minimum mandatory requirements but retains structural risks: raw data exists in transit and in processing buffers, creating exposure to interception or unauthorised access before minimisation occurs.

Intermediate Implementation — Data-minimisation filtering operates at the sensor edge or at a dedicated gateway before data enters the agent's environment. Raw sensor data never reaches the agent — only reduced-fidelity outputs matching the authorised purpose. Bystander classification operates in real time with automated redaction. Retention enforcement uses cryptographic key expiry. Jurisdictional policy engine disables prohibited modalities based on location. Sensor inventory is automatically maintained and alerts on new or modified sensing capabilities.

Advanced Implementation — All intermediate capabilities plus: the sensing governance framework has been validated through independent privacy impact assessments covering all deployment jurisdictions. Adaptive sensing resolution automatically reduces fidelity in high-bystander-density scenarios. Privacy-preserving computation techniques (federated learning, differential privacy) are applied to any retained sensor-derived data. The organisation can demonstrate to regulators that no raw bystander data exists in any persistent store, and that the minimisation pipeline has been independently tested against bypass attacks. Integration with bystander opt-out mechanisms (do-not-track registries, broadcast beacons) is operational.

7. Evidence Requirements

Required artefacts:

• Sensor inventory. A complete, maintained register of all sensing modalities available to each agent, including data types, resolution, coverage area, authorised purpose, and data-minimisation filter configuration. Format: structured data (JSON, YAML, or database export). Updated within 7 days of any change.
• Data-minimisation pipeline documentation. Architecture diagrams and configuration showing how raw sensor data is reduced before reaching the agent. Must demonstrate that the agent cannot access raw data when reduced alternatives exist. Include filter specifications mapping each sensor to its output schema.
• Bystander classification and redaction evidence. Sample outputs showing bystander detection and redaction in operation, including classification accuracy metrics and redaction completeness. Minimum sample: 1,000 processed frames or equivalent per sensing modality.
• Retention compliance evidence. Logs demonstrating that bystander data is deleted or anonymised within the defined retention window. Must include cryptographic proof of key deletion where retention enforcement uses key-based controls.
• Jurisdictional compliance mapping. A table mapping each deployment location to applicable ambient sensing regulations, with evidence that the sensing configuration complies in each jurisdiction.

Retention requirements:

• Sensor inventory and governance configuration: minimum 5 years for regulated sectors; minimum 3 years otherwise.
• Bystander data access logs: minimum 3 years.
• Raw bystander data: maximum 24 hours unless a documented legal basis requires longer retention.

Access requirements:

• Producible to regulators or data protection authorities within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Sensor Inventory Completeness

• Stimulus: Enumerate all sensing modalities connected to the agent platform and compare against the sensor inventory.
• Expected behaviour: Every connected sensor appears in the inventory with correct metadata (data type, resolution, coverage, purpose).
• Pass criteria: 100% coverage — no connected sensor is missing from the inventory. No inventory entry describes a sensor that is not connected.
• Fail criteria: Any connected sensor is absent from the inventory, or any inventory entry is materially inaccurate.

Test 8.2: Data-Minimisation Filter Effectiveness

• Stimulus: Inject a test data stream containing identifiable bystander features (synthetic faces, voice samples, licence plates) into the sensor pipeline. Capture the agent's input after minimisation filtering.
• Expected behaviour: The agent receives only the reduced-fidelity output (counts, booleans, aggregates). No identifiable features are present in the agent's input.
• Pass criteria: Zero identifiable bystander features in the agent's post-filter input across a test set of at least 1,000 frames or equivalent.
• Fail criteria: Any identifiable bystander feature reaches the agent's input.

Test 8.3: Bystander Classification Accuracy

• Stimulus: Present the system with a mixed scenario containing authorised subjects and bystanders in known positions and roles.
• Expected behaviour: Authorised subjects are classified correctly. Bystanders and unknowns are classified as bystander or unknown (never as authorised subject).
• Pass criteria: Zero false negatives — no bystander is misclassified as an authorised subject. False positive rate (authorised subject classified as bystander) below 5%.
• Fail criteria: Any bystander is classified as an authorised subject, or false positive rate exceeds 5%.

Test 8.4: Retention Window Enforcement

• Stimulus: Capture bystander data and monitor its lifecycle. Attempt to access the data at intervals: at 12 hours, at 23 hours, and at 25 hours after capture (assuming a 24-hour retention window).
• Expected behaviour: Data is accessible at 12 and 23 hours. Data is inaccessible at 25 hours — either deleted or cryptographically irrecoverable.
• Pass criteria: No bystander data is recoverable after the retention window expires.
• Fail criteria: Any bystander data remains accessible after the retention window.

Test 8.5: Jurisdictional Sensing Restriction

• Stimulus: Simulate agent operation in a jurisdiction where a specific sensing modality is prohibited (e.g., covert audio recording in a two-party consent jurisdiction). Attempt to activate the prohibited modality.
• Expected behaviour: The jurisdictional policy engine blocks the modality. The agent receives no data from the blocked sensor.
• Pass criteria: Prohibited modality produces no data output when the agent operates in the restricted jurisdiction.
• Fail criteria: Any data from the prohibited modality reaches the agent in the restricted jurisdiction.

Test 8.6: Raw Data Access Prevention

• Stimulus: Attempt to access raw sensor data through the agent's API, data pipeline, or storage interfaces when a reduced-fidelity alternative is configured.
• Expected behaviour: All access paths return only the reduced-fidelity output. Raw data access is blocked at the infrastructure layer.
• Pass criteria: No access path yields raw sensor data when a reduced alternative exists.
• Fail criteria: Any access path provides raw sensor data to the agent or agent-accessible storage.

Test 8.7: Bystander Opt-Out Mechanism

• Stimulus: Register a test identity in the bystander opt-out mechanism. Present the opted-out individual to the sensing system.
• Expected behaviour: The opted-out individual's data is excluded from processing or immediately redacted upon detection.
• Pass criteria: No identifiable data from the opted-out individual appears in agent input or retained data.
• Fail criteria: Opted-out individual's data is processed or retained.

Conformance Scoring

• Score 0: No ambient sensing governance — agents receive raw sensor data without minimisation, classification, or retention controls.
• Score 1: Sensor inventory exists and retention limits are defined but enforcement is application-layer and minimisation occurs after the agent has received raw data.
• Score 2: Data-minimisation filtering operates before agent input, bystander classification is implemented, and retention is enforced with deletion verification — structural controls are in place.
• Score 3: All Score 2 controls verified by independent assessment, including minimisation bypass testing, classification accuracy validation, jurisdictional compliance audit, and retention enforcement verification. Privacy impact assessments cover all deployment jurisdictions.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU GDPR	Article 5(1)(c) (Data Minimisation)	Direct requirement
EU GDPR	Article 9 (Special Categories — Biometric Data)	Direct requirement
EU AI Act	Article 5(1)(a) (Prohibited Subliminal Techniques)	Supports compliance
EU AI Act	Annex III, 1(a) (Real-Time Remote Biometric Identification)	Direct requirement
Illinois BIPA	740 ILCS 14/15 (Biometric Identifiers)	Direct requirement
UK Data Protection Act 2018	Section 35 (Law Enforcement Processing Conditions)	Supports compliance
NIST AI RMF	MAP 5.1, MANAGE 2.3	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance

EU GDPR — Article 5(1)(c) (Data Minimisation)

Article 5(1)(c) requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." Ambient sensing by AI agents directly engages this principle: a camera system capturing full-resolution video for the purpose of occupancy counting collects data far exceeding what is necessary. AG-180's data-minimisation filter requirement (4.2, 4.5) implements Article 5(1)(c) at the technical layer, ensuring that the agent receives only the data necessary for its authorised purpose.

EU GDPR — Article 9 (Special Categories)

Biometric data processed for the purpose of uniquely identifying a natural person is a special category under Article 9. Ambient sensing systems that capture facial imagery, voice prints, or gait patterns are processing biometric data even if identification is not the stated purpose — the CJEU has held that the processing of facial images constitutes biometric data processing where the images are processed through specific technical means allowing unique identification. AG-180's requirement for bystander classification and pre-agent redaction (4.3, 4.8) prevents inadvertent special-category processing.

EU AI Act — Annex III, 1(a)

The EU AI Act classifies real-time remote biometric identification systems in publicly accessible spaces as high-risk (Annex III, point 1(a)), and Article 5(1)(a) prohibits certain AI practices including subliminal techniques. Fleet-scale ambient sensing that captures biometric data across public spaces engages these provisions. AG-180 compliance supports demonstrating that ambient sensing operates within the Act's requirements.

Illinois BIPA — 740 ILCS 14/15

BIPA requires written consent before collecting biometric identifiers, a published retention and destruction policy, and prohibits profiting from biometric data. Ambient sensing systems that capture facial geometry without written consent from each individual violate BIPA. AG-180's pre-processing minimisation (4.2) and bystander protection (4.3, 4.4) provide the structural controls to prevent BIPA violations in Illinois deployments. BIPA's statutory damages of $1,000–$5,000 per violation make ambient sensing governance a material financial risk.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	All individuals within sensing range — potentially millions for fleet-scale deployments across public spaces

Consequence chain: Ungoverned ambient sensing creates mass-surveillance exposure that scales with fleet size and deployment duration. A single robot capturing street-level imagery is a privacy incident. Five hundred robots operating across 12 cities for 12 months is a retroactive surveillance infrastructure containing billions of images of millions of individuals. The immediate technical failure is the accumulation of bystander data without consent, minimisation, or retention limits. The regulatory consequence includes GDPR fines up to 4% of global annual turnover (Article 83(5)), BIPA class-action exposure at $1,000–$5,000 per violation per individual, and EU AI Act enforcement for prohibited biometric identification practices. The reputational consequence is existential for consumer-facing organisations — public discovery that an organisation has been operating covert ambient surveillance typically triggers sustained media coverage, consumer boycotts, and legislative scrutiny. The liability extends beyond the organisation: individual officers may face personal liability under data protection legislation, and processors handling bystander data face joint controller liability.

Cross-references: AG-050 (Physical and Real-World Impact Governance) for broader physical-world impact controls; AG-039 (Active Deception and Concealment Detection) for detecting agents that conceal their sensing activities; AG-040 (Knowledge Accumulation Governance) for governing the knowledge base built from ambient sensing; AG-185 (Spatial Grounding and Scene Verification Governance) for verifying the agent's understanding of its physical context; AG-186 (Geofence, Human-Proximity and No-Go-Zone Governance) for location-based sensing restrictions; AG-022 (Behavioural Drift Detection) for detecting drift in sensing patterns over time.