Biometric Template Protection Governance

2. Summary

Biometric Template Protection Governance requires that AI agent systems handling biometric data implement rigorous controls over the storage, linkage, transmission, and exposure of biometric templates to prevent irreversible identity compromise. Unlike passwords or tokens, biometric identifiers — fingerprints, facial geometry, iris patterns, voiceprints, vein structures — are permanently bound to the individual and cannot be rotated, revoked, or reissued after compromise. A leaked password triggers a reset; a leaked fingerprint template triggers a lifelong vulnerability. This dimension mandates that conforming systems protect biometric templates through irreversibility-aware architecture: cryptographic transformation that prevents raw template recovery, storage isolation that prevents cross-context linkage, retention controls that enforce disposal obligations, and breach response mechanisms calibrated to the permanent nature of biometric compromise. The governance requirements address both the technical protections applied to templates at rest and in transit, and the organisational controls that prevent template accumulation, unauthorised linkage, and indefinite retention that transforms a biometric database into an escalating liability.

3. Example

Scenario A — Template Database Breach with Plaintext Storage: A national retail chain deploys AI-powered kiosks with facial recognition for loyalty programme identification. The system captures facial geometry templates from 3.2 million customers and stores them in a centralised database alongside loyalty identifiers, purchase histories, and email addresses. The templates are stored as raw mathematical representations — 128-dimensional floating-point vectors — without cryptographic transformation, because the engineering team prioritised matching speed over template protection. In month 14 of operation, an attacker exploits a SQL injection vulnerability in the loyalty programme's web portal, which shares a database cluster with the biometric template store. The attacker exfiltrates the full template database: 3.2 million facial geometry vectors linked to customer identities. Unlike the simultaneously compromised email addresses and loyalty points (which are reset within 48 hours), the facial geometry templates cannot be revoked. Every affected customer's face is now permanently compromised as an authentication factor across any system that uses facial recognition. Within six months, security researchers demonstrate that the stolen templates can be used to generate synthetic face images that defeat facial recognition systems at three major financial institutions. The retailer faces a class-action lawsuit under the Illinois Biometric Information Privacy Act (BIPA), resulting in a $228 million settlement — $5,000 per individual for reckless handling under BIPA's statutory damages provision. The remediation cost for the password and email compromise was $1.4 million; the remediation cost for the biometric compromise is unquantifiable because the biometric data cannot be remediated.

What went wrong: Templates were stored as raw mathematical vectors without cryptographic transformation, making them directly usable after exfiltration. The template database was co-located with the web-facing loyalty system, violating storage isolation principles. No architecture review assessed whether template storage met the irreversibility requirement — the permanent, non-revocable nature of biometric data. The system treated biometric templates with the same storage practices applied to passwords and email addresses, failing to account for the qualitative difference in compromise severity. Consequence: $228 million BIPA settlement, permanent identity compromise for 3.2 million individuals, reputational destruction, and ongoing litigation from financial institutions whose facial recognition systems were subsequently defeated using the stolen templates.

Scenario B — Cross-Context Template Linkage Enabling Surveillance: A municipal transit authority deploys an AI agent with palm-vein scanning for contactless fare payment at 340 stations. A separate city department deploys an AI agent with palm-vein scanning for identity verification at public benefits offices. Both systems use the same biometric modality and the same vendor SDK, producing mathematically compatible templates. Neither system's privacy impact assessment considers cross-context linkage risk. After a city council directive to "improve fraud detection across municipal services," a data analyst discovers that templates from the transit system can be matched against templates from the benefits system using a simple cosine similarity function. Without any formal authorisation process, the analyst links 42,000 transit usage records to benefits recipients, creating a comprehensive movement-tracking dataset for a vulnerable population. A civil liberties organisation obtains the linked dataset through a freedom-of-information request and publishes a report demonstrating that the city has built a de facto surveillance system targeting benefits recipients. The resulting lawsuit, public outcry, and federal investigation cost the city $47 million in legal fees, settlements, and system remediation, and both biometric programmes are permanently discontinued.

What went wrong: Templates from two independent systems were mathematically compatible, enabling cross-context linkage that neither system's design anticipated or authorised. No template transformation was applied that would make templates from one context unlinkable to templates from another. No access control prevented cross-system template comparison. The absence of context-specific template isolation turned two independent convenience systems into a combined surveillance infrastructure. Consequence: $47 million in costs, termination of both programmes, federal civil rights investigation, and erosion of public trust in municipal biometric systems.

Scenario C — BIPA Retention Violation Through Indefinite Template Storage: An employer deploys an AI-powered timekeeping system that uses fingerprint scanning for employee clock-in and clock-out. Over seven years, the system accumulates fingerprint templates for 14,600 current and former employees. The system has no template deletion mechanism — templates are retained indefinitely, including for employees who left the company years ago. The employer's written biometric data retention policy, drafted to comply with BIPA, states that templates will be destroyed within one year of the individual's last interaction with the system or within three years of collection, whichever comes first. But no automated enforcement mechanism implements this policy: it exists as a document, not as a system constraint. A BIPA class action is filed on behalf of 8,200 former employees whose templates were retained beyond the policy's stated retention period. The court finds that the employer wilfully violated BIPA Section 15(a) — the requirement to establish and comply with a retention schedule — because the employer had a written policy but made no effort to implement it. The statutory damages of $5,000 per violation for wilful non-compliance yield a potential liability of $41 million. The employer settles for $18.5 million. The per-employee cost of implementing automated template deletion would have been $0.23.

What went wrong: The retention policy existed on paper but was never implemented as a system control. No automated mechanism enforced template deletion when the retention period expired. The system accumulated templates indefinitely, creating both a legal liability and a security risk — an ever-growing database of biometric data for individuals with no continuing relationship with the organisation. The gap between documented policy and actual system behaviour is the defining characteristic of a BIPA retention violation. Consequence: $18.5 million settlement, ongoing compliance monitoring, and mandatory system redesign — all preventable with an automated deletion mechanism costing less than $3,400 for the entire employee population.

4. Requirement Statement

Scope: This dimension applies to every AI agent system that generates, receives, stores, processes, transmits, or matches biometric templates — mathematical representations derived from physiological or behavioural biometric characteristics including but not limited to: facial geometry, fingerprint minutiae, iris texture, retinal patterns, voiceprints, palm-vein maps, gait signatures, keystroke dynamics, and any other biometric modality from which a template can be extracted. The scope covers templates at every lifecycle stage: initial capture and enrolment, storage at rest, transmission between system components, matching and comparison operations, archival, and deletion. The scope extends to all environments where templates exist — cloud infrastructure, on-premises servers, edge devices, mobile applications, and embedded systems in robotic or CPS platforms. The scope includes both one-to-one verification templates (comparing a live sample against an enrolled template) and one-to-many identification templates (searching a live sample against a gallery). The scope applies regardless of whether the agent directly performs biometric processing or delegates to a third-party biometric SDK, API, or service — the deploying organisation retains governance accountability for template protection.

4.1. A conforming system MUST apply a cryptographic or irreversible transformation to all biometric templates before persistent storage, such that the stored representation cannot be reversed to recover the original biometric template or a biometric sample sufficient to spoof another system. Acceptable transformations include but are not limited to: cancellable biometrics, biometric salting, fuzzy vault schemes, secure sketch constructions, homomorphic encryption of templates, and any transformation that is demonstrably one-way under current cryptanalytic capabilities.

4.2. A conforming system MUST store biometric templates in a dedicated, logically or physically isolated data store that is not co-located with, or directly accessible from, general-purpose application databases, web-facing services, or systems whose compromise would expose the template store as a secondary target.

4.3. A conforming system MUST encrypt biometric templates at rest using an encryption algorithm and key length that meets or exceeds the requirements of AG-042 (Encryption & Cryptographic Control), with encryption keys managed separately from the template store and rotatable without requiring re-enrolment of biometric subjects.

4.4. A conforming system MUST encrypt biometric templates in transit between any system components — including between capture devices and processing servers, between processing servers and template stores, and between any services that transmit templates — using transport-layer encryption that meets or exceeds the requirements of AG-042.

4.5. A conforming system MUST enforce a documented retention schedule for biometric templates that specifies the maximum retention period, the triggering event for deletion (termination of the purpose for which the template was collected, end of the individual's relationship with the organisation, or expiration of a defined calendar period, whichever occurs first), and the deletion method. The retention schedule MUST be implemented as an automated system control, not merely documented as a policy.

4.6. A conforming system MUST execute verified deletion of biometric templates when the retention period expires or when a data subject exercises a deletion right, such that the template is irrecoverable from primary storage, backup storage, replica storage, and any cache or intermediate store. Deletion verification MUST be logged with a timestamp and a confirmation that all copies have been destroyed.

4.7. A conforming system MUST apply context-specific template transformation or domain separation such that a biometric template generated for one application context cannot be used to match against templates in a different application context, preventing cross-context linkage even if both template stores are compromised.

4.8. A conforming system MUST maintain an auditable inventory of all locations where biometric templates are stored, including primary databases, backup systems, disaster recovery replicas, edge device caches, and any third-party systems to which templates have been transmitted. The inventory MUST be reviewed and validated at least quarterly.

4.9. A conforming system MUST implement access controls that restrict template access to the minimum set of system components and personnel required for the authorised biometric function, with all access events logged, and with no human operator able to export, copy, or bulk-extract raw or transformed templates without a documented, pre-approved authorisation from the data protection function.

4.10. A conforming system MUST maintain a biometric breach response plan that is specific to biometric template compromise — distinct from the organisation's general data breach response plan — and that addresses the irreversible nature of biometric compromise, including notification to affected individuals that their biometric identifier is permanently compromised, guidance on implications for other systems using the same biometric modality, and a remediation pathway such as re-enrolment with a different transformation key or migration to an alternative biometric modality.

4.11. A conforming system SHOULD implement template protection schemes that support renewability — the ability to revoke a compromised transformed template and generate a new transformed template from the same biometric source using a different transformation key, without requiring the individual to change their biometric characteristic (which is impossible).

4.12. A conforming system SHOULD perform periodic cryptographic assessment of the template transformation scheme to verify that advances in cryptanalysis, computational capability, or AI-based inversion attacks have not degraded the irreversibility guarantee below the required threshold.

4.13. A conforming system MAY implement decentralised template storage architectures — such as on-device template storage where the template never leaves the individual's personal device — to eliminate centralised template databases and the associated breach risk.

5. Rationale

Biometric templates occupy a unique position in the data protection landscape because they embody an irresolvable tension: they are simultaneously the most reliable form of individual identification and the most dangerous form of data to store. A biometric template is mathematically derived from a physical characteristic that the individual cannot change. Unlike every other authentication credential — passwords, PINs, tokens, certificates, cryptographic keys — a biometric identifier is permanently bound to the individual's body. This permanence creates the fundamental governance challenge: the consequence of compromise is not a temporary inconvenience requiring credential rotation, but a permanent identity vulnerability that persists for the individual's lifetime.

The severity of biometric template compromise is qualitatively different from other data breaches. When a password database is breached, the affected users change their passwords and the vulnerability is resolved. When a biometric template database is breached, the affected individuals cannot change their fingerprints, facial geometry, or iris patterns. The compromised templates can be replayed against any system that accepts the same biometric modality, and no remediation can undo the exposure. This asymmetry — easy to compromise, impossible to remediate — demands a governance posture that treats biometric templates as irreplaceable critical assets, not as ordinary authentication data.

The legal landscape reinforces this technical reality. The Illinois Biometric Information Privacy Act (BIPA) — the most consequential biometric privacy statute in the United States — imposes strict requirements on biometric data collection, storage, and retention, with statutory damages of $1,000 per negligent violation and $5,000 per wilful violation. BIPA litigation has produced some of the largest privacy settlements in history: Facebook's $650 million settlement (2021), Google's $100 million settlement (2022), and numerous employer class actions exceeding $10 million for timekeeping fingerprint systems. The EU General Data Protection Regulation classifies biometric data processed for identification purposes as a special category under Article 9, requiring explicit consent and heightened protection measures. The GDPR's data minimisation principle (Article 5(1)(c)) and storage limitation principle (Article 5(1)(e)) directly mandate the retention controls specified in this dimension. Brazil's LGPD, South Korea's PIPA, and India's DPDP Act similarly classify biometric data for enhanced protection.

Cross-context linkage represents a particularly insidious threat. When biometric templates from independent systems are mathematically compatible — because they use the same modality, the same vendor SDK, or the same feature extraction algorithm — the templates can be matched across contexts to build comprehensive profiles that neither system individually authorised. A fingerprint template enrolled for gym access can be matched against a fingerprint template enrolled for a government identity programme, linking the individual's fitness habits to their government records. This cross-context linkage potential transforms every biometric system into a node in a potential surveillance network. Context-specific template transformation — applying different, irreversible transformations to templates in different contexts — breaks the mathematical linkability and confines each template to its authorised purpose.

The retention dimension of biometric template governance addresses a pattern repeatedly demonstrated in BIPA litigation: organisations that collect biometric data, implement no automated deletion mechanism, and accumulate templates indefinitely — including for individuals who have long since ceased any relationship with the organisation. The retention violation is typically discovered years after it began, by which time the accumulated liability is enormous. Automated retention enforcement is not merely a governance best practice; it is a legal necessity in jurisdictions with biometric privacy statutes, and a risk management imperative everywhere else.

Template protection technology has matured to the point where the failure to implement it is a governance choice, not a technical constraint. Cancellable biometric schemes, fuzzy vault constructions, secure sketch methods, and homomorphic encryption of templates all provide mechanisms to store biometric data in a form that cannot be reversed to recover the original template. These schemes impose computational overhead — typically 10-30% additional processing time for matching operations — but this overhead is negligible compared to the liability exposure of storing raw templates. The argument that template protection degrades matching performance is no longer tenable given the state of the art; organisations that store raw templates are making a cost-convenience tradeoff that regulatory and litigation environments no longer tolerate.

6. Implementation Guidance

Biometric Template Protection Governance requires a defence-in-depth architecture that addresses template security at every lifecycle stage — from initial capture through enrolment, storage, matching, and eventual deletion. The core design principle is that no single point of compromise should expose raw biometric templates, and no template should persist beyond its authorised purpose and retention period.

Recommended patterns:

• Irreversible template transformation at the point of capture. Apply the cryptographic or irreversible transformation as close to the biometric sensor as architecturally feasible — ideally in the capture device's secure enclave or trusted execution environment — so that raw biometric data never traverses the network or reaches the application layer. The transformation should accept a context-specific key or salt, producing a transformed template that is unique to the application context. If the capture device lacks a secure enclave, perform the transformation in the first processing component that receives the raw biometric sample, and ensure that the raw sample is zeroed from memory immediately after transformation. This pattern minimises the attack surface for raw template interception.
• Dedicated biometric template vault. Implement a purpose-built, isolated storage component for biometric templates — a "biometric vault" — that is network-segmented from general application infrastructure. The vault exposes only a narrow API: enrol (store a transformed template), match (compare a probe template against enrolled templates and return a match/no-match decision), and delete (remove a template). The vault does not expose bulk export, query-by-template, or administrative access to raw template data. Authentication to the vault API uses mutual TLS with certificate pinning. The vault maintains its own encryption at rest, independent of the underlying storage infrastructure's encryption. This architecture ensures that even if the application layer is fully compromised, the attacker cannot extract templates from the vault — they can only submit match requests through the controlled API.
• Context-specific domain keys for cross-context isolation. Assign a unique domain key to each application context that uses biometric templates. The domain key is incorporated into the template transformation, producing templates that are mathematically incompatible across contexts. A facial recognition template generated with the retail loyalty domain key cannot be compared against a facial recognition template generated with the building access domain key, even though both are derived from the same individual's face. If one domain's template store is compromised, the attacker gains no capability against templates in other domains. Domain keys are managed by the cryptographic key management infrastructure under AG-042, with key rotation procedures that allow re-transformation of enrolled templates without requiring biometric re-enrolment (using a stored intermediate representation that is itself encrypted and access-controlled).
• Automated retention enforcement with deletion verification. Implement retention enforcement as a system-level scheduled process that runs at defined intervals (recommended daily). The process identifies templates whose retention period has expired — based on the triggering event (relationship termination, purpose completion, or calendar expiration) — and executes deletion across all storage locations: primary database, backup tapes, disaster recovery replicas, edge device caches, and any third-party systems. Deletion is verified by attempting to retrieve the template after the deletion operation; the verification result is logged. For backup media where individual record deletion is impractical, implement crypto-shredding: encrypt each template with a unique per-template key, and destroy the key when the template's retention period expires.
• Breach-specific response for biometric compromise. Develop a biometric breach response playbook that is distinct from the general data breach playbook. The biometric playbook must address: immediate containment (isolating the compromised template store), impact assessment (determining which templates were exposed and whether the transformation was sufficient to prevent template recovery), notification content (explaining to affected individuals that their biometric identifier may be permanently compromised and advising them to monitor any other systems where they have enrolled the same biometric modality), remediation actions (re-enrolling affected individuals with a new transformation key if the protection scheme supports renewability, or migrating to an alternative modality if re-transformation is not feasible), and regulatory notification (which may have shorter timelines for biometric data under jurisdictional requirements).
• Template inventory reconciliation. Maintain a machine-readable inventory of every location where biometric templates exist — including locations that may not be obvious, such as developer staging environments, QA databases populated with production data, analytics pipelines that receive template metadata, and third-party integrator systems. Conduct quarterly reconciliation: compare the inventory against actual storage locations discovered through infrastructure scanning, and investigate any discrepancies. Templates found in unauthorised locations are treated as a security incident.

Anti-patterns to avoid:

• Storing raw biometric vectors for matching speed. Storing untransformed template vectors because the irreversible transformation adds computational overhead to matching operations. The 10-30% matching latency increase is negligible compared to the liability of a raw template breach. Organisations that optimise for matching speed at the expense of template protection are making a tradeoff that no reasonable risk assessment supports.
• Co-locating template stores with application databases. Placing biometric templates in the same database instance, cluster, or storage account as general application data. This pattern ensures that any application-layer vulnerability — SQL injection, API misconfiguration, credential compromise — exposes the template store as collateral damage.
• Policy-only retention without automated enforcement. Documenting a biometric data retention policy without implementing automated deletion. This is the pattern that produces BIPA class actions: the policy exists, the system ignores it, and templates accumulate indefinitely. A retention policy that is not implemented as a system control is not a control — it is evidence of wilful non-compliance.
• Using identical template representations across contexts. Generating mathematically identical templates for the same individual across different application contexts. This enables cross-context linkage and converts each biometric system into a potential surveillance node. Even within a single organisation, different application contexts should use context-specific transformations.
• Relying on infrastructure encryption alone. Treating storage-layer encryption (e.g., transparent data encryption, encrypted EBS volumes) as sufficient template protection. Infrastructure encryption protects against physical media theft but provides no protection against application-layer compromise, insider threats, or authorised database queries. Template protection requires application-layer irreversible transformation in addition to infrastructure encryption.

Industry Considerations

Retail and Customer-Facing. Customer-facing biometric systems — loyalty identification, age verification, checkout authentication — face the highest BIPA exposure because they collect biometric data from the general public at scale. Template protection is not optional in BIPA jurisdictions; it is a statutory requirement. Retail organisations should default to on-device template storage (where the template never leaves the customer's personal device) to eliminate centralised template databases entirely. Where centralised storage is operationally necessary, the full template vault architecture is required.

Public Sector and Rights-Sensitive. Government biometric systems — identity verification for benefits, border control, law enforcement databases — face heightened scrutiny because of the power asymmetry between the state and the individual. Cross-context linkage between government biometric systems is particularly dangerous because it can enable population-scale surveillance without legislative authorisation. Public sector deployments must implement strict context-specific domain separation and must not share templates across departmental boundaries without explicit legal authority and data protection impact assessment.

Safety-Critical and CPS. Biometric authentication in safety-critical systems — nuclear facility access, industrial control system operator verification, aviation crew authentication — must balance template protection with authentication reliability. Safety-critical environments should implement multi-modal biometric systems (combining two or more modalities) to maintain authentication reliability even if one modality's template protection scheme introduces matching degradation. Template stores for safety-critical access must be protected against both external compromise and insider manipulation (an attacker who can modify templates could grant themselves access to restricted areas).

Embodied, Edge, and Robotic. Robotic and edge-deployed agents that perform biometric recognition — warehouse robots identifying workers, delivery drones verifying recipients, autonomous vehicles authenticating passengers — face unique constraints: limited computational resources for template transformation, intermittent network connectivity that may prevent real-time access to centralised template stores, and physical vulnerability to device theft or tampering. Edge deployments should implement hardware-backed secure enclaves for template storage and matching, with remote attestation to verify enclave integrity. Templates cached on edge devices for offline operation must be encrypted with device-specific keys and must be subject to aggressive retention limits (hours, not months).

Maturity Model

Basic Implementation — The organisation has applied irreversible transformation to all biometric templates before persistent storage. Templates are stored in an isolated, encrypted data store. A documented retention schedule exists and is implemented as an automated system control. Template access is restricted to authorised system components. A biometric breach response plan exists. This level meets the minimum mandatory requirements.

Intermediate Implementation — All basic capabilities plus: context-specific domain keys prevent cross-context template linkage. A maintained inventory of all template storage locations is reconciled quarterly. Deletion verification confirms irrecoverability across all storage tiers. Cryptographic assessment of the template transformation scheme is conducted annually. The template vault exposes only a narrow matching API with no bulk export capability.

Advanced Implementation — All intermediate capabilities plus: templates are generated and matched within hardware-backed secure enclaves, and raw biometric data never exists outside the enclave boundary. On-device or decentralised template storage eliminates centralised template databases. Template protection schemes support renewability — compromised templates can be revoked and re-generated without biometric re-enrolment. Independent penetration testing of the template vault is conducted annually, including template inversion attacks. The organisation can demonstrate through empirical testing that compromised transformed templates cannot be used to recover the original biometric sample or to authenticate against systems using a different transformation key.

7. Evidence Requirements

Required artefacts:

• Template protection scheme documentation. Technical documentation of the irreversible transformation applied to biometric templates, including the algorithm, key management approach, and a security analysis demonstrating that the transformation is one-way under current cryptanalytic capabilities. Must identify the specific scheme (e.g., cancellable biometrics, fuzzy vault, biometric salting) and reference the academic or industry literature supporting its security properties.
• Template storage architecture documentation. Architecture diagrams and configuration documentation showing the logical or physical isolation of the biometric template store from general application infrastructure. Must include network segmentation details, API access controls, and encryption configuration for data at rest and in transit.
• Retention schedule and automated enforcement evidence. The documented retention schedule specifying maximum retention periods and triggering events, plus evidence that the automated deletion mechanism operates as specified — including deletion execution logs showing templates deleted, timestamps, and verification results confirming irrecoverability.
• Template inventory. A current, machine-readable inventory of all locations where biometric templates are stored, including primary databases, backups, replicas, edge caches, and third-party systems. Must include the most recent quarterly reconciliation report showing discrepancies found and resolved.
• Access control configuration and logs. Configuration documentation showing the access controls restricting template access to authorised components and personnel. Access logs covering the audit period showing all template access events, including any bulk access or export requests and their authorisation documentation.
• Context-specific domain separation evidence. Documentation of the domain keys or context-specific transformations applied to prevent cross-context template linkage. Must include a technical demonstration or test result showing that templates from one context cannot be matched against templates from another context.
• Biometric breach response plan. The current biometric-specific breach response plan, distinct from the general data breach response plan, addressing the irreversible nature of biometric compromise. Must include notification templates, remediation pathways, and escalation procedures.
• Cryptographic assessment report. The most recent assessment of the template transformation scheme's security properties, including evaluation against current cryptanalytic techniques and AI-based template inversion attacks.

Retention requirements:

• Template protection scheme documentation and architecture diagrams: retained for the operational lifetime of the system plus 7 years for regulated financial services; plus 5 years for other regulated sectors; plus 3 years otherwise.
• Deletion execution logs and access logs: same retention as audit trail records under AG-036 and AG-023.
• Template inventory and reconciliation reports: minimum 3 years.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Template Irreversibility Verification (Requirement 4.1)

• Stimulus: Extract a sample of 50 transformed templates from the production template store. Attempt to reverse the transformation using: (a) brute-force inversion against the transformation function, (b) known academic attacks against the specific template protection scheme, and (c) a trained neural network inversion model (if applicable to the modality). Measure whether any attack recovers a biometric representation sufficient to achieve a match score above the system's acceptance threshold against the original enrolled template in a separate, unprotected reference system.
• Expected behaviour: No inversion attack recovers a representation that achieves a match score above the acceptance threshold.
• Pass criteria: Zero out of 50 transformed templates are successfully inverted to a representation that matches the original biometric source above the acceptance threshold.
• Fail criteria: Any transformed template is inverted to a representation that matches the original above the acceptance threshold, or the organisation cannot demonstrate what transformation scheme is applied and provide a security analysis.

Test 8.2: Storage Isolation Verification (Requirement 4.2)

• Stimulus: From the general application layer (using credentials with full application-level database access but no biometric vault credentials), attempt to query, connect to, or access the biometric template store through: (a) direct database connection, (b) network-level access to the template store's host or port, and (c) any shared storage infrastructure (shared file systems, shared object storage buckets). Additionally, simulate a full application-layer compromise (SQL injection in the application database) and verify that the template store is not reachable from the compromised context.
• Expected behaviour: All access attempts fail. The template store is unreachable from the general application context.
• Pass criteria: Zero access paths exist from the general application layer to the template store. The simulated application-layer compromise does not yield access to any biometric templates.
• Fail criteria: Any access path permits reading, writing, or querying biometric templates from the general application context, or the template store is network-reachable from the compromised application infrastructure.

Test 8.3: Encryption at Rest Verification (Requirement 4.3)

• Stimulus: Access the raw storage medium (disk, object store, database files) underlying the biometric template store. Attempt to read template data directly from the storage medium, bypassing the application and database layers. Verify that the data is encrypted and that the encryption keys are not stored on the same medium or in the same key management scope as the template data.
• Expected behaviour: Template data read directly from the storage medium is encrypted and unreadable without the encryption keys. Keys are stored in a separate key management system.
• Pass criteria: Raw storage reads return only encrypted data. Encryption key storage is physically or logically separate from template storage. The key management system meets AG-042 requirements.
• Fail criteria: Template data is readable in plaintext from the storage medium, or encryption keys are co-located with the template store.

Test 8.4: Encryption in Transit Verification (Requirement 4.4)

• Stimulus: Capture network traffic between the biometric capture device and the processing server, and between the processing server and the template store, during a live enrolment and matching operation. Analyse the captured traffic for template data transmitted in plaintext.
• Expected behaviour: All template data in transit is encrypted. No plaintext template representations appear in captured network traffic.
• Pass criteria: 100% of template transmissions are encrypted using protocols and cipher suites that meet AG-042 requirements. Zero plaintext templates are observed in network captures.
• Fail criteria: Any template transmission occurs without encryption, or the encryption protocol or cipher suite does not meet AG-042 requirements.

Test 8.5: Automated Retention Enforcement Verification (Requirement 4.5)

• Stimulus: Enrol 10 test biometric templates with a retention period that expires within the test window (e.g., retention period of 24 hours). After the retention period expires, verify that the automated deletion mechanism has executed. Attempt to retrieve the 10 templates from: (a) the primary template store, (b) any backup systems, (c) any replica or disaster recovery systems, and (d) any edge device caches.
• Expected behaviour: All 10 templates are automatically deleted from all storage locations after the retention period expires. Retrieval attempts return no results.
• Pass criteria: Zero out of 10 expired templates are retrievable from any storage location. Deletion execution logs show timestamps and verification confirmations for all 10 deletions.
• Fail criteria: Any expired template is retrievable from any storage location, or the automated deletion mechanism did not execute within the defined tolerance period after retention expiry.

Test 8.6: Verified Deletion Completeness (Requirement 4.6)

• Stimulus: Issue a deletion request for 5 test templates (simulating a data subject deletion right exercise). Verify that the deletion is executed across all storage tiers and that the deletion log records the timestamp and confirmation for each storage location. After deletion, attempt forensic recovery of the deleted templates from the storage medium.
• Expected behaviour: All 5 templates are deleted from all storage tiers. Deletion logs are complete. Forensic recovery does not retrieve the deleted templates.
• Pass criteria: Zero out of 5 deleted templates are recoverable through forensic techniques. Deletion logs record the deletion timestamp and per-location confirmation for each template.
• Fail criteria: Any deleted template is forensically recoverable, or deletion logs are incomplete or missing.

Test 8.7: Cross-Context Linkage Prevention (Requirement 4.7)

• Stimulus: Enrol the same biometric source (a test subject's biometric sample) in two different application contexts that use context-specific domain keys. Extract the transformed templates from both contexts. Attempt to match the two templates against each other using: (a) the system's standard matching algorithm, and (b) a correlation analysis to detect statistical relationships between the two transformed representations.
• Expected behaviour: The two templates are mathematically unlinkable. The matching algorithm returns a score below the acceptance threshold. Correlation analysis does not identify a statistically significant relationship.
• Pass criteria: The match score between cross-context templates is below the system's rejection threshold (not merely below the acceptance threshold — it should be indistinguishable from a non-match). Correlation analysis yields no statistically significant linkage (p > 0.05).
• Fail criteria: The cross-context match score exceeds the rejection threshold, or correlation analysis identifies a statistically significant relationship between templates from different contexts.

Test 8.8: Template Inventory Completeness (Requirement 4.8)

• Stimulus: Conduct an infrastructure scan across all environments (production, staging, disaster recovery, edge devices, third-party integrations) to discover storage locations containing biometric template data. Compare the discovered locations against the documented template inventory.
• Expected behaviour: All discovered template storage locations are present in the documented inventory. No undocumented template locations exist.
• Pass criteria: 100% of discovered template storage locations match entries in the documented inventory. The most recent quarterly reconciliation report is dated within the last 90 days.
• Fail criteria: Any template storage location is discovered that is not in the documented inventory, or the quarterly reconciliation has not been performed within the last 90 days.

Test 8.9: Access Control and Export Prevention (Requirement 4.9)

• Stimulus: Using credentials of a non-authorised role (e.g., a general application administrator), attempt to: (a) read individual templates from the template store, (b) execute a bulk export of templates, and (c) copy templates to an external location. Then, using an authorised biometric system component's credentials, attempt a bulk export without a pre-approved authorisation document.
• Expected behaviour: All non-authorised access attempts are denied and logged. The authorised component's bulk export attempt without pre-approval is denied and logged.
• Pass criteria: Zero templates are accessible to non-authorised roles. Bulk export is blocked without documented pre-approval. All denied access attempts are recorded in the access log.
• Fail criteria: Any non-authorised access attempt succeeds, or bulk export is possible without pre-approved authorisation.

Test 8.10: Biometric Breach Response Plan Validation (Requirement 4.10)

• Stimulus: Execute a tabletop exercise simulating a biometric template database breach. Verify that the biometric-specific breach response plan is invoked (not the general data breach plan), that the plan addresses the irreversible nature of biometric compromise in its notification content, that the plan includes guidance to affected individuals about implications for other biometric systems, and that the plan includes a remediation pathway (re-enrolment with a new transformation key or modality migration).
• Expected behaviour: The biometric breach response plan is distinct from the general plan, addresses irreversibility, provides individual guidance, and includes a technical remediation pathway.
• Pass criteria: The tabletop exercise demonstrates that the biometric breach response plan exists as a distinct document, is known to the incident response team, addresses biometric-specific concerns (irreversibility, cross-system implications), and includes a feasible remediation pathway. Notification templates explicitly reference the permanent nature of biometric compromise.
• Fail criteria: No biometric-specific breach response plan exists, the incident response team is unaware of it, the plan does not address the irreversible nature of biometric data, or no remediation pathway is defined.

Conformance Scoring

• Score 0: Biometric templates are stored as raw mathematical representations without cryptographic transformation. No storage isolation, retention enforcement, or cross-context linkage prevention is implemented. No biometric-specific breach response plan exists.
• Score 1: Irreversible template transformation is applied before storage. Templates are encrypted at rest and in transit. A retention schedule is documented and automated deletion is implemented. Storage is isolated from general application infrastructure. This level meets the minimum mandatory requirements but may lack cross-context domain separation, comprehensive inventory management, or biometric-specific breach response planning.
• Score 2: All Score 1 capabilities plus: context-specific domain keys prevent cross-context linkage. A complete template inventory is maintained and reconciled quarterly. Access controls prevent bulk export without pre-approval. A biometric-specific breach response plan addresses irreversibility and includes remediation pathways. Deletion verification confirms irrecoverability across all storage tiers.
• Score 3: Verified by independent audit — an external party has validated the irreversibility of the template transformation through inversion testing, confirmed storage isolation through penetration testing, verified deletion completeness through forensic analysis, and confirmed cross-context unlinkability through statistical analysis. The organisation demonstrates renewability — the ability to revoke and regenerate compromised templates without biometric re-enrolment.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
Illinois BIPA	Section 15(a) (Retention and Destruction), Section 15(c) (Sale/Disclosure), Section 15(e) (Storage/Transmission)	Direct requirement
EU GDPR	Article 9 (Special Categories), Article 5(1)(c)(e)(f) (Data Minimisation, Storage Limitation, Integrity/Confidentiality)	Direct requirement
EU AI Act	Article 10 (Data Governance), Article 14 (Human Oversight)	Supports compliance
NIST AI RMF	GOVERN 1.5 (Risk Management Processes), MAP 3.5, MANAGE 2.2	Supports compliance
ISO/IEC 24745	Biometric Template Protection (full standard)	Direct requirement
ISO 42001	Annex A.8 (Data for AI Systems), Clause 6.1.2 (AI Risk Assessment)	Supports compliance
CCPA/CPRA	Section 1798.140(b) (Biometric Information Definition), Section 1798.100 (Right to Delete)	Direct requirement
Texas CUBI	Business and Commerce Code 503.001 (Capture or Use of Biometric Identifier)	Direct requirement

Illinois BIPA — Section 15

BIPA Section 15(a) requires private entities in possession of biometric identifiers or biometric information to develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collection has been satisfied or within three years of the individual's last interaction with the entity, whichever occurs first. AG-673's Requirement 4.5 (automated retention enforcement) and Requirement 4.6 (verified deletion) directly operationalise this obligation. BIPA's statutory damages — $1,000 per negligent violation, $5,000 per wilful violation, with no cap on aggregate damages — mean that retention violations affecting thousands of individuals produce eight- and nine-figure liability exposure. The critical BIPA compliance insight is that a written policy alone is insufficient; Section 15(a) requires that the policy be followed. A documented retention schedule with no automated enforcement mechanism is evidence of wilful non-compliance, not compliance.

EU GDPR — Article 9 and Article 5

GDPR Article 9 classifies biometric data processed for the purpose of uniquely identifying a natural person as a special category of personal data, requiring explicit consent under Article 9(2)(a) or another lawful basis under Article 9(2). Article 5(1)(f) — the integrity and confidentiality principle — requires that personal data is processed in a manner ensuring appropriate security, including protection against unauthorised processing and accidental loss. For biometric templates, "appropriate security" demands the irreversible transformation and storage isolation specified by AG-673, because the irreversible nature of biometric data means that a breach produces permanent harm that cannot be remediated by the standard GDPR breach response (notification, access restriction, and monitoring). Article 5(1)(e) — the storage limitation principle — requires that biometric data is kept for no longer than necessary. AG-673's automated retention enforcement with verified deletion operationalises this principle. The GDPR's accountability principle (Article 5(2)) requires the organisation to demonstrate compliance, which maps to the evidence requirements in Section 7.

ISO/IEC 24745 — Biometric Template Protection

ISO/IEC 24745 is the international standard specifically addressing biometric template protection. It defines requirements for irreversibility (the transformed template cannot be used to recover the original biometric sample), renewability (a compromised template can be replaced with a new template derived from the same biometric source), and unlinkability (templates generated from the same biometric source for different applications cannot be linked). AG-673's Requirements 4.1 (irreversible transformation), 4.7 (cross-context linkage prevention), and 4.11 (renewability) are directly derived from ISO/IEC 24745's framework. Organisations implementing AG-673 should reference ISO/IEC 24745 for detailed technical guidance on template protection scheme selection, security analysis methodology, and performance evaluation.

CCPA/CPRA — Biometric Information

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, includes biometric information in the definition of personal information (Section 1798.140(b)) and sensitive personal information (Section 1798.140(ae)). Consumers have the right to request deletion of their personal information (Section 1798.100), including biometric data. AG-673's Requirement 4.6 (verified deletion upon data subject request) operationalises this right. The CPRA's requirement for businesses to implement reasonable security measures for sensitive personal information (Section 1798.100(e)) maps to AG-673's template protection, encryption, and isolation requirements.

Texas CUBI — Capture or Use of Biometric Identifier

Texas Business and Commerce Code Chapter 503 prohibits the capture of a biometric identifier for a commercial purpose unless the individual is informed and consents. Section 503.001(c) requires that biometric identifiers are destroyed within a reasonable time, not exceeding the first anniversary of the date the purpose for collection expires. AG-673's retention and deletion requirements directly operationalise CUBI's destruction obligation. While CUBI initially lacked a private right of action, the Texas Data Privacy and Security Act and subsequent amendments have expanded enforcement mechanisms, making template retention violations increasingly consequential.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Population-scale — affects every individual whose biometric template is compromised, with irreversible lifetime consequences

Consequence chain: A biometric template protection failure begins at the storage layer — raw templates stored without irreversible transformation, templates co-located with general application databases, or retention mechanisms that fail to delete expired templates. The failure is invisible during normal operations because the biometric system functions correctly regardless of whether templates are properly protected. The failure materialises through one of three channels. First, external breach: an attacker compromises the application infrastructure and reaches the template store, exfiltrating raw or insufficiently protected templates. Because the templates are not irreversibly transformed, they are directly usable for impersonation against any system that accepts the same biometric modality. The affected individuals' biometric identifiers are permanently compromised — they cannot change their fingerprints, faces, or irises. Second, cross-context linkage: mathematically compatible templates from separate systems are matched, creating unauthorised profiles that violate purpose limitation and may constitute surveillance. The affected individuals are unaware that their participation in one biometric system has exposed their activities in another. Third, retention accumulation: templates persist beyond their authorised retention period, growing the liability surface with each passing month. Former employees, former customers, and individuals who withdrew consent have their biometric data retained indefinitely, creating both a legal liability under BIPA, GDPR, and equivalent statutes, and a security risk — a larger database is a more attractive target and produces greater harm when breached. The downstream consequences are characteristically severe and irreversible. BIPA litigation has produced settlements exceeding $100 million for template storage violations. GDPR enforcement for biometric data mishandling carries fines up to 4% of global annual turnover. Beyond financial penalties, the reputational damage of a biometric breach is uniquely persistent because the affected individuals can never fully remediate the compromise — every subsequent use of the compromised biometric modality carries residual risk. The consequence chain extends to third-party systems: a biometric template breached from one organisation can be used to attack authentication systems at other organisations that use the same modality, creating cascading liability and eroding trust in biometric authentication as a category.

Cross-references: AG-036 (Data Retention & Disposal) provides the general retention governance framework; AG-673 specifies the biometric-specific retention requirements that account for the irreversible nature of biometric data. AG-042 (Encryption & Cryptographic Control) defines encryption standards; AG-673 requires those standards be applied to biometric templates with additional template-specific protections (irreversible transformation) beyond standard encryption. AG-669 (Biometric Purpose Limitation) governs what purposes biometric data may be used for; AG-673 governs how the templates supporting those purposes are protected. AG-674 (Cross-Context Biometric Reuse) addresses the policy dimension of cross-context usage; AG-673 addresses the technical dimension through context-specific domain separation. AG-677 (Consent and Notice for Biometrics) governs the legal basis for biometric data collection; AG-673 governs the technical protection of the data collected under that legal basis. AG-678 (Biometric Redress) provides remediation pathways for individuals; AG-673's renewability and breach response requirements provide the technical foundation for that redress.