Spoof-Response Escalation Governance

2. Summary

Spoof-Response Escalation Governance defines the mandatory containment actions, escalation pathways, and safe-state transitions that an AI agent must execute when biometric spoofing is detected or when biometric matching produces uncertain, ambiguous, or anomalous results. Biometric authentication systems — voice recognition, facial recognition, fingerprint matching, iris scanning, gait analysis — are exposed to a growing and increasingly sophisticated array of presentation attacks: deepfake audio synthesis that reproduces a target speaker's voice with sub-second latency, 3D-printed facial masks that defeat structured-light depth sensors, adversarial makeup patterns that cause misclassification in convolutional neural networks, and replay attacks using high-resolution video displayed on screens with controlled ambient lighting. When an agent detects indicators of spoofing — liveness check failure, anomalous confidence score distributions, sensor integrity violations, temporal inconsistencies between biometric modalities — the agent must execute a pre-defined containment response that prevents the attacker from gaining access, preserves forensic evidence for investigation, avoids penalising legitimate users through disproportionate lockout, and escalates the incident to human operators with sufficient context to assess the threat. This dimension governs the response, not the detection: it assumes that detection mechanisms exist (per AG-670 Liveness Verification and AG-043 Adversarial Robustness Testing) and prescribes what the agent must do when those mechanisms fire.

3. Example

Scenario A — Deepfake Bypass of Voice Authentication at a Financial Institution:

A retail bank deploys an AI agent for telephone banking authentication. Customers authenticate by speaking a passphrase, and the agent compares the voice sample against the enrolled voiceprint using a deep neural network speaker verification model. The model returns a similarity score between 0 and 1, with an acceptance threshold of 0.82. A threat actor obtains a 14-second sample of a customer's voice from a public earnings call recording and uses a real-time voice conversion model to synthesise speech in the customer's voice. The synthesised voice achieves a similarity score of 0.87 — above the acceptance threshold. However, the agent's liveness detection subsystem flags two anomalies: the audio spectrum lacks the micro-tremor patterns characteristic of live speech produced by a human larynx, and the signal-to-noise ratio is unusually uniform across the call, consistent with synthetic audio played through a digital audio interface rather than a telephone handset microphone.

Without spoof-response escalation governance, the agent faces a conflict: the primary biometric match succeeds (0.87 exceeds 0.82), but auxiliary signals indicate possible spoofing. A naive implementation might either accept the authentication (ignoring the liveness anomalies and granting the attacker access to the customer's accounts) or reject the authentication with a generic failure message (alerting the attacker that their synthesis technique was detected, enabling them to refine their approach). Neither response is safe.

With spoof-response escalation governance, the agent executes a pre-defined containment response: it does not grant access but also does not reveal the specific reason for rejection. It presents a generic "additional verification required" message and routes the call to a human fraud analyst with a priority flag. The agent transmits the full audio sample, the similarity score, the specific liveness anomalies detected, and the caller's claimed identity to the fraud analyst's workstation before the transfer completes. The agent simultaneously creates an incident record classified as a suspected presentation attack, locks the customer's account against further telephone authentication attempts pending human review, and sends an out-of-band notification to the genuine customer via their registered mobile number and email address. The fraud analyst reviews the evidence, confirms the synthetic audio indicators, and initiates the bank's fraud investigation procedure. The customer's account is protected, forensic evidence is preserved, and the attacker receives no information about which detection mechanism caught them.

What the governance controls: The containment response sequence — deny access without revealing detection rationale, escalate with evidence, lock the authentication channel, notify the genuine account holder, create an incident record — is defined in advance and executes deterministically when the liveness subsystem flags anomalies above the defined severity threshold. The agent does not exercise discretion about whether to escalate; the escalation is mandatory and automatic. The human analyst receives structured evidence, not a raw alert, enabling rapid triage.

Scenario B — Presentation Attack on Facial Recognition at Border Control:

A border control agency deploys an AI agent at automated passport gates. The agent captures a live image of the traveller's face, compares it against the passport chip photograph, and makes an accept/refer decision. Acceptance opens the gate; referral directs the traveller to a manned booth for officer inspection. A threat actor approaches the gate wearing a silicone mask fabricated from 3D scans of the passport holder's face. The mask is high-fidelity — matched skin tone, accurate geometry, embedded synthetic hair for eyebrows and hairline. The agent's facial recognition model returns a similarity score of 0.91 against a threshold of 0.85. However, the agent's multi-spectral liveness detection identifies two anomalies: near-infrared reflectance from the mask surface exhibits absorption characteristics inconsistent with human skin (silicone reflects NIR at 1.2 microns differently from melanin-bearing skin), and micro-expression analysis detects no involuntary facial micro-movements in the periorbital region during the 3-second capture window — the mask is rigid where a human face would exhibit involuntary muscular activity.

Without spoof-response escalation governance, the agent might simply reject the traveller with an "authentication failed" message, allowing them to leave the queue, discard the mask, and attempt entry through a different gate or a manned booth where the silicone mask might be harder to detect under different lighting conditions. Alternatively, a poorly configured system might accept the match because the primary similarity score exceeds the threshold, ignoring the liveness anomalies.

With spoof-response escalation governance, the agent executes a containment response calibrated to the border-control threat model: it does not open the gate, displays a neutral "please wait" message on the passenger-facing screen (not "spoofing detected"), and simultaneously transmits a priority alert to the border control officer station that includes the captured images (visible and NIR), the similarity score, the specific liveness anomalies, and the passport data. The alert is classified as a suspected presentation attack, which under the agency's incident protocol triggers immediate officer response to the gate. The agent retains the traveller at the gate by keeping it in a locked "processing" state — the traveller cannot proceed forward or retreat backward without officer intervention. The gate's cameras continue recording. The officer arrives within 90 seconds, inspects the traveller, identifies the silicone mask, and initiates law enforcement procedures. The forensic evidence — images, scores, anomaly data, video — is preserved in the incident record and is admissible because it was captured and retained under the pre-defined governance protocol.

What the governance controls: The containment response — physical retention at the gate, covert alerting to officers, continued evidence capture, neutral passenger-facing messaging — is pre-defined for the border-control context. The agent does not decide whether to detain; the containment protocol is triggered automatically when liveness anomalies exceed the defined threshold. The response is calibrated to the physical environment (the gate can physically retain the traveller) and the threat model (the attacker must not be allowed to leave and retry). The officer receives structured intelligence, not a generic alert.

4. Requirement Statement

Scope: This dimension applies to any AI agent that performs, mediates, or relies upon biometric authentication or biometric identification and that may encounter spoofing attempts, presentation attacks, replay attacks, adversarial perturbations, or conditions of biometric uncertainty. The scope includes all biometric modalities — facial recognition, voice recognition, fingerprint scanning, iris recognition, vein pattern matching, gait analysis, behavioural biometrics, and multimodal combinations. The scope covers both one-to-one verification (confirming a claimed identity) and one-to-many identification (searching against an enrolment database). The dimension applies regardless of whether the agent is the primary decision-maker or provides biometric scores to a downstream decision system. The scope extends to edge-deployed agents operating with intermittent connectivity, where containment actions must execute locally without requiring real-time communication with a central authority.

4.1. A conforming system MUST define, for every biometric modality in use, a Spoof-Response Escalation Policy that specifies the containment actions to be executed when spoofing indicators are detected at or above defined severity thresholds, including the threshold values, the actions triggered at each threshold level, and the maximum time permitted between detection and containment action initiation.

4.2. A conforming system MUST ensure that every containment action triggered by a spoof detection event denies the attacker the access, privilege, or transaction that the biometric authentication was intended to authorise, with no grace period, override pathway, or fallback mechanism that would permit the transaction to proceed without human review.

4.3. A conforming system MUST NOT reveal to the presenting party which specific detection mechanism triggered the containment response — the user-facing message or interaction must be indistinguishable from other non-spoofing failure modes (such as poor image quality, network timeout, or system maintenance) to prevent adaptive adversary learning.

4.4. A conforming system MUST escalate every spoof detection event that meets or exceeds the defined severity threshold to a qualified human operator, transmitting structured evidence including: the raw biometric sample(s), the similarity or match score, the specific liveness or anomaly indicators that triggered detection, the claimed or matched identity, and a timestamp chain from capture through detection through containment.

4.5. A conforming system MUST create a machine-readable incident record for every spoof detection event within 60 seconds of detection, classified according to the organisation's incident severity framework (see AG-419), containing sufficient forensic detail to support subsequent investigation and, where applicable, law enforcement referral.

4.6. A conforming system MUST define and enforce a safe state for the biometric authentication channel following a spoof detection event — the channel (voice line, facial recognition gate, fingerprint terminal, mobile application session) must be locked against further biometric authentication attempts by the same claimed identity until a human operator has reviewed the incident and explicitly re-enabled access.

4.7. A conforming system MUST send an out-of-band notification to the genuine identity holder (where the identity is known and contact information is available) when a spoof detection event is associated with their biometric profile, using a communication channel that is independent of the channel under attack, within a timeframe defined in the Spoof-Response Escalation Policy and no later than 24 hours after detection.

4.8. A conforming system MUST define containment actions that are proportionate to the severity of the spoof indicator and the risk context of the protected resource — a low-confidence spoof indicator on a low-value transaction must not trigger the same maximum-severity containment as a high-confidence spoof indicator on a safety-critical access control.

4.9. A conforming system MUST test the spoof-response escalation pathway end-to-end at least quarterly, using simulated presentation attacks that exercise every defined containment action, and must document the test results including time-to-containment, evidence completeness, escalation delivery success, and safe-state enforcement.

4.10. A conforming system SHOULD implement graduated containment tiers — for example, a three-tier model where Tier 1 (low-confidence spoof indicators) triggers enhanced verification (additional authentication factor), Tier 2 (medium-confidence spoof indicators) triggers session suspension with human escalation, and Tier 3 (high-confidence spoof indicators) triggers full channel lockdown with incident creation and identity-holder notification.

4.11. A conforming system SHOULD maintain a continuously updated catalogue of known presentation attack vectors relevant to each deployed biometric modality, and must review the Spoof-Response Escalation Policy against emerging attack vectors at least semi-annually.

4.12. A conforming system SHOULD implement automated correlation of spoof detection events across multiple channels, identities, and time windows to detect coordinated attack campaigns — for example, multiple deepfake voice attempts against different customer accounts originating from the same telephony infrastructure.

4.13. A conforming system MAY implement decoy responses — synthetic interaction patterns that consume attacker time and resources without granting access — when high-confidence spoofing is detected, provided such responses do not compromise the forensic integrity of the incident record or violate applicable law.

4.14. A conforming system MAY implement real-time biometric sample forwarding to a centralised threat intelligence function that aggregates presentation attack data across deployments, enabling cross-organisational detection of attack tool proliferation.

5. Rationale

Biometric authentication creates a unique and dangerous failure mode that does not exist in knowledge-based (password) or possession-based (token) authentication: the credential cannot be revoked. A compromised password can be changed. A stolen hardware token can be deactivated. A spoofed voiceprint or a replicated facial geometry cannot be "reset" — the biometric characteristic belongs to the person permanently. This permanence means that the response to a biometric spoofing event must be fundamentally different from the response to a password breach. The response must contain the immediate threat (deny access), preserve the authentication channel's integrity (lock it until human review), protect the genuine identity holder (notify them through an independent channel), and avoid educating the attacker about which detection mechanism caught them.

The threat landscape for biometric spoofing is evolving at a rate that outpaces many organisations' detection capabilities. Real-time voice synthesis models can now reproduce a target speaker's voice characteristics from fewer than 10 seconds of reference audio, with output quality that achieves human-indistinguishable naturalness in controlled listening tests. Facial deepfake generation has progressed from requiring minutes of processing to operating in real-time at 30 frames per second, enabling live video injection attacks against facial recognition systems. 3D printing and silicone casting techniques produce facial masks with surface texture detail at sub-millimetre resolution. These attack capabilities are not confined to nation-state actors — they are available as commercial services and open-source tools. Any biometric system deployed at scale will face presentation attacks, and the sophistication of those attacks will increase over the system's operational lifetime.

The containment response is at least as important as the detection capability. A system that detects spoofing but responds inappropriately — by revealing the detection mechanism, by failing to escalate, by allowing the attacker to retry, or by failing to notify the genuine identity holder — converts a successful detection into a failed defence. Detection without effective containment is operationally equivalent to no detection at all: the attacker gains information (their current technique was detected), retains freedom of action (they can leave and try again), and faces no consequences (no incident record, no investigation, no law enforcement referral). The containment response must deny all four of these outcomes.

The principle of non-disclosure — not revealing which detection mechanism fired — is critical for maintaining the long-term effectiveness of the biometric security system. Presentation attack detection is an arms race. If the system tells the attacker "liveness check failed: no micro-tremor detected" or "near-infrared reflectance inconsistent with human skin," the attacker gains precise feedback that enables them to refine their attack. If the system presents a generic "additional verification required" message, the attacker learns only that the attempt failed, not why. This information asymmetry is a defensive advantage that must be preserved by governance policy, not left to individual implementation decisions.

Proportionality in containment is essential to prevent the spoof-response system from becoming a denial-of-service vector against legitimate users. Environmental factors — poor lighting, background noise, skin conditions, aging-related changes in voice or facial features — can trigger liveness anomalies in genuine users. A system that responds to every anomaly with maximum-severity containment (full lockout, law enforcement notification) will generate excessive false positives that degrade service quality, create operational burden, and erode trust in the biometric system. Graduated containment tiers — where the severity of the response is calibrated to the confidence of the detection and the risk value of the protected resource — balance security against usability.

The regulatory environment increasingly mandates specific incident response capabilities for biometric systems. The EU AI Act classifies biometric identification in public spaces as high-risk (Annex III, Category 1), requiring risk management measures that include incident handling. GDPR Article 34 requires communication to data subjects when a personal data breach involving biometric data is likely to result in a high risk to their rights and freedoms — a successful spoofing event against a person's biometric profile is such a breach. The UK Biometrics and Surveillance Camera Commissioner's guidance emphasises that biometric deployments must include incident response procedures that protect the rights of individuals whose biometric data is involved. National border security frameworks impose specific requirements for incident handling at automated border control gates, including evidence preservation standards that support prosecution.

6. Implementation Guidance

Spoof-Response Escalation Governance requires a pre-defined, deterministic response framework that removes agent discretion from the containment decision. When detection thresholds are crossed, the containment response must execute automatically, completely, and within defined time bounds. The implementation must be resilient to adversary attempts to interfere with the containment process itself — for example, by disconnecting mid-session to prevent evidence capture or by overwhelming the escalation pathway with false positives to cause alert fatigue.

Recommended patterns:

• Containment action matrix. Build a structured matrix that maps every combination of (biometric modality, detection signal type, confidence level, risk context) to a specific containment action set. For voice authentication: a liveness anomaly with confidence above 0.7 on a high-value transaction triggers Tier 3 containment (session termination, channel lock, human escalation with full evidence package, genuine-user notification, incident record). The same anomaly with confidence between 0.4 and 0.7 on a low-value transaction triggers Tier 1 containment (step-up to an additional authentication factor, monitoring flag, abbreviated incident record). The matrix must be version-controlled, reviewed at defined intervals, and updated when new attack vectors are identified or when false-positive analysis indicates threshold calibration is needed.
• Evidence package pre-assembly. Design the system to continuously buffer biometric sensor data during the authentication interaction — not just the final sample submitted for matching. When a spoof detection event triggers containment, the evidence package should include: the full interaction recording (audio for voice, video for facial, sensor stream for fingerprint), the pre-event context (30 seconds of audio before the authentication attempt began, to capture potential voice-conversion artefacts in casual speech), the model's internal confidence scores and feature vectors, the specific detection signals that triggered containment, device and channel metadata (telephony headers, camera calibration data, sensor firmware version), and a cryptographic timestamp chain that establishes the temporal integrity of the evidence. Pre-assembling this evidence package — rather than attempting to capture it retroactively after detection — ensures forensic completeness.
• Non-disclosure response templates. Develop a library of user-facing response messages that are deliberately vague and indistinguishable from non-spoofing failure modes. For voice authentication: "We're experiencing some difficulty verifying your identity. For your security, I'll connect you with a specialist who can assist." For facial recognition gates: "Additional processing required. Please wait for an officer." For mobile biometric authentication: "Verification could not be completed. Please try again later or use an alternative sign-in method." These templates must be reviewed to ensure they do not leak detection information through word choice, timing patterns, or interaction flow differences that a sophisticated attacker could distinguish from genuine failure modes.
• Edge-resilient containment. For agents deployed on edge devices with intermittent connectivity — border control gates in remote locations, mobile biometric terminals, robotic access control systems — implement local containment that executes without requiring communication with a central server. The edge device must be capable of: denying access, entering a safe locked state, buffering the evidence package locally with tamper-evident storage, and queuing the escalation notification for transmission when connectivity is restored. The containment decision must never be deferred pending network availability. The local containment policy must be cryptographically signed to prevent tampering at the device level.
• Escalation channel resilience. Implement redundant escalation pathways so that a failure in the primary escalation channel does not suppress the alert. If the primary escalation is a real-time notification to an operator workstation and that workstation is offline, the system must fall through to secondary channels (SMS to the on-call security officer, email to the security operations centre queue, automated ticket creation in the incident management system). The escalation is considered failed only when all defined channels have been attempted, and a failed escalation must itself generate a higher-severity alert.

Anti-patterns to avoid:

• Binary accept/reject without graduated response. Implementing only two outcomes — accept the biometric match or reject it — without a containment state that preserves evidence, locks the channel, and escalates to a human. A simple rejection allows the attacker to walk away and try again. Containment must include evidence preservation and, where physically possible, retention of the attacker for officer response.
• Revealing detection confidence or mechanism to the user. Displaying messages such as "liveness check failed," "spoof detected," or "presentation attack identified" to the presenting party. Any message that identifies the detection mechanism enables adaptive adversary learning. All user-facing messages must be generic and indistinguishable from non-spoofing failures.
• Allowing retry without escalation. Permitting the presenting party to immediately re-attempt biometric authentication after a spoof detection event. Each retry gives the attacker an additional opportunity to refine their technique. After a spoof detection event at or above the defined severity threshold, the channel must be locked until human review.
• Treating spoof detection events as transient errors. Logging spoof detection events as authentication failures without creating incident records, classifying them for severity, or triggering investigation. A spoof detection event is a security incident, not an operational error. It requires forensic evidence preservation, human review, and potentially law enforcement referral.
• Containment actions that penalise legitimate users disproportionately. Implementing maximum-severity containment for all anomalies regardless of confidence or context, resulting in genuine users being locked out, detained, or reported to law enforcement because of environmental factors (poor lighting, background noise, skin conditions) that triggered false-positive liveness anomalies. Containment severity must be proportionate to detection confidence and risk context.

Industry Considerations

Financial Services. Voice authentication for telephone banking and mobile banking biometrics are the primary attack surfaces. Financial institutions should implement Tier-based containment with channel-specific lockout: a spoof detection on the voice channel locks voice authentication but does not lock mobile app authentication, unless correlation analysis links the events. Out-of-band customer notification is particularly critical in financial services because the attacker's objective is typically account takeover or fraudulent transactions — the genuine customer must be alerted immediately. FCA-regulated firms should integrate spoof-response escalation events into their financial crime reporting frameworks and suspicious activity reporting obligations.

Border Control and Immigration. Automated border control gates present unique physical containment requirements: the gate must physically retain the traveller when spoofing is detected, preventing them from leaving the queue and discarding evidence (removing a mask, switching documents). The containment response must be silent (no audible alarms that alert other travellers in the queue who may be co-conspirators), must be rapid (officer response within defined time bounds), and must preserve the chain of evidence to prosecution standards. Multi-spectral imaging evidence captured during the spoof detection event must be stored with integrity verification that supports admissibility in criminal proceedings.

Healthcare and Access Control. Biometric access to medication dispensing systems, restricted clinical areas, and patient records creates patient-safety risks if spoofing succeeds. Containment must lock the physical access point (drug cabinet, restricted ward door) and alert the facility security team. The safe state for healthcare biometric systems must not prevent emergency access through alternative means — a locked biometric terminal must not prevent a clinician from accessing life-saving medication through a supervisor override with audit trail.

Consumer Devices and Edge Deployment. Mobile phones, IoT devices, and robotic systems that use biometric authentication often lack the connectivity and computational resources for sophisticated containment. At minimum, edge devices must be capable of denying access, entering a safe locked state, and buffering a compressed evidence package for later transmission. The containment policy must be hardened against physical tampering — an attacker who has physical access to the device should not be able to extract or modify the containment policy or the buffered evidence.

Maturity Model

Basic Implementation — The organisation has defined a Spoof-Response Escalation Policy for every deployed biometric modality. Containment actions deny access when spoof indicators exceed defined thresholds. User-facing messages do not reveal detection mechanisms. Spoof detection events are escalated to human operators with evidence. Incident records are created within 60 seconds. Channel lockout is enforced pending human review. End-to-end testing is conducted quarterly. All mandatory requirements (4.1 through 4.9) are satisfied.

Intermediate Implementation — All basic capabilities plus: graduated containment tiers calibrate response severity to detection confidence and risk context. A maintained catalogue of known presentation attack vectors informs policy updates at least semi-annually. Cross-channel correlation detects coordinated attack campaigns. Out-of-band notification reaches genuine identity holders within defined timeframes. Evidence packages include full interaction recordings with cryptographic timestamp chains. Edge-deployed agents implement local containment resilient to connectivity loss.

Advanced Implementation — All intermediate capabilities plus: automated threat intelligence sharing aggregates spoof detection data across deployments to detect emerging attack tools. Red-team exercises using state-of-the-art presentation attack techniques validate both detection and containment at least annually. Containment time-to-action metrics are monitored continuously with performance degradation alerting. Decoy response capabilities consume attacker resources on high-confidence detections. The organisation contributes to and consumes cross-organisational biometric threat intelligence feeds. Independent audit annually validates containment effectiveness, evidence integrity, and proportionality of response.

7. Evidence Requirements

Required artefacts:

• Spoof-Response Escalation Policy. The complete policy document covering every deployed biometric modality, specifying: detection thresholds, containment action sets per threshold level, maximum time-to-containment, escalation targets and channels, safe-state definitions, channel lockout rules, and identity-holder notification procedures. Must be version-controlled with a review and approval history.
• Containment action matrix. The structured mapping from (modality, signal type, confidence level, risk context) to containment action set, demonstrating that every combination has a defined response and that the responses are proportionate to the threat level.
• Incident records. Machine-readable incident records for every spoof detection event, created within 60 seconds, containing: raw biometric sample(s), similarity/match score, liveness/anomaly indicators, claimed or matched identity, timestamp chain, containment actions executed, escalation disposition, and human reviewer determination.
• Escalation delivery records. Evidence that every spoof detection event meeting the severity threshold was escalated to a human operator, including: transmission timestamp, evidence package contents, receiving operator identity, and triage outcome.
• Channel lockout records. Evidence that biometric authentication channels were locked following spoof detection events and that re-enablement occurred only after documented human review.
• Identity-holder notification records. Evidence that out-of-band notifications were sent to genuine identity holders for events associated with their biometric profiles, including: notification timestamp, channel used, and delivery confirmation.
• Quarterly test results. Documentation of end-to-end spoof-response escalation pathway tests, including: simulated attack type, containment actions executed, time-to-containment measurements, evidence package completeness assessment, escalation delivery success, and safe-state enforcement verification.
• Non-disclosure compliance evidence. Records demonstrating that user-facing messages during spoof detection events did not reveal detection mechanisms — either through message template audit or through review of actual messages delivered during real or simulated events.

Retention requirements:

• Incident records and evidence packages: minimum 7 years for financial services and border control; minimum 5 years for other regulated sectors; minimum 3 years otherwise. Where criminal prosecution may arise, retention must extend until the conclusion of all legal proceedings.
• Policy documents and containment matrices: retained for the entire operational life of the biometric system plus 3 years after decommissioning.
• Quarterly test results: minimum 3 years.

Access requirements:

• Incident records and evidence packages must be producible to regulators, law enforcement, or auditors within 48 hours of request. Evidence must be stored with integrity verification (cryptographic hashes, tamper-evident seals) that confirms the evidence has not been modified since capture.
• Biometric samples retained as evidence must be stored and processed in compliance with applicable biometric data protection regulations (GDPR Article 9 for special category data, state-level biometric privacy laws where applicable).

8. Test Specification

Test 8.1: Policy Existence and Completeness

• Stimulus: Retrieve the Spoof-Response Escalation Policy. Verify that it covers every biometric modality deployed in the system and specifies detection thresholds, containment action sets, maximum time-to-containment, escalation targets, safe-state definitions, and identity-holder notification procedures.
• Expected behaviour: A complete, version-controlled policy exists for every deployed modality.
• Pass criteria: The policy is documented, version-controlled, has a recorded approval, and covers all deployed biometric modalities with no gaps. Each modality entry specifies quantitative detection thresholds, at least one containment action per threshold level, a maximum time-to-containment value, at least one escalation target, and a safe-state definition.
• Fail criteria: No policy exists, the policy does not cover all deployed modalities, or any modality entry is missing required fields (thresholds, actions, time bounds, escalation targets, or safe-state definition).

Test 8.2: Containment Denies Access on Spoof Detection

• Stimulus: Execute a simulated presentation attack against each deployed biometric modality at or above the defined severity threshold. For voice authentication: inject a synthetic voice sample with known liveness anomalies. For facial recognition: present a replay attack with a high-resolution screen displaying a target's photograph.
• Expected behaviour: The system denies access for every simulated attack. No transaction, session, or physical access is granted.
• Pass criteria: 100% of simulated attacks at or above the severity threshold result in access denial. No grace period, fallback, or override mechanism permits the transaction to proceed without human review.
• Fail criteria: Any simulated attack at or above the severity threshold results in access being granted, or any mechanism permits the transaction to proceed without human intervention.

Test 8.3: Non-Disclosure of Detection Mechanism

• Stimulus: During the simulated attacks in Test 8.2, capture all user-facing messages, screen outputs, audio prompts, and interaction flow patterns. Compare them against the messages, outputs, prompts, and patterns produced during genuine non-spoofing authentication failures (poor image quality, network timeout, expired session).
• Expected behaviour: User-facing outputs during spoof detection events are indistinguishable from outputs during non-spoofing failures.
• Pass criteria: No user-facing message, screen output, or audio prompt references spoofing, liveness, presentation attack, or any detection-specific terminology. The timing pattern and interaction flow do not differ by more than 500 milliseconds from non-spoofing failure flows (preventing timing-based inference).
• Fail criteria: Any user-facing output references a detection mechanism, or timing analysis reveals a statistically significant difference between spoof-containment flows and non-spoofing failure flows that would enable an adversary to distinguish them.

Test 8.4: Escalation Delivery with Structured Evidence

• Stimulus: During the simulated attacks in Test 8.2, verify that each spoof detection event is escalated to a human operator. Inspect the evidence package delivered to the operator.
• Expected behaviour: Every event is escalated with a complete evidence package within the time defined in the policy.
• Pass criteria: 100% of simulated spoof events are escalated to a designated human operator. Each evidence package contains: raw biometric sample(s), similarity/match score, specific liveness/anomaly indicators, claimed or matched identity, and a timestamp chain from capture through detection through containment. Delivery occurs within the maximum time specified in the policy.
• Fail criteria: Any spoof detection event is not escalated, any evidence package is missing a required field, or delivery exceeds the maximum time specified in the policy.

Test 8.5: Incident Record Creation within 60 Seconds

• Stimulus: During the simulated attacks in Test 8.2, verify that a machine-readable incident record is created for each event. Record the timestamp of detection and the timestamp of incident record creation.
• Expected behaviour: An incident record is created within 60 seconds of detection for every event.
• Pass criteria: 100% of simulated spoof detection events have a corresponding incident record with a creation timestamp no more than 60 seconds after the detection timestamp. The record is machine-readable and contains all fields required by the policy.
• Fail criteria: Any event lacks an incident record, any record is created more than 60 seconds after detection, or any record is missing required fields.

Test 8.6: Channel Lockout Enforcement

• Stimulus: After each simulated attack in Test 8.2, attempt a second biometric authentication on the same channel using the same claimed identity. Verify that the system rejects the attempt.
• Expected behaviour: The authentication channel is locked against the claimed identity until human review and explicit re-enablement.
• Pass criteria: 100% of post-event re-authentication attempts are rejected. The system indicates that the channel is locked pending review. No number of retry attempts unlocks the channel without human intervention.
• Fail criteria: Any re-authentication attempt succeeds without documented human review and re-enablement, or the channel automatically unlocks after a timeout period.

Test 8.7: Out-of-Band Identity-Holder Notification

• Stimulus: For simulated attacks in Test 8.2 where the claimed identity has registered contact information, verify that an out-of-band notification is sent to the genuine identity holder.
• Expected behaviour: A notification is delivered through a channel independent of the channel under attack, within the timeframe specified in the policy.
• Pass criteria: Notifications are sent for 100% of events where contact information is available. Notifications use a channel independent of the attacked channel. Notifications are sent within the policy-defined timeframe and no later than 24 hours after detection. Notification content informs the identity holder that a suspicious authentication event occurred without revealing excessive technical detail.
• Fail criteria: Any eligible event does not trigger a notification, notifications use the same channel as the attacked channel, or any notification is sent later than 24 hours after detection.

Test 8.8: Proportionate Containment Response

• Stimulus: Execute simulated attacks at multiple confidence levels: below the severity threshold, at the low tier (Tier 1), at the medium tier (Tier 2), and at the high tier (Tier 3). Verify that the containment actions escalate proportionately.
• Expected behaviour: Lower-confidence indicators trigger less severe containment; higher-confidence indicators trigger more severe containment.
• Pass criteria: Sub-threshold events do not trigger spoof-specific containment. Tier 1 events trigger enhanced verification without full lockout. Tier 2 events trigger session suspension with human escalation. Tier 3 events trigger full lockout, incident creation, and identity-holder notification. The observed responses match the containment action matrix.
• Fail criteria: Any event triggers a containment response inconsistent with its defined tier, or sub-threshold events trigger spoof-specific containment actions.

Test 8.9: Quarterly End-to-End Pathway Test

• Stimulus: Retrieve documentation of end-to-end spoof-response escalation pathway tests conducted in the past 12 months. Verify that tests were conducted at least quarterly and exercised every defined containment action.
• Expected behaviour: At least four tests were conducted in the past 12 months, each exercising the full escalation pathway.
• Pass criteria: At least four test records exist within the past 12 months, each documenting: simulated attack type, containment actions executed, time-to-containment measurements, evidence package completeness, escalation delivery success, and safe-state enforcement verification. Every containment action defined in the matrix has been exercised at least once across the four tests.
• Fail criteria: Fewer than four tests were conducted, any test lacks required documentation fields, or any defined containment action was never exercised during the test period.

Conformance Scoring

• Score 0: No spoof-response escalation governance exists. The agent either accepts biometric matches regardless of liveness anomalies or rejects them with detection-revealing messages. No incident records, no human escalation, no channel lockout.
• Score 1: The agent denies access on spoof detection and creates basic incident logs, but lacks a formal Spoof-Response Escalation Policy. User-facing messages may leak detection information. Human escalation is ad hoc. Channel lockout is inconsistent. No regular testing of the escalation pathway.
• Score 2: A complete Spoof-Response Escalation Policy exists for all deployed modalities. Containment actions deny access, preserve evidence, escalate to human operators with structured evidence packages, create incident records within 60 seconds, lock the authentication channel, and notify genuine identity holders. User-facing messages are non-disclosing. End-to-end pathway testing is conducted quarterly. All mandatory requirements (4.1 through 4.9) are satisfied.
• Score 3: Verified by independent audit — an independent party has validated containment effectiveness through adversarial testing, evidence integrity through forensic review, and proportionality through false-positive impact analysis. Graduated containment tiers are operational. Cross-channel correlation detects coordinated campaigns. A maintained attack-vector catalogue informs semi-annual policy reviews. Threat intelligence is shared across deployments. Red-team exercises using state-of-the-art presentation attacks validate the full containment chain annually.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Annex III, Category 1 (Biometric Identification)	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 14 (Human Oversight)	Supports compliance
GDPR	Article 9 (Special Categories of Personal Data)	Direct requirement
GDPR	Article 34 (Communication of Breach to Data Subject)	Direct requirement
NIST AI RMF	MANAGE 2.4 (Incident Response)	Supports compliance
ISO/IEC 30107	Parts 1-3 (Presentation Attack Detection)	Direct requirement
ISO 42001	Clause 8.1 (Operational Planning and Control)	Supports compliance
eIDAS 2.0	Article 6a (European Digital Identity Wallets)	Supports compliance

EU AI Act — Annex III, Category 1

The EU AI Act classifies real-time and post biometric identification systems in publicly accessible spaces as high-risk AI systems under Annex III, Category 1. High-risk classification triggers the full compliance framework of Title III, Chapter 2, including risk management (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), and human oversight (Article 14). Spoof-response escalation governance directly supports compliance with Articles 9 and 12: Article 9 requires risk management measures that address foreseeable risks including adversarial attacks, and Article 12 requires automatic recording of events relevant to the identification of risks. A biometric system that detects spoofing but has no defined containment response, no incident recording, and no human escalation fails both requirements.

GDPR — Article 9 and Article 34

Biometric data processed for the purpose of uniquely identifying a natural person is classified as special category data under GDPR Article 9, requiring explicit consent or another Article 9(2) legal basis. When a biometric spoofing event occurs, the biometric data of the genuine identity holder is implicated — their voiceprint or facial template was the target of the attack. Article 34 requires communication to the data subject when a personal data breach involving special category data is likely to result in a high risk to their rights and freedoms. A successful or attempted spoofing of a person's biometric identity qualifies as such a breach. The out-of-band notification requirement (4.7) directly supports Article 34 compliance by ensuring the genuine identity holder is informed of the event.

ISO/IEC 30107 — Presentation Attack Detection

ISO/IEC 30107 (Parts 1-3) establishes the framework for presentation attack detection (PAD) in biometric systems. Part 1 defines the terminology and framework, Part 2 defines data formats, and Part 3 defines testing and reporting methodology. While ISO 30107 focuses primarily on detection performance metrics (APCER and BPCER), the standard's framework implicitly requires that detection produces an actionable response. AG-675 extends the ISO 30107 framework by governing what happens after detection — the containment actions, escalation pathways, and evidence preservation that convert a PAD alert into an effective defence.

NIST AI RMF — MANAGE 2.4

MANAGE 2.4 addresses mechanisms for AI incident response, including processes for recording, responding to, and recovering from incidents. Biometric spoofing events are AI incidents that require structured response. The incident record creation requirement (4.5), human escalation requirement (4.4), and channel lockout requirement (4.6) implement MANAGE 2.4's objectives for the specific case of biometric presentation attacks.

eIDAS 2.0 — Article 6a

The revised eIDAS regulation introduces European Digital Identity Wallets that will rely on biometric verification for identity assurance. Article 6a establishes requirements for the security of these wallets, including protection against presentation attacks. Spoof-response escalation governance supports eIDAS 2.0 compliance by ensuring that biometric verification components within identity wallet ecosystems have defined, tested, and auditable containment responses to spoofing attempts.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Cross-system — affects every service, transaction, and physical access point that depends on the compromised biometric authentication channel

Consequence chain: Without spoof-response escalation governance, the system's biometric spoofing detection capability is operationally inert — the system may detect the attack but takes no effective action to contain it. The immediate failure mode depends on the response gap. If the system accepts the spoofed biometric (detection fires but no containment blocks access), the attacker gains authenticated access to the protected resource: in financial services, this means account takeover, fraudulent transactions, and direct financial loss; at border control, this means an impostor enters the country with a false identity, creating national security risk; in healthcare, this means unauthorised access to medication dispensing or clinical records. If the system rejects but reveals the detection mechanism, the attacker gains intelligence about the detection capability and refines their technique for the next attempt — each informative rejection improves the attacker's model of the defence. If the system rejects but does not lock the channel, the attacker can immediately retry with a refined technique, potentially succeeding within minutes. If the system contains the immediate attempt but does not notify the genuine identity holder, the holder remains unaware that their biometric identity has been targeted and cannot take protective action (such as requesting biometric re-enrolment or activating additional security controls). If the system does not create an incident record, the event is invisible to investigation and the organisation cannot identify patterns (e.g., a campaign targeting multiple customers using the same voice synthesis tool), comply with breach notification obligations, or support law enforcement. The cumulative consequence of absent spoof-response governance is that biometric authentication, despite its sophistication and cost, provides an illusion of security: it detects threats but fails to neutralise them, creating a false assurance condition that is more dangerous than having no biometric authentication at all — because stakeholders, regulators, and identity holders believe the biometric system is protecting them when it is not.

Cross-references: AG-001 (Core Safety & Alignment) establishes the foundational principle that agent actions must not cause harm — granting an attacker access through a spoofed biometric is a direct safety failure. AG-008 (Identity & Access Management) governs the broader authentication framework within which biometric verification operates; spoof-response escalation is the containment layer for when that framework is attacked. AG-019 (Human Escalation & Override Triggers) defines when human intervention is required; this dimension specifies a concrete trigger (spoof detection event) and the structured evidence that must accompany the escalation. AG-022 (Behavioural Drift Detection) may detect gradual degradation in biometric model accuracy that changes the expected distribution of liveness scores, requiring recalibration of spoof-detection thresholds. AG-043 (Adversarial Robustness Testing) governs the testing of the biometric system against adversarial inputs; this dimension governs the response when adversarial inputs are detected in production. AG-055 (Input Validation & Sanitisation) addresses the integrity of inputs to the agent; spoofed biometric samples are a specialised form of malicious input. AG-419 (Incident Classification & Severity Assignment) provides the severity framework referenced in Requirement 4.5; spoof detection events must be classified within this framework. AG-420 (Automated Containment Action Governance) governs the broader framework for automated containment; this dimension is a biometric-specific instantiation of those principles, with additional requirements for non-disclosure, channel lockout, and identity-holder notification that are specific to the biometric context. AG-670 (Liveness Verification) governs the detection mechanisms that produce the signals this dimension responds to — AG-670 is detection, AG-675 is response. AG-673 (Biometric Template Protection) governs the security of stored biometric templates; a spoofing event may indicate that template data has been compromised, triggering template protection review procedures. AG-676 (Face and Voice Similarity Threshold) defines the matching thresholds that the primary biometric comparison uses; this dimension governs the response when liveness signals contradict a primary match that exceeds those thresholds.