“This Whisper Report address the question regarding the best practices for integrating AI and ML into our security Systems. It highlights how leaders emphasize protecting PII, using selective data movement, optimizing hardware, choosing the right models, and knowing when AI should not be applied. Insights come from LVT’s Steve Lindsey, Safr’s John Cassise, 360 Privacy’s Trinity Davis, Intel’s Mike Nielsen, RightCrowd’s Jason Bohrer, Bioconnect’s Edsel Shreve, Vaidio’s Marshall Tyler, and Databuoy’s Kathleen Griggs. “
Cyber-physical security, like healthcare tech, must carefully manage PII. Experts highlight privacy-preserving biometrics, user-controlled consent, and anonymous face matching. Regulatory compliance, such as GDPR, drives standardization and innovation. As laws vary by region, adaptable and consistent global system architectures are essential for scalable, secure, and compliant operations.
Target Audience Titles:
Chief Technology Officer, Chief Security Officer, Chief Information and Security Officer, Chief Trust Officer, Chief Compliance Officer, Chief Risk Officer
Head of Product, VP of Product, Chief Marking Officer, Data Protection Officer,
Enterprise Architect, Director of Data Protection, Director of Data Governance, Chief Privacy Officer
Key Takeaways
Privacy-first design: Cyber-physical systems must protect PII using encrypted biometrics, local storage, and user-controlled consent mechanisms.
Anonymity matters: Face matching enables identity verification without revealing personal data, preserving user anonymity.
Compliance drives innovation: Regulations like GDPR standardize data practices and encourage secure, privacy-focused system development.
Global consistency is key: Scalable, compliant operations require adaptable, non-proprietary architectures across diverse regions and regulatory environments.
We took the most frequently asked and most urgent technology questions straight to the cyber physical security experts gathering at ISC West 2025. This Whisper Report addresses the question regarding how can we ensure compliance with new and evolving cyber physical security regulations? We will know explore the four signs you are on the correct path as depicted in Figure 1.
Data Privacy
One very interesting aspect of the cyber physical security space that reminds of healthcare tech is the handling of PII or personally identifiable information data. As Safr’s John Cassie shared, in the cyber physical space it, “has a lot to do with what we talked about as far as PII and how we manage data.” Or as LVT’s Steve Lindsey observed, “what we call private or data of sovereignty .. from a data security perspective the technology and the architectures of how these systems are built really have to be in place to address that the PII information really comes down to our use of AI.”
Fortunately, the regulations for privacy include related standards for vendors. As Intel’s RealSense’s Mike Nielsen noted, “I have been very excited about the Privacy preservation of biometric data is really possible now so I can get a template of a human being from their face that can be stored and encrypted it can be handed back to me so in my pocket.”
Managing user consent is a must to achieve privacy in the cyber physical space. Bioconnect’s Edsel Shreve argued, “in privacy where more and more controls going in the user’s hand to say yes I am allowing you to use my biometric. If I ever want to revoke that consent I need proof that you deleted my data and that it’s no longer being used.” He further explained, “we build in to both a upfront gather consent with an audit trail that says okay the user provided consent we didn’t just check a box and say yeah.” Furthermore, the solution must realize the full lifecycle of permission. Edsel Shreve further explained, “you can just do regular maintenance and go in and say who hasn’t authenticated in 6 months what are we going to do with that data right do we want to delete the template or just alert the person or alert an administrator.”
Anonymity has to do with the lack of the ability to identify the person. As LVT’s Steve Lindsey commented, “there’s a difference between facial recognition and face matching right.” Facial recognition includes identification while facial matching allows the face to remain anonymous. A great example was revealed by Intel’s RealSense’s Mike Nielsen.
“I’ve actually got a version of my this QR code is my face template. From this is 512 bytes it’s a it’s just a simple Vector map that looks at 80 points on my face but it’s mine. This isn’t siting in a database somewhere. This isn’t living on somebody’s server. This is physically in my pocket as a badge. I can then apply that (badge) by walking up to one of our devices – one of our cameras have the scan. It pulls in that QR code, evaluates what that template looks like. Then I look at the camera it pulls the template from my actual face and compares the two. The cool thing about the techniques that is it’s privacy preserving by definition it never leaves the device it can be dissolved immediately and you never have to send a picture or any personally identifiable info anywhere outside of me scanning my badge. Then the device makes sure I can unlock that door.”
Thus, this example achieves privacy and anonymity.
When it comes to cybersecurity and data governance – there are the things you want to do as an organization based on your public commitments such as your privacy statements. Then, there are requirements which are legal requirements sometimes coming from a location and sometimes defined based on your industry referred to as regulatory compliance. As LVT’s Steve Lindsey put it, “we think about the problem in the context of the of the compliance and Regulatory things that we have to have as we’re designing and building this stuff from the beginning.” Furthermore, since we are dealing with cyber physical security,
The best part about regulatory compliance according to Intel RealSense’s Mike Nielsen is, “they’re really well defined at least in the case of like GDPR so GDPR has very strange requirements on how to use PII but specifically how to use sensitive PII like biometric information one of the things that we’ve seen help move the industry forward ironically is having the regulation in place allows people to have a Level Playing Field.” That means that vendors will not be penalized for taking the more difficult road by protecting the customer as all must take equal precautions. Gary Chen of EverFocus noted, “to ensure that we have keep our regulations up to date, we need to keep advancing our technology and mostly from our end installers that will be the key .. also keep good connection with your customer.”
Requirements evolve by location as every product vendor will realize. “One of the things that’s occurring is that whether it’s in Europe or in each state coming up with new requirements for both security of data and compliance.” Edsel Shreve, Bioconnect. When faced with this challenge, it is always best to step back and see how to adjust the architecture to accommodate this capability as a configurable option vs to create a product branch. Today’s regulations in location A become tomorrow’s regulation in location Z. One can then configure at the system level as regulations evolve in different locations.
Finally, it is important to keep in mind the architecture must accommodate the cyber physical security space. who has “from an access control standpoint is not only managing who has access in and out of the mine but also incorporating some functionality around safety who’s completed what safety classes and if they haven’t completed the proper classes then we have the ability to manage access control based on what needs to happen.” Cyber physical security includes the physical safety of the employees themselves and all that goes into ensuring safety compliance regulations are met – in each location.
The complexity of cyber physical security is magnified in organizations the wider the physical disparity across country and continental boundaries. As one might expect, different vendors have different footprints across the globe. For smooth global operations one generally recommends standardized solutions as opposed to propriety solutions. As Safr’s John Cassie explained, “would be nice if I could just capture that from the existing access control system and not have to do some extra procedure so that’s another element that allows us to have sort of this compliance across my entire security platform. As long as I am not using solutions that are pigeonholing me into proprietary solutions.” There may be slightly better solutions in this aspect or that aspect locally available but those frequently ruin the ability to have global clarity. It is critical to maintain a consistent architecture globally unless you want custom roadmap items for each and every change. If you are anywhere in the lifecycle of trying to realize such as solution, be sure to set up an inquiry plan so that an expert who has been there can provide actionable guidance.
