Implementation and audit guidance for physical security and facility protection.
AIJET principles: A = Awareness, I = Integrity, J = Judgment, E = Ethics, T = Transparency. The Principles column lists the letters that apply to each requirement.

ID | Requirement | Guidance to implement | Guidance to audit | AI threats and mitigation | Principles | KPI |
---|---|---|---|---|---|---|
PHY-01 | Establish a zoning system with defined areas (public, internal, confidential, etc.) based on criticality | Develop a detailed facility zoning plan and integrate it with digital access control systems for real-time monitoring. | Zoning maps, access control configurations, and audit logs. | Facility zoning must consider vulnerabilities to AI-driven facial recognition spoofing and deepfake entry attempts. | I, T | X% of access zones have real-time monitoring and clearly defined security zoning. |
PHY-02 | Secure physical access using individual badges, biometrics or CCTV | Implement multi-factor physical access controls and update badge/biometric systems regularly. | Access logs, biometric enrollment records, and CCTV policy documents. | Use anti-spoofing measures to protect biometric systems from AI-generated fake identities or deepfake impersonations. | I, J, T | X% of high-security areas use multi-factor access and updated systems. |
PHY-03 | Ensure guests are announced in advance per standard protocols | Implement a guest pre-registration system and verify guest identity upon arrival. | Guest registration logs and sign-in records. | Pre-registration and visitor systems must include checks against AI-generated synthetic identities. | J, T | X% of guests are pre-registered and verified on arrival. |
PHY-04 | Retain guest logs for an appropriate period to balance security and privacy | Define retention policies for guest logs per regulatory requirements and archive logs securely. | Archived guest logs with documented retention policies. | Ensure guest logs are protected from manipulation or from misuse in AI model training or data scraping. | A, E, T | Guest logs are retained for X months. |
PHY-05 | Protect guest logs as sensitive documents | Store guest logs in secure, access-controlled systems and encrypt digital records. | Encryption records and access control audit logs. | Explicitly forbid the use of visitor data for unauthorized AI model training or analytics. | A, I, T | X% of guest logs are encrypted and stored in secure systems. |
PHY-06 | Provide distinguishable badges to guests | Issue clearly identifiable guest badges with visible expiration markers; disable them upon exit. | Badge issuance logs and sample guest badge images. | Badge systems should resist duplication by generative AI and incorporate secure authentication measures. | I, T | X% of guests receive identifiable badges that are disabled upon exit. |
PHY-07 | Ensure guests are not left unattended from the entrance to the exit | Implement a guest escort policy and monitor compliance through regular security patrols. | Escort logs and incident reports. | Implement protocols to counter AI-assisted social engineering or deception in guest interactions. | I, J, T | X% of guests are escorted through secure areas from entry to exit. |
PHY-08 | Provide secure storage for employees' sensitive physical assets (e.g. papers) | Install secure lockers or safes in designated areas and restrict access via authentication. | Locker access logs and maintenance records. | Secure storage areas should guard against unauthorized AI-enhanced surveillance or monitoring. | I, T | X% of sensitive physical assets are stored securely with proper authentication. |
PHY-09 | Ensure IT devices provided by the IT department (computers, phones, etc.) are encrypted using state-of-the-art encryption mechanisms | Mandate enterprise-grade encryption for all IT devices and perform periodic audits to verify compliance. | IT department compliance checklist approved by the security team. | Mandate encryption on IT devices to prevent data leaks that could feed unauthorized AI models. | I, J, T | X% of IT devices are encrypted and meet enterprise-grade security standards. |
PHY-10 | Make confidentiality filters available for sensitive information display | Deploy physical privacy screens in areas where sensitive information is displayed; include usage guidelines. | Installation records and employee training feedback. | Confidentiality filters should consider threats from AI-enhanced visual surveillance tools. | A, E, T | X% of areas with sensitive information are equipped with privacy screens. |
PHY-11 | Require a PIN code to release documents printed remotely | Implement a secure print release system that requires a PIN for remote printing and log each transaction. | Print release logs and configuration reports. | Secure print release systems should include safeguards against AI-based interception or fraudulent print requests. | I, T | X% of remote print jobs require PIN authorization and are logged. |
PHY-12 | Ensure shredding machines are used to securely destroy sensitive documents and are maintained | Schedule routine maintenance for shredding equipment and log all document destruction activities. | Maintenance logs and shredder usage records. | Ensure shredding policies account for AI threats that attempt to reconstruct shredded documents. | I, T | X% of sensitive documents are destroyed with shredder maintenance tracked. |
PHY-13 | Deploy and maintain CCTV in sensitive areas | Install CCTV cameras in critical zones, ensure regular maintenance, and review footage retention policies. | CCTV maintenance logs and footage retention policy documents. | Ensure CCTV systems incorporate AI-resistant privacy protections, such as masking sensitive areas from automated surveillance analytics. | E, J, T | X% of sensitive areas are covered by CCTV with up-to-date footage retention. |
PHY-14 | Ensure alerts generated by alarms are monitored | Establish a dedicated monitoring center for real-time alarm response and integrate it with incident management systems. | Alarm log reports and monitoring center records. | Integrate AI anomaly detection systems for more robust real-time monitoring of alarm-triggered events. | I, T | X% of alarm-generated events are monitored in real time by dedicated staff. |
PHY-15 | Retain surveillance logs as required by local regulations | Implement secure log retention systems that meet or exceed regulatory requirements. | Log retention policies and sample exported logs. | Surveillance log systems should protect against unauthorized AI-driven analysis and data scraping activities. | I, T | Surveillance logs are retained for X weeks. |
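The guest-log rows (PHY-03, PHY-04 and PHY-07) each ask the auditor to derive a KPI from sign-in records and to enforce a retention period. The following script is an added example, not part of the original guidance and not any particular organisation's tooling: it computes the PHY-03 and PHY-07 KPIs over a small constructed set of guest visits and applies a PHY-04 retention cut-off. The record layout, the sample visits, the audit date and the 6-month retention value are all assumptions standing in for the "X" in the table.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class GuestVisit:
    """One line of a guest sign-in log (assumed layout, not a standard)."""
    guest_id: str
    visit_date: date
    pre_registered: bool            # PHY-03: announced in advance
    identity_verified: bool         # PHY-03: identity checked on arrival
    escorted_entry_to_exit: bool    # PHY-07: never left unattended


# Assumed retention period; the table leaves it as "X months".
RETENTION_MONTHS = 6

# Assumed date on which the audit is run.
AUDIT_DATE = date(2024, 6, 30)

# Constructed sample log; not real visitor data.
SAMPLE_VISITS: List[GuestVisit] = [
    GuestVisit("G-001", date(2024, 6, 1), True, True, True),
    GuestVisit("G-002", date(2024, 5, 15), True, True, True),
    GuestVisit("G-003", date(2024, 3, 10), True, False, True),
    GuestVisit("G-004", date(2023, 12, 20), False, False, False),
    GuestVisit("G-005", date(2023, 11, 5), True, True, True),
]


def kpi_percent(visits: Iterable[GuestVisit],
                predicate: Callable[[GuestVisit], bool]) -> float:
    """Share of visits satisfying the predicate, rounded to one decimal.
    An empty log yields 0.0 so the KPI cannot be gamed by logging nothing."""
    visits = list(visits)
    if not visits:
        return 0.0
    hits = sum(1 for v in visits if predicate(v))
    return round(100.0 * hits / len(visits), 1)


def pre_registration_kpi(visits: Iterable[GuestVisit]) -> float:
    """PHY-03 KPI: guests both pre-registered and verified on arrival."""
    return kpi_percent(visits, lambda v: v.pre_registered and v.identity_verified)


def escort_kpi(visits: Iterable[GuestVisit]) -> float:
    """PHY-07 KPI: guests escorted from entrance to exit."""
    return kpi_percent(visits, lambda v: v.escorted_entry_to_exit)


def apply_retention(visits: Iterable[GuestVisit], today: date,
                    retention_months: int = RETENTION_MONTHS
                    ) -> Tuple[List[GuestVisit], List[GuestVisit]]:
    """PHY-04: split the log into entries to keep and entries past retention.
    Months are approximated as 30 days; a real policy would pin the exact rule."""
    cutoff = today - timedelta(days=30 * retention_months)
    keep = [v for v in visits if v.visit_date >= cutoff]
    purge = [v for v in visits if v.visit_date < cutoff]
    return keep, purge


if __name__ == "__main__":
    print(f"PHY-03 pre-registered and verified: {pre_registration_kpi(SAMPLE_VISITS)}%")
    print(f"PHY-07 escorted entry to exit:      {escort_kpi(SAMPLE_VISITS)}%")
    kept, purged = apply_retention(SAMPLE_VISITS, AUDIT_DATE)
    print(f"PHY-04 keep {len(kept)} entries, purge {len(purged)} past retention")
```

The purge list is returned rather than deleted in place so the auditor can reconcile it against the archived copies PHY-04 asks for before anything is removed; the same split makes it easy to show that KPIs are computed only over in-retention records.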