Zero-Trust at the Physical Edge: Why Data Governance Is a Deployment Prerequisite

Article March 4, 2026

Share this post

Physical AI infrastructure operates inside venues, environments where security failures are not abstract risks but physical realities. A compromised camera system is not a data breach. It is a loss of operational control over a real-world environment.

OZ builds trust into the architecture, not onto it.

Why physical AI needs a different security model#

Cloud security assumes perimeter defense: keep unauthorized users out, encrypt data in transit and at rest, control API access. These are necessary but insufficient for edge infrastructure.

Edge security must answer harder questions:

How do you verify that the software running on a venue device has not been modified?
How do you ensure that a remote operator's override applies only to their authorized scope?
How do you guarantee that raw data from a venue never leaves the physical premises?
How do you maintain system integrity when the device operates disconnected from the cloud?

These are not IT security questions. They are physical operations security questions. The answers are architectural.

Runtime integrity#

Every OZ VI Venue runs a signed runtime:

Secure boot chain: The edge compute node verifies its software stack on boot. Each component (OS, inference engine, control plane, Spatial API) is cryptographically signed and verified against a known-good manifest.

Update verification: Software updates are signed by the build pipeline and verified by the target device before installation. An update that fails verification is rejected. There is no manual override for unsigned code.

Runtime attestation: The running system continuously attests its integrity. If a component is modified after boot (whether by external action or internal fault), the system flags the anomaly and can isolate the affected component.

This is not optional hardening. It is the default runtime behavior. Every venue, every boot, every update.

Override governance#

Human operators can override automated decisions at any time via OZ Studio. But every override operates within explicit governance:

Scope limitation: An override applies only to the operator's authorized scope: specific venues, zones, or functions. An operator authorized for one venue cannot affect another.

Time-bounded: Manual overrides carry a configurable timeout. After the timeout expires, the system reverts to automated control. This prevents "forgotten" manual interventions from persisting indefinitely.

Full audit trail: Every override is logged with:

Operator identity
Timestamp
Reason (required field)
Scope and duration
System state before and after

Accessible audit: The audit trail is available to operations leads, compliance teams, and venue operators. It is retained for a defined period and queryable by any authorized party.

The principle is simple: autonomy is safe because control is explicit. Operators can always intervene. The system always records what happened.

Data sovereignty#

OZ deploys into venues owned by other organizations: stadiums, facilities, campuses. Data governance must be clear, contractual, and architecturally enforced.

The data covenant#

OZ operates under explicit data contracts with every venue operator:

Raw data stays at the venue. Camera feeds, sensor data, and raw telemetry are processed on the venue edge and never transmitted to the cloud. Raw data does not leave the physical premises.

Structured output is governed. The Spatial API delivers entities, events, and trajectories, structured abstractions, not raw video. What flows beyond the venue boundary is defined in the data contract.

OZ derives spatial intelligence under purpose limitation. Aggregated, anonymized operational telemetry (calibration quality, model performance, timing metrics) is used to improve the platform. This derived data carries purpose limitations: it serves system improvement, not commercial resale.

Retention and deletion are explicit. Data retention periods are defined in the venue contract. At contract end or on request, venue-specific data is deleted per the agreed lifecycle.

Why this matters for enterprise procurement#

Enterprise buyers (sports organizations, facility operators, infrastructure companies) run procurement reviews that include data governance. Ambiguity on data ownership kills deals.

OZ eliminates ambiguity:

Clear statement of what the venue owns (raw data, venue-specific outputs)
Clear statement of what OZ derives (anonymized platform telemetry)
Clear deletion and retention lifecycle
No raw data redistribution, ever

This is not a privacy policy. It is a contractual architecture that is enforced by the system, not by policy documents.

Trust boundary architecture#

The OZ trust model operates across four boundaries:

Device identity: Every edge node has a unique, hardware-bound identity. The NOC authenticates devices, not IP addresses. A replaced or cloned device cannot masquerade as an authorized node.

Runtime integrity: As described above: signed boot, verified updates, continuous attestation.

API authorization: Every API call (from the venue to the cloud, from the cloud to the venue, from operators to the system) carries authorization context. Scope, permissions, and rate limits are enforced at the API layer.

Command authorization: Operational commands (overrides, configuration changes, policy updates) require explicit authorization. The system distinguishes between "can view" and "can act"; read access doesn't imply control access.

Trust as infrastructure#

Security is not a feature that gets added after the product works. In physical AI, trust is infrastructure. If operators don't trust the system, they override it constantly, which defeats the purpose of automation. If venue owners don't trust the data governance, they reject deployment, which defeats the purpose of infrastructure.

OZ builds trust into the architecture so that it does not depend on trust in individuals. Signed runtimes, auditable overrides, explicit data covenants, and hardware-bound identities: these are the mechanisms that make managed infrastructure acceptable in real-world venues.

Trust is not earned by promises. It is earned by architecture.

Zero-Trust at the Physical Edge: Why Data Governance Is a Deployment Prerequisite

Article March 4, 2026

Share this post

OZ builds trust into the architecture, not onto it.

Why physical AI needs a different security model#

Cloud security assumes perimeter defense: keep unauthorized users out, encrypt data in transit and at rest, control API access. These are necessary but insufficient for edge infrastructure.

Edge security must answer harder questions:

How do you verify that the software running on a venue device has not been modified?
How do you ensure that a remote operator's override applies only to their authorized scope?
How do you guarantee that raw data from a venue never leaves the physical premises?
How do you maintain system integrity when the device operates disconnected from the cloud?

These are not IT security questions. They are physical operations security questions. The answers are architectural.

Runtime integrity#

Every OZ VI Venue runs a signed runtime:

This is not optional hardening. It is the default runtime behavior. Every venue, every boot, every update.

Override governance#

Human operators can override automated decisions at any time via OZ Studio. But every override operates within explicit governance:

Scope limitation: An override applies only to the operator's authorized scope: specific venues, zones, or functions. An operator authorized for one venue cannot affect another.

Full audit trail: Every override is logged with:

Operator identity
Timestamp
Reason (required field)
Scope and duration
System state before and after

Accessible audit: The audit trail is available to operations leads, compliance teams, and venue operators. It is retained for a defined period and queryable by any authorized party.

The principle is simple: autonomy is safe because control is explicit. Operators can always intervene. The system always records what happened.

Data sovereignty#

OZ deploys into venues owned by other organizations: stadiums, facilities, campuses. Data governance must be clear, contractual, and architecturally enforced.

The data covenant#

OZ operates under explicit data contracts with every venue operator:

Raw data stays at the venue. Camera feeds, sensor data, and raw telemetry are processed on the venue edge and never transmitted to the cloud. Raw data does not leave the physical premises.

Retention and deletion are explicit. Data retention periods are defined in the venue contract. At contract end or on request, venue-specific data is deleted per the agreed lifecycle.

Why this matters for enterprise procurement#

Enterprise buyers (sports organizations, facility operators, infrastructure companies) run procurement reviews that include data governance. Ambiguity on data ownership kills deals.

OZ eliminates ambiguity:

Clear statement of what the venue owns (raw data, venue-specific outputs)
Clear statement of what OZ derives (anonymized platform telemetry)
Clear deletion and retention lifecycle
No raw data redistribution, ever

This is not a privacy policy. It is a contractual architecture that is enforced by the system, not by policy documents.

Trust boundary architecture#

The OZ trust model operates across four boundaries:

Device identity: Every edge node has a unique, hardware-bound identity. The NOC authenticates devices, not IP addresses. A replaced or cloned device cannot masquerade as an authorized node.

Runtime integrity: As described above: signed boot, verified updates, continuous attestation.

Trust as infrastructure#

Trust is not earned by promises. It is earned by architecture.