That Foot-Traffic Model Becomes Surveillance When the Buyer Changes

Agency Script Editorial

Editorial Team

March 20, 2026 · 12 min read

Tags: dual use ai, ai misuse prevention, ai responsible development, ai use restrictions

An AI agency in San Diego built a sophisticated facial analysis system for a retail client in 2025. The system was designed to analyze foot traffic patterns in stores—counting visitors, measuring dwell time in different sections, and identifying peak hours. The system did not identify individuals or store biometric data; it processed video frames and generated aggregate statistics. The retail client was happy.

Then a different potential client—a private security firm—approached the agency wanting to adapt the same technology for surveillance purposes. The technology could be adapted. The facial analysis pipeline could be reconfigured to track specific individuals, compare faces against watchlists, and monitor public spaces.

The agency's leadership was split. The CTO argued the technology was neutral—it was how it was used that mattered. The COO argued that adapting the technology for surveillance would create ethical and legal risks the agency was not prepared to manage. The agency had no framework for making this decision. After weeks of internal debate, they declined the security firm's contract but realized they needed a governance framework for dual-use decisions before the next one arrived.

Dual-use technology is technology that can serve both beneficial and harmful purposes. In the AI context, dual-use is pervasive. Computer vision systems designed for quality inspection can be adapted for surveillance. Language models built for customer service can be used for social engineering. Recommendation algorithms designed for content personalization can be weaponized for radicalization. Voice synthesis built for accessibility can be used for fraud.

For AI agencies, dual-use governance is not about refusing to build AI. It is about establishing frameworks that guide decisions about what you build, for whom, and with what restrictions. This post provides that framework.

Understanding Dual-Use in AI

The Dual-Use Spectrum

AI technologies exist on a spectrum of dual-use risk.

Low dual-use risk: Technologies that are difficult to repurpose for harm. A data visualization tool, a document formatting assistant, or a meeting scheduling AI have limited dual-use potential.

Moderate dual-use risk: Technologies that could be repurposed for harm with significant modification. A content recommendation engine, a predictive analytics platform, or a natural language generation system could serve legitimate or harmful purposes depending on configuration and context.

High dual-use risk: Technologies that are inherently capable of harm depending on application. Facial recognition, voice cloning, deepfake generation, autonomous decision-making systems, and cybersecurity AI all have obvious dual-use potential.

Critical dual-use risk: Technologies whose capabilities directly enable serious harm. AI for weapons systems, biological agent design, critical infrastructure attack, or mass surveillance requires the most rigorous governance.

Why AI Amplifies Dual-Use Concerns

Adaptability: AI models can be fine-tuned, prompted, or reconfigured for purposes far from their original design. A language model trained for customer service can be prompted to generate phishing emails.

Accessibility: AI tools are increasingly accessible to non-experts. Capabilities that once required specialized teams can now be deployed by individuals with modest technical skills.

Scalability: AI operates at scales that amplify both beneficial and harmful applications. A surveillance system that tracks thousands of people simultaneously is qualitatively different from a security guard watching monitors.

Opacity: AI systems can be deployed in ways that are not visible to affected populations. This opacity enables harmful use that is difficult to detect and resist.

The Dual-Use Governance Framework

Decision Framework for New Engagements

When evaluating a potential engagement or product development decision, assess dual-use risk systematically.

Step 1: Capability assessment. What capabilities does this AI system provide? List the core technical capabilities independent of the intended use case.

Step 2: Misuse scenario analysis. For each capability, brainstorm realistic scenarios where the capability could be misused for harm. Consider:

  • Who might want to misuse this capability?
  • What harm could they cause?
  • How easy would it be to adapt the technology for misuse?
  • How severe would the harm be?
  • How many people could be affected?

Step 3: Risk scoring. Score each misuse scenario on:

  • Likelihood: How likely is this misuse scenario (1-5)?
  • Severity: How severe would the harm be (1-5)?
  • Scale: How many people could be affected (1-5)?
  • Reversibility: How reversible is the harm (1-5, where 5 is irreversible)?

Multiply the four scores for a composite risk index. Scenarios above your threshold require mitigation or may justify declining the engagement.

Step 4: Mitigation assessment. For high-risk scenarios, evaluate what mitigations could reduce the risk.

  • Technical controls (access restrictions, use monitoring, capability limitations)
  • Contractual controls (use restrictions, audit rights, termination clauses)
  • Organizational controls (client vetting, deployment review, ongoing monitoring)

Step 5: Decision. Based on the risk assessment and available mitigations:

  • Proceed: Low dual-use risk with adequate mitigations
  • Proceed with restrictions: Moderate dual-use risk with strong mitigations
  • Decline: High or critical dual-use risk without adequate mitigations
  • Escalate: Risk assessment is unclear; escalate to governance committee for decision

Client Vetting

Not every client should receive every capability. Vet clients based on their intended use and the dual-use risk of the technology.

Standard vetting (all clients):

  • Verify the client's identity and legal status
  • Understand the intended use case
  • Assess the client's industry and regulatory environment
  • Check for sanctions, export control restrictions, and reputational red flags

Enhanced vetting (moderate to high dual-use risk):

  • Detailed review of the client's intended application
  • Assessment of the client's organizational controls and governance
  • Reference checks with other vendors or partners
  • Review of the client's public reputation and any history of technology misuse
  • On-site visit or detailed organizational assessment

Restricted access (high to critical dual-use risk):

  • All enhanced vetting measures plus
  • Legal review of the engagement
  • Contractual use restrictions with audit rights
  • Technical controls limiting the technology's adaptability
  • Ongoing monitoring of how the technology is used
  • Named-individual access controls

Use Restrictions

For dual-use technologies, define and enforce restrictions on how the technology can be used.

Contractual use restrictions:

  • Specify the permitted use case in the contract
  • Prohibit specific misuse scenarios identified in your risk assessment
  • Require the client to notify you of any change in intended use
  • Include audit rights to verify compliance with use restrictions
  • Define consequences for violating use restrictions (up to contract termination and technology reclamation)

Technical use restrictions:

  • Limit the technology's capabilities to what is needed for the permitted use case
  • Implement access controls that prevent unauthorized users from operating the system
  • Build monitoring that detects use patterns inconsistent with the permitted use case
  • Design kill switches or capability degradation mechanisms that can be activated if misuse is detected
  • Avoid providing source code or model weights when API-level access is sufficient

Organizational use restrictions:

  • Train the client's team on the permitted use boundaries
  • Require the client to designate a responsible person for the technology
  • Establish a communication channel for reporting concerns about misuse

Ongoing Monitoring

For moderate to high dual-use risk technologies, monitor for misuse after deployment.

Usage monitoring: Track how the technology is being used. Are usage patterns consistent with the permitted use case? Are there anomalies that suggest misuse?

Client monitoring: Monitor the client's business activities and public reputation for changes that might affect dual-use risk. A client that pivots from retail analytics to security services changes the risk profile.

Technology monitoring: If the technology is updated or enhanced, reassess the dual-use implications of the updated capabilities.

Reporting mechanisms: Maintain a channel for employees, users, and third parties to report suspected misuse.
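
One way to implement the usage monitoring above, together with the technical use restriction to build monitoring that detects use patterns inconsistent with the permitted use case. This is an added example, not code from the agency in the story. The operation names, user names, log fields, and call ceiling are assumptions, and the log lines are constructed.

```python
import json
from collections import Counter

# Permitted-use policy for one deployment. Every name and limit here is an
# assumption made for this example, not a value from the article.
POLICY = {
    "permitted_ops": {"visitor_count", "dwell_time", "peak_hours"},  # aggregate only
    "named_users": {"ops-analyst-1", "ops-analyst-2"},
    "max_calls_per_hour": 2,
}

# Constructed audit log (JSON Lines); the last record is deliberately truncated.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:05:00", "user": "ops-analyst-1", "op": "visitor_count", "individual_ids": 0}
{"ts": "2026-03-02T09:20:00", "user": "ops-analyst-2", "op": "dwell_time", "individual_ids": 0}
{"ts": "2026-03-02T10:00:00", "user": "ops-analyst-1", "op": "peak_hours", "individual_ids": 0}
{"ts": "2026-03-02T22:10:00", "user": "contractor-7", "op": "watchlist_match", "individual_ids": 3}
{"ts": "2026-03-02T22:11:00", "user": "contractor-7", "op": "track_individual", "individual_ids": 1}
{"ts": "2026-03-02T22:30:00", "user": "ops-analyst-1", "op": "visitor_count", "individual_ids": 0}
{"ts": "2026-03-02T22:31:00", "user":
"""


def check_usage(log_text, policy):
    """Return (findings, action); findings are (line_number, kind) tuples."""
    findings, calls_per_hour = [], Counter()
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            findings.append((n, "unparseable_record"))  # a gap in the audit trail
            continue
        if rec.get("op") not in policy["permitted_ops"]:
            findings.append((n, "op_outside_permitted_use"))
        if rec.get("user") not in policy["named_users"]:
            findings.append((n, "user_not_named"))
        if (rec.get("individual_ids") or 0) > 0:  # output is no longer aggregate
            findings.append((n, "per_individual_output"))
        hour = str(rec.get("ts", ""))[:13]  # bucket by YYYY-MM-DDTHH
        calls_per_hour[hour] += 1
        if calls_per_hour[hour] == policy["max_calls_per_hour"] + 1:
            findings.append((n, "volume_above_baseline"))  # reported once per hour
    kinds = {kind for _, kind in findings}
    if kinds & {"op_outside_permitted_use", "per_individual_output"}:
        action = "degrade_capability"  # the kill-switch path, pending review
    elif kinds:
        action = "manual_review"
    else:
        action = "none"
    return findings, action
```

Calling check_usage(SAMPLE_LOG, POLICY) returns the findings per log line and the recommended action. Only findings that show the system doing something outside the permitted use case trigger degradation; the rest go to a person for review.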

Sector-Specific Dual-Use Considerations

Surveillance and Monitoring

Facial recognition, behavior analysis, location tracking, and communication monitoring technologies have obvious dual-use implications.

Governance approach:

  • Define a clear policy on surveillance applications (many agencies choose to avoid surveillance entirely)
  • If you build monitoring technology, implement strong use restrictions
  • Require human rights impact assessments for monitoring deployments in sensitive contexts
  • Limit sales to law enforcement and government agencies to those in jurisdictions with adequate human rights protections

Generative AI

Text generation, image generation, voice synthesis, and video generation all have dual-use potential for disinformation, fraud, and harassment.

Governance approach:

  • Implement content safety measures in all generative AI systems
  • Build watermarking and provenance tracking into generated content
  • Restrict generation capabilities that enable impersonation or fraud
  • Monitor for misuse patterns in generation logs
  • Train clients on responsible use of generative capabilities

Cybersecurity AI

AI for threat detection, vulnerability analysis, and security testing can also be used for offensive cyber operations.

Governance approach:

  • Vet cybersecurity AI clients thoroughly
  • Restrict offensive capabilities to authorized security testing contexts
  • Implement logging and monitoring for all security AI usage
  • Comply with relevant cybersecurity regulations and norms
  • Do not provide capabilities that exceed what is needed for the client's defensive or authorized testing needs

Decision-Making AI

AI systems that make or influence consequential decisions (hiring, lending, insurance, criminal justice) can be used fairly or discriminatorily.

Governance approach:

  • Require bias testing and fairness assessment for all decision-making AI
  • Implement transparency and explainability requirements
  • Restrict use in high-stakes contexts without adequate human oversight
  • Monitor for discriminatory outcomes in production
  • Build appeal mechanisms into decision-making systems

Organizational Governance Structures

Dual-Use Review Committee

Establish a committee that reviews engagements and products with dual-use implications.

Composition:

  • Technical lead who understands the technology's capabilities
  • Ethics or governance representative
  • Legal counsel
  • Business leadership
  • External advisor (for complex cases)

Responsibilities:

  • Review new engagements flagged for dual-use risk
  • Review product development decisions with dual-use implications
  • Assess client vetting results for high-risk engagements
  • Monitor ongoing dual-use risk across the agency's portfolio
  • Update dual-use policies based on emerging risks and regulatory changes

Decision authority:

  • Can approve, restrict, or block engagements based on dual-use assessment
  • Can require additional mitigations as a condition of approval
  • Can recommend suspension of existing engagements if dual-use risk changes

Dual-Use Policy

Document your agency's dual-use governance policy.

Elements to include:

  • Definition of dual-use technology as your agency applies it
  • Risk assessment methodology
  • Client vetting procedures
  • Use restriction framework
  • Monitoring requirements
  • Decision-making authority and escalation procedures
  • Prohibited applications (categories of work your agency will not do regardless of client or context)
  • Record keeping requirements

Training

Train all team members on dual-use awareness and your agency's governance framework.

For all team members:

  • What dual-use technology means and why it matters
  • Your agency's dual-use policy and prohibited applications
  • How to identify and escalate dual-use concerns
  • Their role in dual-use governance

For technical staff:

  • How to assess the dual-use potential of specific technologies
  • How to implement technical use restrictions and monitoring
  • How to design AI systems with dual-use risk in mind

For sales and business development:

  • How to identify dual-use red flags during client conversations
  • How to explain your agency's dual-use governance to clients
  • When to escalate engagements for dual-use review

Balancing Innovation and Responsibility

Avoiding Governance Paralysis

Dual-use governance should not paralyze your agency. Most AI applications have low dual-use risk and should proceed with standard practices. Reserve enhanced governance for technologies and engagements that genuinely warrant it.

Proportionality principle: The governance burden should be proportional to the dual-use risk. Low-risk applications need minimal governance overhead. High-risk applications need comprehensive governance. Scale your governance to the risk.

Speed principle: Governance reviews should have defined timelines. A dual-use assessment for a standard engagement should take days, not weeks. Only complex, high-risk cases should require extended review.

Default-to-go principle: Unless the dual-use assessment identifies specific, material risks that cannot be adequately mitigated, the default should be to proceed. Governance should enable responsible innovation, not block all innovation.

Learning from Decisions

Track your dual-use governance decisions and their outcomes.

  • What engagements were reviewed for dual-use risk?
  • What decisions were made (proceed, restrict, decline)?
  • What was the reasoning for each decision?
  • Were any declined engagements later pursued by competitors? What happened?
  • Were any approved engagements later found to have dual-use problems?
  • What lessons can be drawn from the outcomes?

Use this data to refine your governance framework over time.

Your Next Step

Define your agency's prohibited applications—the categories of AI work you will not do regardless of the client or context. Most agencies can quickly agree on some clear boundaries: you will not build AI for lethal autonomous weapons, for mass surveillance without oversight, or for systems designed to deceive vulnerable populations.

Then build your risk assessment process for gray-area engagements. Create a simple template that captures the capability assessment, misuse scenarios, risk scoring, and mitigation options described in this post. Use it for your next three client engagements to calibrate the framework against real decisions.

The agency with a clear dual-use governance framework makes faster, more confident decisions about what to build and for whom. Clients respect agencies that have thought through these questions because it signals maturity and integrity. And when the inevitable question comes—"could this technology be misused?"—you will have an answer that demonstrates responsibility rather than ignorance.
