INVESTIGATE · EXTERNAL IDENTITY BRIDGE
Put a name to a face — accountably, or not at all.
Where you are lawfully authorized, the External Identity Bridge cross-references a detection against external identity galleries — by secure reference, never by copying the source photo. Every query is permission-gated, carries a recorded lawful basis, and is written to a tamper-evident audit.
Reference-by-handle — never copies external photos · Only where lawfully authorized · Every query in a tamper-evident audit.
Read this first
The most sensitive capability in the platform is the one we built the most controls around.
Identity resolution is powerful, and power without accountability is a liability — for you and for us. So the Bridge was designed control-first. These are not settings you switch on later; they are the shape of the feature.
Reference-by-handle — it never copies or stores external photos
Sentinel holds a secure reference handle and a face embedding, not the source image. The original photo stays in the source system. Retrieving an actual image is a separate, separately-authorized request.
Only where lawfully authorized — with a recorded basis per query
A source can require a lawful basis before it will answer, and the Bridge enforces it. Every query carries the basis the operator stated for that lookup, not a blanket org-wide grant.
Every query is logged to a tamper-evident (WORM) audit
Who asked, against which source, under what basis, and what came back — written append-only and anchored into a tamper-evident chain you can independently verify later.
Results are permissioned
The Bridge is invisible to operators who lack the role for it, and sensitive fields are surfaced only to the tiers entitled to see them. Nothing leaks to a view-only seat.
No autonomous action
The Bridge surfaces a possible match. A person decides what to do with it. The platform never acts on an identity on its own.
This is the line we hold in public and in private: identity fusion is offered only into lawful, accountable operations. The controls above are enforced in the data model, not promised in a policy.
Cross-reference a detection against external galleries — by secure reference, not a photo copy.
An authorized operator cross-references a detected face against the external galleries they may query — ranked by confidence, with the match running on embeddings so the source photo never leaves the source system.
- Embedding match, not image transfer — the comparison happens by mathematical signature; the source photo never leaves the source system
- Ranked across allowed sources — top candidates by confidence, only from galleries this operator may query
- Honest about denials — sources the operator couldn't reach are returned explicitly, each with a reason, so nothing is silently dropped
- Lawful basis enforced first — the query is gated before it ever touches a source that requires a basis
- Logged the instant it runs — the cross-reference is in the audit before the result is on screen
Every cross-reference is in the tamper-evident audit before the result is on screen.
Every country’s systems are different. The framework doesn’t care.
Partners and in-country engineering teams add new identity sources by configuration and plug-in — without touching the platform core — so every jurisdiction's systems connect on their own terms.
- Multi-tenant — each organization sees and queries only its own configured sources; cross-tenant access is structurally impossible
- Configuration-first — most sources are stood up by describing them in configuration, not by writing code
- Extensible without core changes — partners and local engineers add connectors as plug-ins under their own agreements
- Generic and specific — generic connectors per source type; specialized connectors only where a jurisdiction needs them
- Capability-aware — each source declares what it supports (face query, identifier query, plate-to-owner) and the UI adapts
Partners and in-country engineers add connectors without touching the platform core.
The full accountability stack
Every control, in detail.
Person-profile match card
Where a subject has been linked to an external reference, that link surfaces on the person's profile as a dedicated card — alongside the same subject's Pattern-of-Life and movement history. Each row shows the source type, a masked display label rather than a raw identifier, an optional confidence reading, and only the fields the operator's tier is cleared to see.
Open connector framework
Identity sources differ by institution and format. A connector teaches the platform how to talk to one type of source. A generic, configuration-driven connector covers the common case: point it at a source, describe the field mapping in configuration, and it works. Partners and in-country engineering teams add new connectors by configuration and plug-in — without touching the platform core.
Per-query authorization tiers
The Bridge treats every lookup as an event that needs its own justification. Each source declares the authority a query demands — a single authorized officer, dual-control sign-off by two officers, or a judicial warrant reference. A per-officer daily query ceiling prevents a lawful tool from becoming a bulk pull. A query that doesn't clear its source's authority simply fails, and the failure is logged.
WORM-anchored audit of every lookup
Every operation — a face cross-reference, a plate-to-owner lookup, a configuration change, a reference suppression — writes one append-only record: who ran it, against which source, under what basis, what parameters were used, and how many references it returned. Records are sanitized — no embedding bytes, no full identifiers — so the audit itself never becomes a second copy of the sensitive data.
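A minimal sketch of the per-query gate and the append-only audit described in the two paragraphs above, as an added example that is not Sentinel's code. The tier names, dictionary fields, denial reasons and the SHA-256 hash chain used for tamper evidence are assumptions made for illustration; the ceiling here counts only allowed queries.

```python
# Illustrative only: names, fields and the SHA-256 chain are assumptions, not the platform's API.
import hashlib
import json
GENESIS = "0" * 64  # constructed anchor for the first record

def _digest(prev, entry):
    return hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()

class AuditChain:
    """Append-only log; each record commits to the hash of the one before it."""
    def __init__(self):
        self.records = []
    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    def verify(self):
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
                return False
            prev = rec["hash"]
        return True

def authorize(source, query, used_today):
    """Return a denial reason, or None only when every gate passes (fail-closed)."""
    tier = source["authority"]
    others = set(query.get("approvers", [])) - {query["officer"]}
    if tier not in ("single", "dual_control", "warrant"):
        return "unknown_authority_tier"
    if source["requires_basis"] and not query.get("basis"):
        return "missing_lawful_basis"
    if tier == "dual_control" and not others:
        return "second_officer_required"
    if tier == "warrant" and not query.get("warrant_ref"):
        return "warrant_reference_required"
    if used_today >= source["daily_ceiling"]:
        return "daily_ceiling_reached"
    return None

def run_query(chain, source, query, counters, search):
    key = (query["officer"], source["name"])
    reason = authorize(source, query, counters.get(key, 0))
    handles = search(query) if reason is None else []  # denied: source never contacted
    if reason is None:
        counters[key] = counters.get(key, 0) + 1
    # Sanitized record: the embedding in `query` is deliberately not copied.
    chain.append({"officer": query["officer"], "source": source["name"],
                  "basis": query.get("basis"), "authority": source["authority"],
                  "outcome": reason or "allowed", "result_count": len(handles)})
    return handles, reason
```

Denied and allowed queries both produce a record, and editing any stored entry afterwards makes `verify()` return `False` because every later hash depends on it.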
How it works
Detection, to authorized reference query, to a logged result.
Detection
A face or a vehicle is detected on your camera network and becomes a subject in Sentinel, with its own profile, patterns, and movement history. Nothing external has happened yet.
Authorized reference query
An entitled operator chooses to cross-reference that detection. They state the lawful basis, the framework enforces the source's authority requirement, and the query runs by secure reference against only the galleries that operator may reach. The source photo is never copied; the comparison is by embedding.
Logged result
Matching references return as masked, source-attributed handles on the person's profile card — and, at the same moment, the entire query is written to the tamper-evident audit. The operator decides what the match means and what to do next. The platform acts on nothing by itself.
Under the hood
Specifications
| Specification | Detail |
| --- | --- |
| Reference model | Reference-by-handle — Sentinel stores a secure reference and a face embedding; never the source photograph. Image retrieval is a separate, separately-authorized request. |
| Connector types | National civil/ID registry · driver & vehicle registry · criminal-records system · international notices — described generically; new types added via the connector framework |
| Connector framework | Open, multi-tenant plug-in registry; generic configuration-driven connectors plus specialized connectors that extend them; partners / in-country engineers add connectors without core changes |
| Query types | Face → external reference (ranked by confidence) · external identifier → linked subject · plate → registered-owner reference |
| Lawful basis | Required per query where a source mandates it; enforced server-side before the source answers; carried into the audit record |
| Authority tiers | Per-source: single authorized officer · dual-control (two officers) · judicial-warrant reference; fail-closed if unmet |
| Rate & re-auth | Per-officer daily query ceiling per source; configurable fresh-authentication window for sensitive sources |
| Access control | Role-gated for both querying and administration; field-level permissioning on connector detail; per-organization scoping (cross-tenant access structurally impossible) |
| Audit | Append-only record of every operation (operator · source · basis · authority · parameters · result count); sanitized (no embeddings, no full identifiers); material operations anchored into a tamper-evident chain |
| Erasure & suppression | A reference can be suppressed — hidden from every read path while its audit history is preserved; suppression is itself an audited, anchored operation |
| Display masking | Operators see masked display labels by default; full identifiers are never surfaced to non-cleared tiers |
| Autonomous action | None — the Bridge surfaces matches; a person decides |
| Deployment | Cloud-managed, on-premise, or fully air-gapped — your data and your queries stay within your network |
Specifications describe shipped platform capabilities and enforced controls; we'll confirm which connectors and authorities fit your deployment, lawfully, during your demo.
Where the Bridge fits
Identity is one layer. It rides on search, and it answers to governance.
Face & Plate Search
The Bridge extends the same search you already run across your own cameras out to authorized external galleries; start here to find the subject, then cross-reference where lawful.
Compliance & Privacy
Lawful basis, subject-access, retention, and erasure are platform-wide; the Bridge reuses the same machinery, which is why a suppressed reference disappears everywhere at once.
Audit & Accountability
Every Bridge lookup lands in the same tamper-evident audit as every other operator action, independently verifiable later.
See identity fusion done accountably — on live data.
Request demo access and we’ll send you a private, pre-loaded environment. Run an authorized cross-reference against synthetic external galleries, watch the lawful-basis and authority gates enforce themselves, open the masked match card on a profile, and read the tamper-evident audit the query just wrote — the whole accountable workflow, end to end.