
Your Airport Runs 200+ AI Systems. The TSA Governs None of Them.

*Airports are the most AI-dense buildings in the world. They're also the most governance-free. The gap between the two is a national security conversation nobody's having.*


---


200 Systems, Zero Governance


Denver International Airport processes 69 million passengers annually across 33 airlines and 215 gates. DEN's operations depend on AI-driven systems at a density that no other building type matches: automated baggage handling with predictive routing, HVAC optimization across 6.8 million square feet (making DEN's terminal the largest building in Colorado), gate assignment algorithms, concession traffic prediction, runway de-icing scheduling, parking guidance systems, energy load management across a facility that consumes enough electricity to power a small city, and — increasingly — security screening assistance and facial recognition at boarding gates.


Conservative estimates put DEN's AI decision count above 50,000 per hour. Every one of those decisions affects passenger experience, operational efficiency, airline economics, or public safety.


How many of those decisions are governed? Not regulated — governed. Subject to a documented framework that defines what the AI can decide, what it can't, how decisions are logged, who reviews them, and what happens when something goes wrong.


The answer, at DEN and at virtually every major airport globally, is: approximately zero.


The Unique Governance Challenge of Airports


Airports are not buildings. They're multi-stakeholder operating environments that happen to be enclosed in structures. The governance challenge isn't just that AI operates without oversight — it's that the oversight itself is fragmented across organizations that don't coordinate on AI.


Multi-authority governance fragmentation. A single airport terminal involves the airport authority (DEN is city-owned), the TSA (federal security mandate), the FAA (airside operations), airlines (gate operations, boarding), concessionaires (retail and food service), and CBP (customs and immigration for international terminals). Each authority governs its domain. None governs the AI that operates across domains.


The HVAC system that maintains temperature in the terminal also maintains temperature in the TSA screening area — but TSA doesn't govern the HVAC AI, and the airport authority's building management doesn't coordinate HVAC governance with TSA's operational requirements. The gate assignment algorithm that moves passengers affects concession revenue patterns — but concessionaires have no visibility into or governance over the algorithm. The baggage system's predictive routing affects airline on-time performance — but airlines don't govern the building's AI.


Life safety at population scale. A commercial office building serves hundreds or thousands of occupants. A major airport terminal serves tens of thousands simultaneously. DEN's Jeppesen Terminal holds 30,000+ people at peak times. When an AI-driven system makes a decision that affects that environment — ventilation rates, emergency egress signaling, crowd flow management, elevator/escalator dispatch — the consequences operate at population scale. A suboptimal HVAC decision in an office building means discomfort. A suboptimal ventilation decision in an airport terminal with 30,000 occupants is a public health event.


Critical infrastructure designation. Airports are designated critical infrastructure under Presidential Policy Directive 21 and DHS critical infrastructure protection frameworks. Recent guidance from the TSA and DHS emphasizes the urgency of robust governance structures for AI systems in critical infrastructure, urging airports to prioritize AI oversight protocols in line with evolving security demands. Yet the AI systems that increasingly control airport operations are not covered under critical infrastructure protection frameworks — because those frameworks were written before building AI existed.


24/7/365 operations with no downtime tolerance. Unlike commercial buildings, airports cannot schedule downtime for AI system maintenance, governance reviews, or model updates. Every governance mechanism must operate alongside continuous operations. This makes traditional "stop and audit" approaches impractical and demands real-time governance capabilities that don't exist in current building AI systems.


Three Scenarios That Keep Airport Directors Up at Night


Scenario 1: The Cascade Failure


DEN's AI-driven energy management system responds to a grid demand response signal during a summer peak. It reduces HVAC load across the terminal by 15%. Simultaneously, the automated baggage system reroutes bags through a secondary sorting facility to avoid a mechanical issue on the primary line — increasing processing time by 8 minutes per bag. The gate assignment algorithm, unaware of the baggage delay, doesn't adjust departure hold recommendations. Three airlines miss their 15-minute connection windows. 2,200 passengers are stranded overnight.


No single AI system failed. Each optimized within its domain. But no governance framework coordinated the cascade — because no governance framework exists that spans all the AI systems operating in the airport.


Scenario 2: The Bias Discovery


An airport's AI-driven gate assignment algorithm optimizes for operational efficiency — minimizing taxi time, maximizing gate utilization, reducing passenger connection distances. An analysis reveals that the algorithm consistently assigns the closest gates to the airport's two largest airlines (who pay the highest gate fees) and assigns distant gates to regional carriers. Passengers on regional flights walk an average of 2.7x farther to reach their gates.


This creates an ADA compliance issue: passengers with mobility challenges are disproportionately affected by distant gate assignments, and regional routes serve smaller communities with older demographics. The algorithm didn't intend discrimination. But the pattern it created is discriminatory in effect — and nobody was monitoring for it because no governance framework requires algorithmic fairness auditing for gate assignments.


Scenario 3: The Security Gap


An airport's AI-driven access control system manages staff entry to secure areas. The system uses badge data, historical access patterns, and anomaly detection to flag unusual access. A maintenance contractor's badge is used to enter a secure baggage area at 2:47 AM — unusual but not flagged, because the AI learned that maintenance workers access this area overnight when work orders are active.


Except there's no active work order. The badge was cloned. The AI's learning-based access model — trained to minimize false positives because each false positive triggers a security response that delays operations — decided this was a normal pattern.


TSA governs the physical screening process. The airport authority governs the building access system. The AI that decided not to flag a cloned badge access event at 2:47 AM? Nobody governs that decision.


What Airport AI Governance Requires


The Building Constitution framework, adapted for critical infrastructure, addresses airport governance through a layered architecture:


Layer 1: System Inventory and Risk Classification


Every AI system operating in the airport must be cataloged and classified by risk tier, considering factors such as number of people affected, safety and security implications, and decision reversibility. For DEN, this inventory would likely identify 150-250 AI-driven systems across building operations, security, airline operations, and passenger services. Most airport directors don't know the number — because nobody has done the inventory.


Layer 2: Cross-Authority Governance Coordination


A single governance framework can't span airport authority, TSA, FAA, airlines, and concessionaires — the jurisdictional complexity is too deep. Instead, airports need a coordination layer: a shared protocol that defines how AI governance decisions in one authority's domain must be communicated to other authorities when the decisions have cross-domain effects.


When the building AI adjusts HVAC in the secure area, TSA should be notified. When the gate algorithm changes assignments, airlines should see the data. When the access control AI changes its anomaly thresholds, security leadership should approve the change. This isn't shared governance — it's governed interoperability.


Layer 3: Decision Logging at Critical Infrastructure Grade


Airport AI decision logs must meet a higher standard than commercial building logs. Every decision made by a Tier 1 or Tier 2 system must be logged, including the decision made, data inputs, alternatives considered, predicted impact, and actual outcomes. These logs must be tamper-evident, comply with federal records requirements, and be accessible to relevant authorities during incident investigations.
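
One way to make such a log tamper-evident is to chain each record to the previous one with a keyed hash. The sketch below is an added example, not part of the Building Constitution framework or any vendor's code; the function names, the record layout, the key handling and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Fields the paragraph above lists; actual_outcome may be None at decision time.
FIELDS = ("system", "tier", "decision", "inputs", "alternatives",
          "predicted_impact", "actual_outcome")

def _mac(key, prev, body):
    # Canonical JSON so a record always serialises to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + payload, hashlib.sha256).hexdigest()

def append(log, key, **record):
    """Append one decision record, chained to the previous entry's MAC."""
    missing = [f for f in FIELDS if f not in record]
    if missing:
        raise ValueError(f"incomplete decision record, missing: {missing}")
    body = {f: record[f] for f in FIELDS}
    body["seq"] = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"body": body, "prev": prev, "mac": _mac(key, prev, body)}
    log.append(entry)
    return entry

def verify(log, key, expected_len=None):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        ok = (entry["prev"] == prev and entry["body"].get("seq") == i
              and hmac.compare_digest(entry["mac"], _mac(key, prev, entry["body"])))
        if not ok:
            return i
        prev = entry["mac"]
    # Dropping entries from the tail leaves a valid chain, so compare against
    # an entry count held outside the log (assumption: the reviewer keeps one).
    if expected_len is not None and len(log) != expected_len:
        return len(log)
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held by the log's custodian
    log = []
    append(log, key, system="access-control", tier=1, decision="no_flag",
           inputs={"badge": "C-0001", "area": "secure-baggage", "time": "02:47"},
           alternatives=["flag"], predicted_impact="none", actual_outcome=None)
    print(verify(log, key))                  # chain intact
    log[0]["body"]["decision"] = "flag"      # after-the-fact edit
    print(verify(log, key))                  # index of the altered entry
```

Keeping the MAC key and the entry count with a party other than the system operator is what lets an investigating authority trust the result of `verify`.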


Layer 4: Continuous Fairness Monitoring


Gate assignments, service allocation, crowd management, and every AI decision that differentially affects passengers or tenants must be monitored for bias patterns continuously. The algorithms change, the traffic patterns shift, and new bias signatures can emerge. Quarterly audits are insufficient — continuous oversight captures anomalies in real time.


Layer 5: Incident Response Protocol (AIRS-CI)


Cognitive Corp's AIRS framework, extended for critical infrastructure (AIRS-CI), adds airport-specific requirements: multi-authority notification chains, federal reporting triggers (TSA, FAA, DHS CISA), cascade analysis protocols, and concurrent-operations recovery procedures that don't require system shutdown.


International Comparisons in Airport AI Governance


While the U.S. has yet to establish a comprehensive framework for airport AI governance, some international airports are leading the charge. For instance, the European Union's GDPR guidelines mandate stringent data privacy measures, which indirectly influence how AI is managed in public infrastructure. Airports like Singapore Changi have implemented integrated AI frameworks that prioritize transparency and accountability, involving stakeholders from various sectors to ensure holistic oversight. Observing these best practices can inform and improve the governance landscape in U.S. airports.


What Airport Leaders Should Do Now


1. Conduct an AI system census. Count every AI-driven system in your airport — building operations, security, airline operations, passenger services, retail, parking. The number will be larger than expected. This census becomes the foundation of your governance framework.


2. Establish a cross-authority AI governance working group. Bring TSA, FAA representatives (for airports with FAA control tower coordination), major airlines, and your operations team into a quarterly AI governance coordination meeting. Agenda item one: "What AI changes did each authority make this quarter, and how did they affect other authorities?"


3. Pilot decision logging on your highest-risk systems. Start with the three systems where a bad AI decision has the worst consequences: HVAC in high-density areas, access control for secure zones, and baggage handling. Work with your BMS and system vendors to enable decision logging. If they can't provide it, that reveals critical insights about the system's governance readiness.


4. Request a BAGI assessment. Cognitive Corp's Building AI Governance Index provides a quantified baseline. Airport governance assessments consistently score 8-18 on the 100-point scale — but the assessment itself is valuable, as it maps every governance gap against the specific risk profile of your facility.


5. Engage DHS CISA on AI governance for critical infrastructure. CISA's critical infrastructure protection frameworks don't yet address building AI governance. Airport authorities that engage CISA on this topic don't just improve their own security posture — they help shape the framework that will eventually be required.


The airports that govern their AI systems aren't the ones with fewer AI systems. They're the ones that recognize that 50,000 AI decisions per hour at a facility serving 69 million passengers per year is a governance imperative — not a technology project.


---


*James C. Waddell is President of Cognitive Corp. Cognitive Corp provides AI governance assessments for critical infrastructure facilities, including airports, transit systems, and multi-modal transportation hubs.*


*→ Request a critical infrastructure governance assessment: [link]*


 
 
 
