After AI Comes the Sensor State
AI is not just software — it becomes intelligence attached to cameras, bodies, health systems, workplaces, cities, and devices. Europe's AI Act enters full effect in August 2026. But the more consequential battle is only beginning: the convergence of AI with biomedicine, spatial computing, and ambient surveillance is building infrastructure that will be nearly impossible to govern once it hardens.
Why Europe must regulate the next decade before it becomes infrastructure.
The EU AI Act enters full effect in August 2026. It is a genuine milestone — the first comprehensive, risk-based AI law anywhere. But if you are building systems that will run in 2028 or 2031, the Act is not the whole map. It is the prologue.
The more consequential question is not whether one model is high-risk under Annex III. It is whether democratic societies can govern the wider convergence: AI fusing with biomedical data systems, augmented reality, workplace analytics, ambient sensors, connected devices, and biometric identification — before that fusion becomes infrastructure too embedded to contest.
This is the sensor state. Not a surveillance state in the dramatic Cold War sense. Something quieter and in some ways more durable: a world in which the environment becomes computable, the body becomes a data source, and the archive waits for the algorithm to catch up.
I. The Visible Centre and the Wider Storm
By mid-2026, AI is deeply embedded in cloud and edge infrastructure alike. Large language models are no longer experiments — they are decision layers inside organisations: search, customer support, legal review, medical triage, HR screening, fraud detection, public administration, content moderation. Edge AI (small language models running on-device) is now common enough that meaningful reasoning no longer requires a round-trip to a data center.
The AI Act correctly identifies a class of prohibited uses — social scoring, untargeted facial recognition from CCTV feeds, emotion inference in workplaces — and a taxonomy of high-risk systems requiring documentation, logging, human oversight, and bias testing. That taxonomy matters. But it is built around individual systems assessed in isolation.
The real risk architecture of 2026 is different. It is about chains of systems and converging data streams.
A public agency uses AI to prioritise inspection cases. A bank uses AI to interpret life events and adjust credit risk. An employer uses AI to infer engagement or predict attrition. A municipality uses AI-assisted camera feeds to allocate policing resources. Each use is individually defensible. Together they produce a society in which citizens are continuously classified, scored, and pre-judged — not by one high-risk system but by a mesh of interoperating inferences.
Regulating the mesh requires a different frame than regulating individual models.
II. The Three Converging Layers
Three technology categories are maturing simultaneously and fusing around a common substrate: intimate data about bodies, behaviour, location, attention, health, and intent.
Biomedical data infrastructure
AI-assisted diagnostics, genomic sequencing linked to risk profiles, wearable sensors monitoring vitals continuously, digital telemedicine platforms blending health records with live physiological data — these are not future scenarios. They are current deployments. Under the European Health Data Space (EHDS), published in March 2025 and entering its transition phase, EU health systems are building cross-border data sharing for both primary care and secondary research use.
Health data is not merely information about what we have done. It can reveal what may happen to us: disease risk, fertility, mental health history, genetic ancestry, future insurability. It implicates relatives who never consented. It retains significance for decades — and can be re-identified from data that once appeared anonymous.
Augmented and spatial computing
AR and VR hardware is more capable and more distributed than the consumer adoption curve suggests. The relevant deployments are not gaming headsets. They are factory maintenance overlays, surgical guidance systems, logistics workflows, workplace training environments, and city-scale digital twin infrastructure. Spatial mapping sensors — LiDAR, depth cameras, eye-gaze trackers — scan environments continuously.
The privacy issue with AR is not only what the user sees. It is what the device must sense in order to function. Spatial computing systems map rooms, track gaze, interpret gestures, record voices, identify objects, locate bodies, and infer attention. A smartphone knows where you are. AR glasses may know what you looked at, for how long, with what physiological response, in whose presence, and inside which private room.
Studies note that VR/AR cameras can capture posture, gaze, and subtle nervous patterns that betray emotional state or health status — data the user never consciously shared.
Surveillance infrastructure and cheap memory
Cameras and microphones are now ubiquitous: CCTV, traffic cameras, drones, doorbell cameras, smart speakers, dashcams. AI changes the economics of what has been recorded. In the past, collection was cheap but interpretation was expensive. Now interpretation is cheap too.
The critical concept is retroactive re-identification. A blurry street camera image from five years ago can be clarified by modern super-resolution. A voice sample saved by a third party can be matched to a social profile. In a mobility log considered anonymous, four location points can be enough to identify 95% of individuals. This turns stored data into latent power. The archive is patient.
III. What the AI Act Does and Does Not Cover
The AI Act's timeline is now well understood:
- Aug 1, 2024: Act enters into force
- Feb 2, 2025: Prohibited practices (Art. 5) apply
- Feb 2, 2025: AI literacy obligations (Art. 4) apply
- Aug 2, 2025: GPAI provider obligations (Chapter V) apply
- Aug 2, 2026: High-risk requirements (Chapter III) apply
- Aug 2, 2027: Extended deadline for high-risk AI in Annex I regulated products
The Act covers individual AI systems assessed against defined risk categories. It requires documentation, logging, human oversight, bias testing, and risk management for high-risk systems. This is necessary and real.
What it does not address directly:
Chains of systems. A sequence of AI-assisted decisions across different organisations, each individually compliant, can produce an outcome no single system is accountable for. The mesh is ungoverned.
Retroactive surveillance. The Act restricts real-time remote biometric identification. It is less clear about retrospective analysis — using stored footage and improved future algorithms to identify people who were present years earlier.
Inferential privacy harms. Modern models can infer ethnicity from voice, political views from social network patterns, sexual orientation from reaction patterns, and health status from movement data. These inferences happen from data that does not look biometric at collection time.
Connected product data flows. IoT devices, AR headsets, smart vehicles, and health wearables generate continuous behavioural streams. These are governed primarily by GDPR and the Data Act, not the AI Act — creating a gap between where data is generated and where the risk-based regulation applies.
IV. Biomedical Data: The Most Personal Frontier
The EHDS framework is strategically important precisely because it exposes the tension at the heart of health data governance. At its best, it enables genuine public value: cross-border research, better diagnostic AI, coordinated pandemic response. Secondary use of health data — with consent and under strict governance — can accelerate drug discovery and reduce health inequalities.
At its worst, any large health data space risks function creep. "Secondary use" expands. Consent mechanisms become nominal. Commercial partners gain access that was not the original intent. The WHO has warned that large multimodal AI models may be widely used in healthcare and research, and has stressed that ethics and human rights must sit at the centre of design and deployment — not as afterthoughts added when public pressure demands them.
For engineers and architects building systems in this space, the practical principles are:
- Data minimisation as architecture. Collect only what is required for the stated purpose. Design systems that cannot retain more than they need. Make minimisation a structural property, not a policy document.
- Purpose limitation with technical enforcement. Secondary use permissions should be encoded in access controls, not merely documented in terms of service.
- Provenance and auditability. Every use of health data should be logged, attributable, and reviewable by the data subject and by regulators.
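As an added illustration (not code from the article or from any EHDS system), the sketch below shows the last two principles enforced in code: a read is released only when the declared purpose permits every requested field, and every attempt, granted or denied, lands in a hash-chained log that the data subject can query and that reveals later tampering. The purpose names, field sets, sample record and function names are all constructed assumptions.

```python
import hashlib
import json

# Constructed policy: each permitted purpose maps to the only fields it may read.
PURPOSE_FIELDS = {
    "primary_care": {"name", "dob", "diagnosis", "medication"},
    "approved_research": {"birth_year", "diagnosis"},  # no direct identifiers
}

# Constructed sample record.
RECORDS = {"p-001": {"name": "A. Example", "dob": "1980-04-02", "birth_year": 1980,
                     "diagnosis": "E11", "medication": "metformin"}}

GENESIS = "0" * 64  # previous-hash value for the first log entry


def _digest(prev, event):
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous one via SHA-256."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        # A production log would also record a trusted timestamp (omitted here).
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": _digest(prev, event)})

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def for_subject(self, subject_id):
        """Everything done (or attempted) with one person's data."""
        return [e["event"] for e in self.entries if e["event"]["subject"] == subject_id]


def read_record(log, actor, subject_id, purpose, fields):
    """Release fields only if the declared purpose permits all of them."""
    allowed = PURPOSE_FIELDS.get(purpose, set())
    granted = bool(allowed) and set(fields) <= allowed
    log.append({"actor": actor, "subject": subject_id, "purpose": purpose,
                "fields": sorted(fields), "granted": granted})
    if not granted:
        raise PermissionError(f"purpose {purpose!r} does not permit {sorted(fields)}")
    return {f: RECORDS[subject_id][f] for f in fields}
```

Because denial is the default for any purpose not in the policy table, adding a new secondary use requires an explicit, reviewable policy change rather than a change to terms of service.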
A health system must not become a soft surveillance system because the word "innovation" was placed above the entrance.
V. Spatial Computing: The Interface Becomes the Sensor
The mistake regulators made with cookies was building consent architecture after the economic model was mature. The lesson is that governance must arrive before mass-market deployment hardens the defaults.
For spatial computing, that window is open now — but not indefinitely.
The EU Commission has recognised virtual worlds and Web 4.0 as a strategic field, with stated goals for an open, trustworthy, and interoperable digital environment. But the governance framework for what spatial devices sense — not what they display — is underdeveloped. GDPR applies in principle. The practical enforcement gap is wide.
The principle for spatial computing should be simple: no invisible mapping of private or semi-private spaces without clear purpose, visible indicators, and enforceable user control.
Concretely:
- Local processing by default, not cloud upload of spatial maps.
- Short retention periods for environmental scans.
- Visible recording indicators — a legal and design requirement, not optional.
- Strong bystander rights: a person who enters a space should not be continuously mapped without notice.
- Strict prohibition on combining spatial data with identity profiles except under narrow, audited conditions.
A person entering a café should not need to silently negotiate with the ambient sensors of every device in the room.
VI. Surveillance at Scale: Cheap Memory and the Patient Archive
Europe's AI Act places important limits on real-time remote biometric identification in publicly accessible spaces for law enforcement purposes — requiring narrow conditions and prior judicial or independent administrative authorisation. This is a real constraint on a real risk.
But civil society organisations have correctly identified the gaps. Biometric surveillance by non-law-enforcement actors is largely ungoverned at the sensor level. Retrospective analysis — reprocessing stored footage with improved models — falls into a regulatory ambiguity. And the convergence of modalities (CCTV plus phone metadata, AR gaze data plus purchase history) creates surveillance capability that no individual dataset would appear to authorise.
The deeper issue is structural. A person who can be identified, tracked, and retrospectively analysed everywhere behaves differently. They attend fewer political gatherings. They visit fewer sensitive organisations. They become cautious in ways that are hard to measure and politically profound. Democracy requires not only freedom of speech but also freedom from continuous identification.
This is why the default must be prohibition for generalised public-space tracking, with narrow, time-limited, judicially authorised exceptions — not the reverse.
VII. Connected Products: The Quiet Governance Frontier
Two laws that receive less public attention than the AI Act are quietly significant:
The EU Data Act (applicable September 2025) grants users — consumers and businesses — rights to access and share data generated by their use of connected products: cars, appliances, industrial machines, health monitors, smart home devices. It forbids unfair contract terms that prevent data sharing and sets conditions for emergency public access.
The Cyber Resilience Act (in force December 2024, main obligations from December 2027) imposes mandatory cybersecurity requirements on all hardware and software products sold in the EU. Manufacturers must build products securely by design, provide security updates, and report vulnerabilities.
Together with GDPR, the AI Act, the Digital Services Act, and the Digital Markets Act, these instruments begin to form a stack-level governance model — rules that apply at hardware, cloud, software, data access, platform, and AI layers. This is the correct intuition. Technological power in 2026 is not located in one layer. It sits across a full stack, and governance that only reaches one layer will be routed around.
The regulator of the next decade must see the whole stack, not just the model at the top.
VIII. Five Principles for the Next Settlement
The AI Act is the beginning, not the end. For architects, CTOs, and institutional decision-makers building systems that will operate through 2031, five structural principles matter more than any single compliance checklist.
1. Regulate data collection at source. Once data is collected at scale, the governance battle is already partially lost. The next generation of rules must require data minimisation, local processing where technically feasible, short retention by default, and purpose limitation as an architectural property — in AI systems, AR devices, connected products, and biomedical platforms alike.
2. Treat biometric identification as exceptional infrastructure. Both real-time and retrospective biometric identification require strict democratic control. The default must be prohibition for generalised tracking, with narrow, time-limited, judicially authorised exceptions. This applies to non-state actors as much as law enforcement.
3. Audit the organisation, not just the model. AI compliance that stops at model cards misses the point. Meaningful audit must inspect training data provenance, deployment context, human oversight mechanisms, user recourse paths, logging, incident reporting, and post-deployment drift. The model is one component of a sociotechnical system. Governance must cover the system.
4. Health data spaces need hard governance limits. Secondary use of health data can be publicly valuable, but must be transparent, logged, reviewable by data subjects, and protected against commercial repurposing. "Innovation" is not a sufficient justification for weakening these protections. Citizens need confidence that health data infrastructure serves health outcomes, not optimised extraction.
5. Procurement as regulatory instrument. Public institutions should not purchase AI, AR, surveillance, or health data systems that fail strong privacy, auditability, and interoperability requirements. The state must not finance the architectures it will later struggle to govern. Public procurement standards are among the most powerful levers available — faster to apply than legislation and with immediate market effect.
The Choice Is About Defaults
The next five years will not be determined by a single dramatic invention. They will be determined by defaults.
Whether systems record by default. Whether models retain by default. Whether devices identify by default. Whether employers measure by default. Whether public agencies automate first and establish accountability later. Whether citizens can meaningfully refuse.
Technology is always ahead of legislation in the trivial sense: deployment precedes statute. But it should not be years ahead of democratic control. That gap is a political failure, not a technical inevitability.
The task for architects and regulators alike is to move upstream: from harm response to design rules, from consent banners to structural constraints, from isolated compliance to stack-level governance.
Europe has built the beginning of such a model. The AI Act, EHDS, Data Act, DSA, and Cyber Resilience Act are imperfect, sometimes heavy, sometimes contested. But together they represent a necessary claim: the digital economy must remain governable, and technology must remain contestable.
The summer of 2026 is not the resolution of the AI debate. It is the opening of the next privacy settlement. The question is whether the institutional infrastructure to shape that settlement can be built before the sensor state hardens around it.
References
- European Parliament & Council. Regulation (EU) 2024/1689 (AI Act). eur-lex.europa.eu
- European Commission. European Health Data Space — Regulation. eur-lex.europa.eu
- European Parliament & Council. EU Data Act (Regulation 2022/868). eur-lex.europa.eu
- European Parliament & Council. Cyber Resilience Act (Regulation 2024/2847). eur-lex.europa.eu
- NIST. AI Risk Management Framework 1.0. nist.gov
- WHO. Ethics and Governance of Artificial Intelligence for Health. who.int
- OECD. AI Principles (updated 2024). oecd.ai
- European Commission. Digital Services Act (Regulation 2022/2065). eur-lex.europa.eu
- European Commission. Virtual Worlds Strategy — Web 4.0. digital-strategy.ec.europa.eu
- EU AI Act Explorer. Full Text and Timeline. artificialintelligenceact.eu