CISA and allies publish secure AI-in-OT guidance for agentic control loops
CISA and six allied cyber agencies released joint guidance on securely integrating AI—including autonomous agents—into operational technology environments that drive physical processes.
Building on growing concern about AI in cyber-physical systems, CISA and cyber agencies from six allied nations have issued joint guidance for securely integrating AI into operational technology (OT) environments. As summarized in the Homeland Security Today coverage, the document pays particular attention to AI agents deployed in systems that directly control physical processes, such as industrial control systems (ICS), manufacturing lines, or critical facility management. The guidance emphasizes that these agents must be treated as untrusted components in a safety-critical control loop, warranting layered defenses beyond the usual IT perimeter security.
The guidance recommends strict segregation between agents and core control networks, use of defensive sandboxes or gateways for agent-issued commands, constrained tool and actuator interfaces, rate limits and sanity checks on actuator instructions, and mandatory human validation for high-risk actions. It also echoes broader DHS advice around logging every autonomous action and designing explicit kill-switch and fallback procedures if anomalous behavior is detected. Together, the recommendations push agent builders toward architectures where agents can propose or stage actions, but execution is mediated by hardened, verifiable OT control layers.
What changed. OT and ICS operators now have multi-agency, internationally aligned guidance that directly addresses AI agents as potential controllers or co-pilots for physical systems.
Why it matters. Organizations experimenting with agentic AI in plants, grids, and facilities can no longer claim there is “no guidance”—security and safety baselines have been articulated, and they will shape procurement and integration decisions.
Builder takeaway. Design OT-facing agents with a gateway pattern: the agent suggests actions, a hardened intermediary validates them against safety and policy constraints, and only then are they applied—while maintaining fine-grained logs, rate limits, and clear human override paths.
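The gateway pattern described in the guidance summary and the builder takeaway, as an added illustrative example (this is not code from CISA, the joint guidance, or any vendor): an agent only ever produces a proposal, and a mediating gateway applies hard limits, a per-command maximum step (the "sanity check" on actuator instructions), a rate limit, mandatory operator approval for actuators flagged high-risk, an operator kill switch, and an append-only log of every decision. All actuator names, limits, policies, and the `apply` hook standing in for the hardened OT control layer are constructed assumptions.

```python
"""Added example of a proposal-validation gateway between an AI agent and OT actuators.

Illustrative code written for this summary; not from CISA or the joint guidance.
Actuator names, limits and policies below are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional
import time


class Decision(str, Enum):
    EXECUTED = "executed"
    REJECTED = "rejected"
    STAGED_FOR_HUMAN = "staged_for_human"
    HALTED = "halted"


@dataclass(frozen=True)
class ActuatorPolicy:
    """Per-actuator constraints: hard range, max change per command,
    commands per minute, and whether an operator must approve each change."""
    min_value: float
    max_value: float
    max_step: float
    rate_per_minute: int
    requires_human: bool = False


@dataclass
class Proposal:
    """What an agent is allowed to emit: a request, never a direct actuator write."""
    agent_id: str
    actuator: str
    value: float
    reason: str


@dataclass
class Gateway:
    policies: dict[str, ActuatorPolicy]
    current: dict[str, float]                   # last known setpoint per actuator
    apply: Callable[[str, float], None]         # hook into the hardened OT control layer (assumed)
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    log: list[dict] = field(default_factory=list)
    staged: list[Proposal] = field(default_factory=list)
    halted: bool = False
    _history: dict[str, list[float]] = field(default_factory=dict)

    def kill_switch(self) -> None:
        """Operator fallback: stop all agent-driven execution until reset."""
        self.halted = True
        self._record(None, Decision.HALTED, "kill switch engaged")

    def submit(self, p: Proposal) -> Decision:
        """Validate an agent proposal; only policy-clean proposals reach the actuator."""
        if self.halted:
            return self._record(p, Decision.REJECTED, "gateway halted")
        pol = self.policies.get(p.actuator)
        if pol is None:
            return self._record(p, Decision.REJECTED, "actuator not exposed to agents")
        if not (pol.min_value <= p.value <= pol.max_value):
            return self._record(p, Decision.REJECTED, "outside hard limits")
        if abs(p.value - self.current[p.actuator]) > pol.max_step:
            return self._record(p, Decision.REJECTED, "step exceeds max change per command")
        if not self._within_rate(p.actuator, pol.rate_per_minute):
            return self._record(p, Decision.REJECTED, "rate limit exceeded")
        if pol.requires_human:
            self.staged.append(p)
            return self._record(p, Decision.STAGED_FOR_HUMAN, "awaiting operator approval")
        return self._execute(p, "policy checks passed")

    def approve(self, index: int, operator: str) -> Decision:
        """Operator releases a staged high-risk proposal after review."""
        return self._execute(self.staged.pop(index), f"approved by {operator}")

    def _execute(self, p: Proposal, note: str) -> Decision:
        self.apply(p.actuator, p.value)
        self.current[p.actuator] = p.value
        return self._record(p, Decision.EXECUTED, note)

    def _within_rate(self, actuator: str, limit: int) -> bool:
        now = self.clock()
        recent = [t for t in self._history.get(actuator, []) if now - t < 60]
        allowed = len(recent) < limit
        if allowed:
            recent.append(now)
        self._history[actuator] = recent
        return allowed

    def _record(self, p: Optional[Proposal], decision: Decision, note: str) -> Decision:
        # Every autonomous action and every refusal is logged, including halts.
        self.log.append({"t": self.clock(), "agent": p.agent_id if p else None,
                         "actuator": p.actuator if p else None,
                         "value": p.value if p else None,
                         "decision": decision.value, "note": note})
        return decision


def demo() -> dict:
    """Run a constructed sequence of proposals through the gateway."""
    applied: list[tuple[str, float]] = []
    gw = Gateway(
        policies={"pump_speed_pct": ActuatorPolicy(0, 100, max_step=10, rate_per_minute=2),
                  "breaker_main": ActuatorPolicy(0, 1, max_step=1, rate_per_minute=1,
                                                 requires_human=True)},
        current={"pump_speed_pct": 50.0, "breaker_main": 1.0},
        apply=lambda a, v: applied.append((a, v)),
        clock=lambda: 0.0,
    )
    decisions = [
        gw.submit(Proposal("agent-1", "pump_speed_pct", 55.0, "raise flow")),    # executed
        gw.submit(Proposal("agent-1", "pump_speed_pct", 90.0, "surge")),         # step too large
        gw.submit(Proposal("agent-1", "valve_bypass", 1.0, "open bypass")),      # not exposed
        gw.submit(Proposal("agent-1", "pump_speed_pct", 60.0, "raise again")),   # executed
        gw.submit(Proposal("agent-1", "pump_speed_pct", 62.0, "and again")),     # rate limited
        gw.submit(Proposal("agent-1", "breaker_main", 0.0, "open breaker")),     # staged
    ]
    decisions.append(gw.approve(0, "operator-7"))                                # executed
    gw.kill_switch()
    decisions.append(gw.submit(Proposal("agent-1", "pump_speed_pct", 61.0, "x")))  # halted
    return {"decisions": decisions, "applied": applied, "log_entries": len(gw.log)}


if __name__ == "__main__":
    for d in demo()["decisions"]:
        print(d.value)
```

The agent never holds a handle to `apply`; it can only call `submit`. Hard-range and step checks run before the rate limiter so that a flood of out-of-range requests is refused without consuming budget, while staged high-risk proposals do consume it, which caps how many approvals an agent can push onto an operator per minute.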