DHS & CISA sharpen guidance on agentic AI in critical infrastructure

Homeland Security Today highlights new U.S. government guidance that explicitly targets AI agents controlling critical infrastructure and OT systems.

A Homeland Security Today feature synthesizes recent U.S. government moves to treat agentic AI as a distinct risk category within critical infrastructure. Drawing on HiddenLayer's 2026 AI Threat Landscape Report, the piece notes that roughly one in eight reported AI breaches now involves an agentic system, and that attacker breakout times have collapsed to under 30 minutes, with some agent-driven compromises measured in seconds. The article's central point is that agent-specific failures (prompt injection, tool misuse, privilege escalation, memory poisoning, and cascading failures across interconnected agents) do not fit cleanly into traditional intrusion detection frameworks, which were built around network and host indicators rather than an agent's reasoning and tool-call chain.

What changed. DHS's Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure, released late last year, and follow-on joint guidance from CISA and allied nations now explicitly call out AI agents embedded in OT and control systems. Recommended controls include prompt injection defenses, documented human-override mechanisms for consequential decisions, isolation architectures that limit blast radius, and full audit logging of autonomous agent actions.

Why it matters. For teams deploying agents into SCADA, ICS, or other OT/critical infrastructure stacks, regulators are converging on concrete expectations that go beyond generic “secure AI” advice and into operational design: isolation domains, least-privilege tool invocation, and verifiable human-in-the-loop for safety-critical actions.

Builder takeaway. Treat agent orchestration and tool wiring in critical systems as part of your safety case: enforce a strict per-agent tool allowlist, defend against prompt injection and memory poisoning, keep tamper-evident audit logs of every agent decision (including denials), and build clear, testable human override and rollback paths that can be demonstrated to regulators and customers.
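A minimal version of that design, as an added illustration (this is not code from the DHS framework, the CISA guidance, or the article): a gatekeeper that every agent tool call must pass through. It assumes a hypothetical tool registry, two hypothetical agents with different allowlists, a simulated executor in place of a real PLC/SCADA API, and an operator approval callback; all of those are constructed for the example. It enforces least-privilege tool invocation, requires human approval for consequential actions, supports an operator halt, and writes a hash-chained audit log so that editing a past entry is detectable.

```python
"""Illustrative tool-call gatekeeper for an agent wired into OT tooling.
Added example, not from any framework, guidance document or vendor.
Enforces a per-agent allowlist, human approval for consequential actions,
an operator halt, and a hash-chained append-only audit log."""
import hashlib
import json
import time
from typing import Callable

# Constructed tool registry: each tool is flagged by whether it changes physical state.
TOOL_REGISTRY = {
    "read_sensor":    {"consequential": False},
    "read_alarm_log": {"consequential": False},
    "set_valve":      {"consequential": True},
    "write_setpoint": {"consequential": True},
}

# Constructed per-agent allowlists: the monitoring agent only gets read-only tools.
AGENT_ALLOWLIST = {
    "monitor-agent": {"read_sensor", "read_alarm_log"},
    "control-agent": {"read_sensor", "set_valve", "write_setpoint"},
}


def _execute(tool: str, args: dict) -> dict:
    """Simulated tool backend (hypothetical); a real one would call the PLC/SCADA API."""
    if tool.startswith("read_"):
        return {"ok": True, "value": 42.0}
    return {"ok": True, "applied": args}


class AuditLog:
    """Append-only log in which every entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = dict(record, prev_hash=prev, ts=time.time())
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = dict(body, hash=digest)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev_hash") != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Gatekeeper:
    """All agent tool calls go through dispatch(); nothing reaches the tool backend directly."""

    def __init__(self, approver: Callable[[str, str, dict], bool]) -> None:
        self.approver = approver   # human-in-the-loop decision for consequential tools
        self.halted = False        # operator override: blocks every consequential action
        self.audit = AuditLog()

    def halt(self, operator: str) -> None:
        self.halted = True
        self.audit.append({"event": "halt", "by": operator})

    def dispatch(self, agent_id: str, tool: str, args: dict) -> dict:
        record = {"event": "tool_call", "agent": agent_id, "tool": tool, "args": args}
        spec = TOOL_REGISTRY.get(tool)
        if spec is None:
            outcome = "denied:unknown_tool"            # e.g. a tool name injected via a prompt
        elif tool not in AGENT_ALLOWLIST.get(agent_id, set()):
            outcome = "denied:not_allowlisted"         # least privilege per agent
        elif spec["consequential"] and self.halted:
            outcome = "denied:operator_halt"
        elif spec["consequential"] and not self.approver(agent_id, tool, args):
            outcome = "denied:human_rejected"
        else:
            outcome = "executed"
        # Log the decision before acting so a crash mid-action still leaves a trace.
        self.audit.append(dict(record, outcome=outcome))
        result = _execute(tool, args) if outcome == "executed" else None
        return {"outcome": outcome, "result": result}


def demo() -> tuple:
    """Scripted run; returns (outcomes, chain valid before tampering, chain valid after)."""
    approvals = {"set_valve": True, "write_setpoint": False}   # constructed operator answers
    gk = Gatekeeper(approver=lambda agent, tool, args: approvals.get(tool, False))
    calls = [
        ("monitor-agent", "read_sensor", {"tag": "PT-101"}),
        ("monitor-agent", "set_valve", {"id": "V-7", "pos": 0}),           # not allowlisted
        ("control-agent", "set_valve", {"id": "V-7", "pos": 0}),           # human approves
        ("control-agent", "write_setpoint", {"loop": "TIC-3", "sp": 90}),  # human rejects
        ("control-agent", "shell_exec", {"cmd": "id"}),                    # unknown/injected tool
    ]
    outcomes = [gk.dispatch(a, t, x)["outcome"] for a, t, x in calls]
    gk.halt("operator-1")
    outcomes.append(gk.dispatch("control-agent", "set_valve", {"id": "V-7", "pos": 1})["outcome"])
    ok_before = gk.audit.verify()
    gk.audit.entries[2]["outcome"] = "denied:human_rejected"   # simulate after-the-fact tampering
    return outcomes, ok_before, gk.audit.verify()


if __name__ == "__main__":
    print(demo())
```

The gatekeeper is deliberately the only path to the tool backend: the agent never holds credentials for the OT API itself, so a prompt injection that convinces it to call an unregistered or non-allowlisted tool is denied and logged rather than executed. Logging the decision before execution, and chaining entries by hash, is what lets you show a regulator that the record of what the agent did (and was refused) has not been rewritten.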

The Agent Brief

Three things in agentic AI, every Tuesday.
