Agentic AI Meets the Plant Floor
In IT, an AI mistake is a data event. In OT, it's a physical event.
Agentic AI is moving from the enterprise SOC toward operational technology faster than governance is moving with it. That gap is where the risk lives.
This is not a technology-skeptical position. AI genuinely can help OT teams with triage, documentation, anomaly detection, and decision support, in ways that matter for organizations running lean. But anything that can affect a physical process requires a fundamentally higher governance bar than anything that affects only data. This article is about where that bar should be set and how to get there before a vendor's marketing timeline forces the question.
Where Agentic AI Genuinely Helps OT Today
The most useful starting point for AI in OT is as an assistant, not an operator. There are several categories where AI creates real value without introducing unacceptable risk:
- Alert triage and enrichment at machine speed before a human analyst makes a decision. In OT environments where alert fatigue is already a problem, AI that can contextualize and prioritize signals meaningfully is worth having.
- Anomaly baselining by site, process, and schedule. OT environments have seasonal and shift-based traffic patterns that generic baselines miss. AI that learns site-specific normal behavior reduces false positives.
- Documentation, asset inventory reconciliation, and log summarization. These are time-consuming, error-prone tasks that AI handles well and that directly support the foundational work OT security requires.
- Drafting detection logic and response playbooks for human review. AI as a drafting assistant, with a human validating and approving the output before it goes anywhere near production.
Notice what these use cases have in common: the AI supports a human decision but does not replace it. The human remains on the approval gate for anything that results in a change to the environment.
Where AI Must Not Act Autonomously
In OT, a wrong action can create physical consequences. That sentence deserves to be a constraint on system design, not just a risk disclosure.
AI should not autonomously control setpoints, logic changes, device configurations, safety instrumented systems, or containment actions that could trigger fail-safes or push the process into an unsafe state. This applies regardless of the model's confidence level, the vendor's marketing claims, or the time pressure of an incident.
A useful rule of thumb: if a wrong action creates a physical consequence, a human holds authority.
This is not the same standard that applies in IT, where an AI that misclassifies a file or takes a wrong remediation step creates a data problem that is typically reversible. In OT, an AI that misinterprets a process alarm and takes the wrong containment action can create a hazardous condition. The asymmetry is what defines where the boundary should be.
The New Attack Surface AI Agents Bring
AI agents are not just software features. They are identities that hold credentials, take actions, and can chain decisions faster than a human reviewer can track.
That creates several new attack surface dimensions that OT security programs need to account for:
- Agents typically hold API tokens, service account credentials, or privileged access to the systems they work with. A compromised agent is a compromised identity with whatever access that agent was provisioned.
- Prompt injection, where malicious content in logs, tickets, vendor documents, or other data the agent reads manipulates the agent's behavior, is a realistic attack path against AI agents that operate on untrusted input.
- Over-permissioned tokens turn one compromised agent into broad lateral access. This is the same problem as over-privileged service accounts in traditional environments, but amplified by the agent's ability to act autonomously.
- Speed becomes a threat property. An agent that can chain a sequence of actions in seconds compresses the time responders have to detect and interrupt a bad action sequence.
Guardrails Before AI Touches Anything Operational
The right sequence for AI adoption in OT is: establish the guardrails, then turn on the capability. Not the reverse.
Before any AI agent is given access to OT or OT-adjacent systems, these controls should be in place:
- Read-only first. No agent gets write access until read-only operation has been validated and monitored.
- Human approval gates on any state change. The agent recommends; the human approves.
- A clear, human-readable description of exactly what an approved action will execute: not a summary, but the actual action.
- Unique identity for each agent. No shared agent accounts, for the same reason you should not have shared human accounts in OT.
- Least privilege. The agent can reach only what it needs for its specific function.
- Credential expiry and rotation on a defined schedule.
- Full audit logging of every agent action.
- Sandboxed execution for anything that writes.
- An allowlisted set of permitted actions, defined in advance.
- A kill switch that operations can use immediately. Not a ticket to the vendor.
How to Evaluate Vendor Claims About AI in OT Products
AI is being incorporated into OT products quickly, and not all of it is clearly labeled or well-governed. When a vendor tells you their product uses AI to automatically respond to incidents, or to optimize process parameters, ask these questions before accepting any of it at face value:
- What can the agent write to? What can it only read?
- How are its identity and credentials managed, rotated, and audited?
- How are its actions logged, and can we replay them?
- How is access revoked if the agent's behavior becomes anomalous?
- What happens when the model is wrong, what does a failure look like, and who is accountable?
Vendors who cannot answer these questions clearly have not thought through the operational security implications of their AI features. That should inform how much you trust those features in your environment.
A Maturity Path That Respects the Process
A responsible AI adoption path in OT moves in defined stages, with each stage validated before proceeding to the next:
- Assist: AI supports analysts off-process: triage, documentation, enrichment. No AI writes to anything in the OT environment.
- Recommend: AI recommends actions to human operators, who execute them. The human remains on the action.
- Bound: AI executes a specific, bounded set of reversible actions with mandatory human approval gates. Scope and rollback are defined before this stage begins.
- Decide: Autonomous AI action in limited scope, only where consequence analysis specifically determines the risk is acceptable. This is a deliberate decision, not a default endpoint.
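As an added example that is not part of the article, the following Python policy gate encodes the guardrails above together with the Assist/Recommend/Bound/Decide stages: reads pass, writes are denied or routed to a named human depending on stage, anything with a physical consequence always stops at the human, and every evaluation is audited. The agent identifiers, action names and targets are constructed placeholders.

```python
# Added example, not code from the article: a policy gate between an AI agent and
# OT-adjacent systems. Action fields, stage handling and sample values are assumptions.
import json
from dataclasses import dataclass
from enum import Enum

Stage = Enum("Stage", "ASSIST RECOMMEND BOUND DECIDE")  # maturity path stages

@dataclass(frozen=True)
class Action:
    agent_id: str     # unique identity per agent; no shared agent accounts
    name: str         # must appear in the allowlist defined in advance
    target: str       # system touched; checked against the agent's scope
    params: dict      # exact parameters, rendered verbatim for the approver
    writes: bool      # does the action change state?
    reversible: bool  # is a defined rollback available?
    physical: bool    # could a wrong action have a physical consequence?

class PolicyGate:
    def __init__(self, stage, allowlist, agent_scopes, autonomous_ok=()):
        self.stage = stage
        self.allowlist = set(allowlist)          # permitted action names
        self.agent_scopes = agent_scopes         # agent_id -> targets it may reach
        self.autonomous_ok = set(autonomous_ok)  # cleared by consequence analysis
        self.killed = False                      # operations-owned kill switch; True denies all
        self.audit = []                          # every evaluation is recorded

    def evaluate(self, a):
        # Render the actual action, not a summary, so the approver sees what would run.
        render = json.dumps({"agent": a.agent_id, "action": a.name, "target": a.target, "params": a.params}, sort_keys=True)
        if self.killed:
            verdict, why = "deny", "kill switch engaged"
        elif a.name not in self.allowlist:
            verdict, why = "deny", "action not on the allowlist"
        elif a.target not in self.agent_scopes.get(a.agent_id, set()):
            verdict, why = "deny", "target outside the agent's least-privilege scope"
        elif not a.writes:
            verdict, why = "allow", "read-only action"
        elif self.stage in (Stage.ASSIST, Stage.RECOMMEND):
            verdict, why = "deny", f"no agent writes in stage {self.stage.name}"
        elif a.physical:
            verdict, why = "needs_approval", "physical consequence: a human holds authority"
        elif self.stage is Stage.BOUND and not a.reversible:
            verdict, why = "deny", "BOUND permits only reversible actions with rollback"
        elif self.stage is Stage.DECIDE and a.name in self.autonomous_ok:
            verdict, why = "allow", "limited autonomous scope cleared by consequence analysis"
        else:
            verdict, why = "needs_approval", "state change requires named human approval"
        self.audit.append({"agent": a.agent_id, "verdict": verdict, "reason": why, "action": render})
        return verdict, render
```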
Most OT environments should spend a long time in the Assist and Recommend stages. The temptation to accelerate comes from vendors, not from the process.
30-Day 'Do This Now' Checklist
- Inventory every AI agent, copilot, and automation that holds credentials or has network access that could reach OT or OT-adjacent systems.
- Strip each one to least privilege. Remove any permissions beyond what the current use case requires.
- Confirm that all agent actions are logged and that someone reviews those logs.
- Write the policy line in plain language: no AI-initiated writes to any process system without named human approval.
- Run one tabletop where an AI agent with vendor-tool access takes a wrong action at machine speed. Practice the detection and interruption.
Adopt at the Speed of Your Guardrails
The promise of AI in OT is real. So is the new attack surface it creates. Treat every agent like a privileged non-human identity — because that is what it is. Keep humans on the approval gate for anything physical. And adopt at the speed of your guardrails, not your vendors' roadmaps.
In OT, governance is not a constraint on innovation. It is the safety rail that makes innovation sustainable.