Ready or Not, AI Agents Are Here for OT

Even without a sanctioned rollout, AI may be operating on devices with access to critical systems.


I’ve been hearing the same assumption in industrial circles for quite some time:

“AI hasn’t reached OT yet. We are careful not to enroll any AI tools in our environment.” 

While it’s true that most plants have not formally deployed AI agents inside cyber-physical systems (CPS) and operational technology (OT) environments, this doesn’t mean AI-related risk doesn’t apply to industrial control systems (ICS). Even without a sanctioned rollout, AI may already be operating on devices that have authorized access to critical OT systems and processes.

Modern AI tools can run locally, integrate with installed applications, and function within the permissions of the logged-in user. In industrial environments – where engineers routinely connect to SCADA dashboards, maintenance systems, and remote access portals – this detail matters.

The bottom line: AI does not need to be embedded inside a PLC or control application to influence operations. It only needs to operate within an account that already has access to such environments.

How AI on Authorized Endpoints Introduces Risk

Engineers and technicians are natural problem solvers. An employee might install a local AI agent on their device to help them automate reports, analyze logs, or simply to experiment with new technology. In other cases, AI capabilities may already be embedded within approved productivity software.

The key question is not why the agent is there – it’s what the device can access. An AI agent operates within the same authenticated session as the user. If the device already has authorized access to configuration interfaces, remote access portals, or operational dashboards, the agent inherits that same access.

Neither the employee nor the AI tool needs to be malicious for problems to arise. The risk comes from the inherited privilege. When an AI agent gains the same operational reach as a trusted user, its actions can affect systems far beyond the device itself.

The Real Risk of AI in OT

Industrial control systems are cyber-physical by design. Digital commands trigger mechanical movement, pressure changes, and energy release. When AI agents function inside OT environments using legitimate credentials, even well-intentioned actions can produce physical consequences.

Let’s consider two examples:

Scenario 1: When a Helpful Assistant Makes the Wrong Call

An engineer instructs an AI agent to help make his laptop run faster. The agent decides that removing large, unused files is the best way to improve performance and promptly deletes several folders.

What the AI cannot recognize is that some of the deleted files are not actually unused data. They live on a D: drive that is mapped to a network share reached through the engineer’s remote session, and they contain archived OT production records required for compliance reviews and operational investigations.

From the system’s perspective, deleting the files is a legitimate action. The engineer had permission to access the files, and they appeared inactive. But the AI agent lacks the operational context to understand that those records contained crucial historical production data.

No attacker took part in this incident – just a well-intentioned tool acting on authorized access without realizing the operational consequences.

Scenario 2: When Fixing One Problem Creates Another

After a routine software update, a technician suddenly loses the ability to connect to a remote engineering system needed for maintenance work. To resolve the issue quickly, she asks an AI agent for help restoring the connection.

The agent identifies the recent software update as the likely problem and recommends reverting to the system’s previous configuration. The technician removes the software update as recommended, and the connection returns.

But once again, the AI agent cannot see the broader context. The update it advised removing addressed a serious security vulnerability affecting remote connections. By rolling the system back, the endpoint becomes operational – but it is also exposed to the very risk the update was meant to prevent.

The New Reality of Shadow AI Access

The examples above illustrate a challenge many OT teams have yet to account for: Shadow AI access. Shadow AI access occurs when AI tools operate through legitimate pathways into operational systems, but without formal oversight or governance.

When AI operates through shadow access paths, it amplifies risk in three critical ways:

  1. Inherited Privilege at Machine Speed: If a technician has the permission to delete a file or roll back a patch, their AI assistant inherits that same reach.
  2. Lack of Operational Context: AI tools lack the safety-critical "why" behind OT security protocols. They prioritize the immediate digital task (like improving performance) without understanding the physical or regulatory consequences.
  3. Automated Scaling: Because AI tools function within the permissions of the logged-in user, well-intentioned changes can scale across connected SCADA dashboards and configuration interfaces in seconds.

Why Access Control Is the Most Effective Safeguard

While traditional OT security measures like perimeter defenses and asset detection remain essential, they cannot stop an AI agent that is already operating within an authenticated session.

In our new age of shadow AI access, the best safeguard is strong identity and access management built on zero-trust principles. Industrial organizations can begin by reinforcing core security practices outlined in frameworks such as ISA/IEC 62443. Least-privilege access, role-based permissions, and segmentation between zones and conduits all help limit the blast radius of both human error and malicious activity. 

These same controls can also help organizations govern the identities and permissions that AI tools inherit when operating within trusted user sessions, even as regulations work to catch up with new AI-driven risks.
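One concrete way to apply least privilege to an AI tool rather than to a human is to route every action the agent wants to take through a single policy gate, so that the agent’s reach is narrower than the session it runs in. The block below is an added example written for this article, not code from the original page or from any product; it models the two scenarios above. The tool names, the mapped drive letters, the scratch-directory allowlist and the sample paths are all assumptions constructed for illustration. The gate lets the agent delete only inside local scratch folders, refuses anything on a UNC path or a drive letter mapped to a share (Scenario 1), and classifies patch rollbacks as advise-only actions that a person must carry out (Scenario 2).

```python
"""Policy gate that scopes an AI agent's tools to what it can safely act on.

Added example, not code from the original article or any product it refers
to. Tool names, drive letters, paths and the update label are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: drive letters this workstation maps to network shares. In a real
# deployment this would be read from `net use` output or an endpoint inventory.
MAPPED_NETWORK_DRIVES = {"D:", "P:"}

# Only these local roots may be cleaned by the agent's "free up space" tool.
LOCAL_SCRATCH_ROOTS = (
    PureWindowsPath(r"C:\Users\engineer\AppData\Local\Temp"),
    PureWindowsPath(r"C:\Users\engineer\Downloads"),
)

# Tools the agent may only recommend, never execute; a human applies them
# after checking what the change would remove (e.g. a security update).
ADVISE_ONLY_TOOLS = {"uninstall_update", "revert_config"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_network_path(path: PureWindowsPath) -> bool:
    """True for UNC paths and for drive letters mapped to shares."""
    if path.drive.startswith("\\\\"):          # drive looks like \\server\share
        return True
    return path.drive.upper() in MAPPED_NETWORK_DRIVES


def check_delete(raw_path: str) -> Decision:
    """Allow deletion only inside local scratch roots, never on shares."""
    path = PureWindowsPath(raw_path)
    if not path.is_absolute():
        return Decision(False, "relative path; cannot tell what it resolves to")
    if ".." in path.parts:
        return Decision(False, "path traversal component '..' refused")
    if is_network_path(path):
        return Decision(False, f"{path.drive} is a network location, out of scope")
    for root in LOCAL_SCRATCH_ROOTS:
        try:
            path.relative_to(root)             # lexical containment check
        except ValueError:
            continue
        return Decision(True, f"inside local scratch root {root}")
    return Decision(False, "outside the allow-listed local scratch roots")


def gate(tool: str, **args) -> Decision:
    """Single choke point every agent tool call passes through."""
    if tool in ADVISE_ONLY_TOOLS:
        return Decision(False, f"{tool} is advise-only; a human must apply it")
    if tool == "delete_path":
        return check_delete(args["path"])
    return Decision(False, f"unknown tool {tool!r}")


def run_scenarios() -> list:
    """Constructed requests mirroring the two scenarios in the article."""
    requests = [
        ("delete_path", {"path": r"C:\Users\engineer\AppData\Local\Temp\build.log"}),
        ("delete_path", {"path": r"D:\Archive\2023\batch_records"}),    # mapped share
        ("delete_path", {"path": r"\\histsrv\prod_records\2024"}),        # UNC share
        ("delete_path", {"path": r"C:\Users\engineer\Downloads\..\Documents\x"}),
        ("uninstall_update", {"update": "assumed-security-update"}),
    ]
    return [(tool, a, gate(tool, **a)) for tool, a in requests]


if __name__ == "__main__":
    for tool, a, d in run_scenarios():
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {tool} {a} -> {d.reason}")
```

The design point is that the gate decides on the basis of where the target lives and what class of change is requested, not on the agent’s own judgement about whether a file is “unused” or an update is “the likely problem”. That is the operational context the agent lacks, encoded once, in a place the agent cannot bypass; the same pattern extends to any other tool the agent is given.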

Ultimately, the most pressing risk to the modern plant may not be the AI systems organizations choose to integrate, but the AI access paths that already exist.
