Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI in OT security: what cryptographic identity changes for teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: NSA and CISA guidance on integrating AI into OT says organizations need strong authentication, integrity protection, and auditability because AI agents can make autonomous decisions with physical consequences, according to DigiCert. The trust model now has to follow the actor, not just the system, or operational automation becomes an identity problem.

NHIMG editorial — based on content published by DigiCert: The NSA and CISA Just Confirmed Why Intelligent Trust Matters More than Ever

Questions worth separating out

Q: How should security teams govern AI agents in OT environments?

A: They should govern AI agents as cryptographically identified actors with explicit lifecycle ownership, not as ordinary automation.

Q: Why do AI systems in OT require stronger identity controls than normal automation?

A: Because AI can change behaviour at runtime and influence physical outcomes, so static trust assumptions are too weak.

Q: What breaks when organisations rely on approval models built for human-paced operations?

A: They miss the fact that AI can complete decisions and actions before the next review cycle or human intervention point.

Practitioner guidance

  • Inventory AI-controlled OT trust paths Map where AI systems influence sensors, setpoints, decision engines, and automation pipelines, then identify which identities sign those actions and which systems verify them.
  • Bind AI actions to cryptographic identities Require certificates or signed assertions for AI agents, control services, and OT components so every material action has a verifiable origin and an auditable trail.
  • Make lifecycle events operational controls Treat issuance, renewal, revocation, and expiration for AI and OT identities as production controls with owners, alerts, and rollback paths.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How the vendor maps PKI to AI agents, OT devices, and control systems in practice.
  • Operational examples of certificate issuance and renewal for AI-enabled production environments.
  • The article's own view of post-quantum readiness for identity foundations.
  • Product framing around lifecycle management and policy enforcement inside DigiCert ONE.

👉 Read DigiCert's analysis of AI trust requirements in operational technology →

AI in OT security: what cryptographic identity changes for teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Cryptographic identity is now the trust layer for AI in OT. The guidance reflects a simple reality: if AI can act on physical systems, trust has to be anchored to something stronger than model output or network location. Identity, integrity, and auditability are the minimum controls that turn AI from an opaque decision source into a governed actor. For practitioners, that means the security model shifts from access to provenance.

A few things that frame the scale:

  • Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Which frameworks should teams align to when AI identities touch OT systems?

A: Teams should align AI identity governance to NIST Cybersecurity Framework 2.0, Zero Trust architecture principles, and AI risk controls where autonomous behaviour is involved. For OT, the practical test is whether identity, integrity, and auditability can be proven at the point of action.

👉 Read our full editorial: AI in OT needs cryptographic identity, not just automation



   
ReplyQuote
Share: