AI in OT security: what cryptographic identity changes for teams


(@nhi-mgmt-group)

TL;DR: NSA and CISA guidance on integrating AI into OT says organizations need strong authentication, integrity protection, and auditability because AI agents can make autonomous decisions with physical consequences, according to DigiCert. The trust model now has to follow the actor, not just the system, or operational automation becomes an identity problem.

NHIMG editorial — based on content published by DigiCert: The NSA and CISA Just Confirmed Why Intelligent Trust Matters More than Ever

Questions worth separating out

Q: How should security teams govern AI agents in OT environments?

A: They should govern AI agents as cryptographically identified actors with explicit lifecycle ownership, not as ordinary automation.

Q: Why do AI systems in OT require stronger identity controls than normal automation?

A: Because AI can change behaviour at runtime and influence physical outcomes, so static trust assumptions are too weak.

Q: What breaks when organisations rely on approval models built for human-paced operations?

A: They miss the fact that AI can complete decisions and actions before the next review cycle or human intervention point.

Practitioner guidance

  • Inventory AI-controlled OT trust paths: Map where AI systems influence sensors, setpoints, decision engines, and automation pipelines, then identify which identities sign those actions and which systems verify them.
  • Bind AI actions to cryptographic identities: Require certificates or signed assertions for AI agents, control services, and OT components so every material action has a verifiable origin and an auditable trail.
  • Make lifecycle events operational controls: Treat issuance, renewal, revocation, and expiration for AI and OT identities as production controls with owners, alerts, and rollback paths.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How the vendor maps PKI to AI agents, OT devices, and control systems in practice.
  • Operational examples of certificate issuance and renewal for AI-enabled production environments.
  • The article's own view of post-quantum readiness for identity foundations.
  • Product framing around lifecycle management and policy enforcement inside DigiCert ONE.

👉 Read DigiCert's analysis of AI trust requirements in operational technology →
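The second and third guidance points above, sketched as an added example that is not part of the original post or of DigiCert's material: a control service verifies a signed setpoint assertion from an AI agent, enforces the identity's lifecycle state, and records every decision. Assumptions: HMAC-SHA256 stands in for a certificate-based signature so the code runs on the standard library alone, and the registry, agent names, keys, and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Constructed identity registry (hypothetical agents, keys and validity windows).
# A real deployment would hold certificates and revocation data, not shared keys.
REGISTRY = {
    "agent-optimizer-01": {"key": b"demo-key-1", "not_before": 1000, "not_after": 2000,
                           "revoked": False, "allowed": {"set_setpoint"}},
    "agent-retired-02": {"key": b"demo-key-2", "not_before": 1000, "not_after": 2000,
                         "revoked": True, "allowed": {"set_setpoint"}},
}
AUDIT_LOG = []  # append-only trail of every decision, accepted or rejected

def sign(assertion, key):
    # Canonical JSON so signer and verifier authenticate the same bytes.
    body = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_action(assertion, tag, now):
    """Return (accepted, reason) and record the decision in AUDIT_LOG."""
    ident = REGISTRY.get(assertion.get("agent"))
    if ident is None:
        result = (False, "unknown identity")
    elif not hmac.compare_digest(sign(assertion, ident["key"]), tag):
        result = (False, "bad signature")
    elif ident["revoked"]:
        result = (False, "identity revoked")
    elif not ident["not_before"] <= now <= ident["not_after"]:
        result = (False, "identity outside validity period")
    elif assertion.get("action") not in ident["allowed"]:
        result = (False, "action not authorized")
    else:
        result = (True, "ok")
    AUDIT_LOG.append({"time": now, "assertion": assertion,
                      "accepted": result[0], "reason": result[1]})
    return result

def demo():
    a = {"agent": "agent-optimizer-01", "action": "set_setpoint",
         "target": "pump-7", "value": 42.5, "issued_at": 1500}
    tag = sign(a, REGISTRY["agent-optimizer-01"]["key"])
    return [verify_action(a, tag, now=1500),                    # valid identity and tag
            verify_action(dict(a, value=99.0), tag, now=1500),  # value altered after signing
            verify_action(a, tag, now=2500)]                    # identity has expired

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The sketch does not check assertion freshness, so a verifier built on it would also need to bound `issued_at` or track nonces to reject replayed assertions.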
