CISA and the Australian Cyber Security Centre (ACSC), together with international partners, published joint guidance on December 3, 2025, that gives operational technology (OT) owners and operators a concrete playbook for securely integrating artificial intelligence into industrial environments. The 23-page document – titled "Principles for the Secure Integration of Artificial Intelligence in Operational Technology" – zeroes in on machine learning (ML), large language models (LLMs), and AI agents, outlining how to balance the efficiency gains from AI with the safety, security, and reliability demands of systems that control physical processes.

The Playbook's Core Principles

The guidance is structured around four action-oriented principles that move beyond high-level warnings and into operational reality:

  • Understand AI: Build organizational literacy around ML, LLMs, and agents. That means role-based training for engineers, operators, and security staff on failure modes like hallucinations, model drift, and data poisoning. Procurement teams should demand model provenance documentation, training data summaries, and known failure mode disclosures from vendors.

  • Assess AI Use in OT: Every AI pilot must start with a risk assessment that maps the model's data flows, touchpoints with control loops, and potential blast radius. Low-impact, reversible deployments with manual failovers and strict change control are the starting point. Data hygiene is critical – label data lineage, scrub sensitive telemetry before feeding it to third-party models, and avoid dumping unredacted engineering documents into LLM prompts.

  • Establish AI Governance: Governance extends existing OT change control into the AI domain. Maintain a model registry that records lineage, training data provenance, hyperparameters, retraining dates, and known failure modes. Contracts must require vendor model cards, explainability artifacts, and restrictions on using customer data for training. Continuous validation – both in CI/CD pipelines and in production – should detect drift, accuracy degradation, and adversarial inputs.

  • Embed Safety and Security: Human-in-the-loop (HITL) gates are non-negotiable for any action that could affect safety or availability. Immutable logging of model inputs, outputs, tool calls, and egress paths is required for forensics. Deterministic output validators and schema checks must scrutinize every AI-generated command before it reaches an actuator or database.

Where Windows Meets the Factory Floor

For Windows administrators who support manufacturing, energy, water, or transportation systems, this guidance lands squarely on familiar turf. Most modern HMIs, engineering workstations, and even many PLC programming environments run on Windows 10/11 or Windows Server. The same Active Directory, Group Policy, and endpoint security tooling that secures enterprise IT often extends into these OT-adjacent systems.

The guidance's emphasis on identity-first connectors, managed identities, and least-privilege access maps directly to Windows security capabilities. For example:

OT Control Windows Implementation
Managed identities for AI agents Azure AD managed identities or group-managed service accounts (gMSAs) on-premises
Least-privilege model access Just-in-time (JIT) privileged access via Microsoft Entra, or tiered admin models
Immutable logging of AI inputs/outputs Windows Event Forwarding with secured storage, or Azure Monitor Agent for hybrid logs
Sandboxed agent runtimes Windows Sandbox, Hyper-V isolated containers, or AppLocker/WDAC policies
Output schema validation Windows Defender Application Control (WDAC) can restrict what executables an AI agent can spawn; custom PowerShell validators can inspect schemas

Practical steps like enforcing credential hygiene for agent service accounts, segmenting OT-facing Windows servers from IT networks, and applying strict application whitelisting are table-stakes controls that directly reduce the risk of AI misbehavior in OT contexts.

From Pilot to Production: A Roadmap

The guidance doesn't assume organizations will go from zero to fully-autonomous AI overnight. It outlines a crawl-walk-run path that Windows admins in industrial roles can adopt immediately:

  1. Inventory and classify: Document all Windows-based OT assets and map potential AI insertion points. Classify each by safety criticality.
  2. Run a sandboxed pilot: Deploy a single AI model – for predictive maintenance or anomaly detection, for example – within an isolated Windows Sandbox or container. Enforce output verification via a simple PowerShell script that checks values against operational limits before triggering any action.
  3. Layer on governance: Create a lightweight model registry (even a SharePoint list or Azure DevOps wiki with required fields) and mandate that any model touching OT data provide a model card.
  4. Harden the full stack: Move from ad-hoc identity usage to managed identities or gMSAs. Turn on enhanced logging via Sysmon or Windows Event Collector. Integrate AI-focused alerts into existing SIEM dashboards.
  5. Red team and iterate: Adversarially test the model with unexpected inputs – including prompt injection attempts if the model accepts natural language queries. Measure how quickly your team detects and responds to abnormal model behavior.

How We Got Here

Industrial operators have been under pressure to adopt AI for years – predictive maintenance alone can cut downtime by double digits. But OT systems value availability and deterministic behavior above all else. Introducing a probabilistic technology like ML, or an agentic system that can chain unexpected tool calls, creates a direct tension with that safety culture. CISA and its allies have been publishing OT security guidance for over a decade, but the proliferation of LLMs in enterprise workflows made it inevitable that unvetted AI would start interacting with OT connectors and engineering tools. The new guidance fills that gap, explicitly calling out the need to treat AI as a component that changes the system-of-systems around control environments.

What to Watch Next

Vendor opacity remains the biggest obstacle. Many model providers still refuse to disclose training data provenance or internal safety testing, making it hard for operators to certify low-risk models for OT use. The guidance leans heavily on contractual levers – demanding transparency, audit rights, and explicit warranties – which will only work if operators collectively push back on black-box models. Expect follow-on sector-specific guides from agencies like TSA or DOE, and watch for regulatory frameworks that may mandate AI-specific risk assessments for critical infrastructure operators. In the meantime, Windows admins who support industrial environments should keep a close eye on CISA’s ICS advisories and begin piloting AI with the same conservative, safety-first posture they apply to any new control system.