Preparing networks for the arrival of AI.
AI agents no longer just observe your industrial systems, they act on them. Prepare the network to deploy AI without losing control.
For years, industrial AI mostly stayed in observation: predictive maintenance, vision, dashboards. A new generation of agents is starting to go further: querying APIs, issuing commands, triggering processes. Adoption is only just beginning, but the direction is clear, and it gradually shifts the risk profile.
As these uses spread, agentic AI raises less a classic security problem than an architecture problem. No access policy or endpoint solution truly constrains an agent operating in the context of a legitimate user. The strongest guarantee, the one that does not delegate the constraint to the entity it is meant to control, remains the network. The right time to prepare the architecture is now, while deployment is still starting.
of European industrial firms are deploying AI in production in 2026.
Cisco, Industrial AI Readiness 2026
of enterprise applications will incorporate AI agents by end 2026, up from 5% in 2025.
Gartner, 2025
OWASP Top 10 for Agentic Applications: the risks are no longer content problems, they are architecture problems.
OWASP
The classic OT risks are documented: legacy protocols, flat networks, unpatchable equipment. Agentic AI adds three more, of a different nature.
Agentic means the act
An AI agent does not observe the network, it acts on it. It queries equipment, changes configurations, triggers processes. A badly issued command, a valve actuated out of sequence, a parameter changed without validation: the consequences are not corrupted data, they are operational incidents.
New technologies in old environments
OT has long lifecycles: automation gear meant to last twenty years, protocols designed before security was a concern. Inserting a recent, evolving, connected AI software layer creates a new attack surface that legacy OT is not equipped to absorb: unmanaged updates, software-supply-chain dependencies, model-specific vulnerabilities.
Traceability of actions
Who did what, on whose instruction, at what time? With an autonomous agent the causal chain grows complex, and existing system logs were not designed to capture that granularity. After an incident, reconstruction becomes laborious, and sometimes impossible.
An AI agent cannot take a network path that does not exist. If the connection between the segment where it runs and the target automation device is not established at the network level, escalation is impossible, whatever its application rights or its behavior after an update.
This is a guarantee of a different order. It holds even if the agent is compromised.
Microsegmentation defines what a segment can do: which equipment it reaches, read or write, on which protocols. Applied to AI, it produces an enclave: the agent can read a sensor, but cannot send a command to the automation device. That rule lives in the routing table, not in the agent's configuration, and it survives a model update.
Access Gate is a Zero Trust solution for industrial and operational environments. No agent on the equipment, no network reconfiguration, no production stop. In an AI deployment, it covers four functions.
Asset inventory and mapping
Visibility from day one: automation devices, sensors, HMIs, SCADA servers. The starting point for defining enclaves and interaction rules.
Granular enclaves
Logical network segments with precise flow rules: which equipment is reachable, read or write, on which protocols, during which time windows. Without physical rewiring.
Controlling AI interactions
Every flow between the AI enclave and the OT network passes through the Access Gate proxy: session authentication, authorization rules, activity recording. The agent reaches what it is authorized for, nothing else.
Audit and traceability
A complete trace of every session: identity, equipment contacted, commands issued, duration, results. Stored out of the agent's reach, usable by a SIEM or in forensic investigation.
Preparing networks for the arrival of AI.
What changes with agentic AI, the three risks for OT, and why the network remains the only guardrail. Eight pages, sourced.
Deploys in 3 weeks
Visibility from day one, enclaves at the pace of AI projects. No agent, no rewiring, no downtime. Production comes first.
AI stays useful
A prepared network does not stop AI from being useful. It stops it from being dangerous, and makes a progressive, documented adoption possible.
For the architecture that makes this possible, see OT network security and Zero-Trust access control.
Agentic AI and the industrial network
new risks to cover
Agentic AI refers to systems that no longer only observe, they act: they query APIs, issue commands, change parameters and trigger processes, without an intermediate validation step. Unlike a passive AI that produces recommendations a human then executes, an agent executes itself. In an industrial context this shifts the control point: the agent inherits the network rights of the user in whose context it runs.
Generative AI produces content, text, image or code, on demand. Agentic AI goes further: it chains actions to reach a goal, calling tools, APIs and systems. Generative AI responds, agentic AI acts. It is that capacity for autonomous action that changes the risk profile on an industrial network, because an agent that can reach an automation device can send it commands.
The most reliable constraint is the network, not the agent's configuration. You isolate the AI deployment in a microsegmented enclave whose interactions with the OT are described and enforced at the network level: the agent reaches what it is authorized for, nothing else, and every flow is traced independently of it. Access Gate does this with no agent on the equipment and no production stop. If the network path does not exist, escalation is impossible, even if the agent is compromised.
A passive AI produced recommendations a human then executed. An agentic AI executes itself, and it inherits the network rights of the user in whose context it runs. If the agent can reach a PLC's HMI, it can send it commands. The human decision-maker leaves the loop, and with them goes the natural control point that existed until now.
An agent runs in the context of a legitimate user, with their credentials and session, and it is optimized to accomplish its task. Asking the agent, or the application layer, to constrain itself is delegating the constraint to the entity you are trying to control. Only the network imposes a limit that holds even if the agent is compromised: if the network path does not exist, escalation is physically impossible.
A VLAN segments broadcast traffic but does not control flows between segments with the necessary granularity. A device in one VLAN can still reach another if a route exists and no rule prevents it. Zero Trust microsegmentation inverts the principle: everything is denied by default, and each allowed flow is explicitly described, in the routing table rather than in the agent's configuration.
No. Access Gate deploys with no agent on existing equipment, no network reconfiguration and no production stop, as an overlay on the infrastructure in place. Visibility is available from day one, enclaves are built at the pace of AI projects. A typical deployment, mapping then AI enclave then progressive hardening, spans three weeks for a standard-sized site.
NIS2 requires documenting and controlling access to critical systems, including automated access. An AI agent acting autonomously must be controlled, traced and contained exactly like human access. Without network traceability independent of the agent, integrating AI into a NIS2, NERC CIP or audited environment remains a risk that is hard to document and defend.