By Allan D - Editor, AI Security Wire
CISA Publishes AI Security Guidance for Critical Infrastructure
CISA has published new sector-specific AI security guidance for critical infrastructure operators. It is advisory in status but significant in scope: for organisations subject to CISA oversight in energy, water, transportation, or financial services, “advisory” tends to become “expected” faster than most compliance teams anticipate.
The guidance expands CISA’s AI-specific advisory portfolio with differentiated threat models by sector and a minimum security baseline that aligns with, and extends beyond, NIST AI RMF 2.0. What follows is a summary based on CISA’s published guidance, available in full on the CISA Artificial Intelligence topics page.
What’s In Scope (And What Isn’t)
The guidance applies to “AI-enabled critical systems”: AI components that directly influence or control critical infrastructure operations, or that inform decisions with potential safety or continuity implications. This includes:
- AI-assisted operational technology (OT) monitoring and anomaly detection
- Predictive maintenance systems in energy and transportation
- AI-driven demand forecasting in grid management
- Automated fraud detection in financial infrastructure
- AI-assisted threat detection in security operations
AI used purely for administrative functions (HR, internal communications) is explicitly out of scope. That’s a useful clarification, and it avoids the trap of treating every chatbot as a regulated asset.
Sector-Specific Threat Profiles
CISA doesn’t try to write one threat model for all sectors, which is the right call. The adversary interests and attack surfaces in energy look nothing like those in financial services.
Energy Sector
Primary threats: Nation-state actors seeking to degrade grid stability via AI manipulation; ransomware groups targeting AI-assisted control systems.
The scenario CISA highlights is worth understanding: AI systems used for grid balancing are trained on historical load data. Data poisoning attacks that introduce subtle biases in that training data could cause the AI to make systematically incorrect load predictions, triggering outages or equipment damage without any direct cyberattack on OT systems. No one touches a PLC. The AI makes a bad recommendation and the human follows it.
CISA minimum requirements: Adversarial robustness testing for AI used in grid balancing; air-gap or strict network segmentation between AI inference infrastructure and OT networks; human-in-the-loop requirements for AI recommendations affecting load above a defined threshold.
Water and Wastewater
Primary threats: Manipulation of AI-assisted chemical dosing or treatment process optimisation.
CISA minimum requirements: AI recommendations for chemical treatment parameters must be validated against hard-coded safety limits before execution. AI systems must not have direct write access to treatment control systems without human approval. This is the sector where the physical consequences of AI manipulation are most immediate and least reversible.
Transportation
Primary threats: Adversarial attacks on AI-based traffic management, flight scheduling optimisation, and rail signalling support systems.
CISA minimum requirements: AI outputs that affect routing or scheduling decisions must be logged in an immutable audit trail. Anomalous AI behaviour (outputs outside historical distribution) must trigger human review before implementation.
Financial Services
Primary threats: AI system manipulation for market advantage; fraud detection bypass by sophisticated adversaries.
CISA minimum requirements: Adversarial robustness testing for fraud detection models; monitoring for systematic patterns in fraud detection false negatives; model provenance documentation. The false negative monitoring requirement is notable; it catches manipulation that isn’t visible as model failure.
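The false-negative monitoring requirement is easier to see in code. The example below is added here and is not CISA's or the page's own code; it shows why per-segment monitoring matters: a model whose misses are being steered into one segment (a merchant category, a channel) can keep an aggregate miss rate that looks ordinary while that segment's rate multiplies. The case records, field names (`merchant_category`, `confirmed_fraud`, `flagged`) and thresholds are all constructed for the example, not a real schema.

```python
"""Added example: segment-level monitoring of fraud-model false negatives.
All data and field names below are constructed for illustration."""
from collections import defaultdict


def false_negative_rates(cases, segment_key):
    """Per-segment false-negative rate over confirmed fraud only.

    Each case is a dict with 'confirmed_fraud' (ground truth, e.g. from a
    later chargeback), 'flagged' (the model's decision) and the segment
    field.  Returns {segment: (fn_rate, confirmed_fraud_count)}.
    """
    fraud = defaultdict(int)
    missed = defaultdict(int)
    for case in cases:
        if not case["confirmed_fraud"]:
            continue  # legitimate transactions cannot be false negatives
        seg = case[segment_key]
        fraud[seg] += 1
        if not case["flagged"]:
            missed[seg] += 1
    return {seg: (missed[seg] / fraud[seg], fraud[seg]) for seg in fraud}


def overall_rate(cases):
    """Aggregate false-negative rate: the number a dashboard usually shows."""
    fraud = [c for c in cases if c["confirmed_fraud"]]
    return sum(1 for c in fraud if not c["flagged"]) / len(fraud)


def concentrated_misses(baseline, current, segment_key,
                        min_fraud=10, ratio=3.0, floor=0.05):
    """Segments whose current FN rate is at least `ratio` times the baseline.

    `floor` stops a segment with a near-zero baseline from alerting on a
    single miss; `min_fraud` skips segments too small to judge.
    Returns sorted (segment, baseline_rate, current_rate, fraud_count).
    """
    base = false_negative_rates(baseline, segment_key)
    cur = false_negative_rates(current, segment_key)
    alerts = []
    for seg, (rate, n) in cur.items():
        if n < min_fraud:
            continue
        base_rate = base.get(seg, (0.0, 0))[0]
        if rate >= ratio * max(base_rate, floor):
            alerts.append((seg, round(base_rate, 3), round(rate, 3), n))
    return sorted(alerts)


def make_cases(segment, n_fraud, n_missed, n_legit):
    """Constructed sample: n_fraud confirmed-fraud cases, of which the first
    n_missed were not flagged, plus n_legit legitimate transactions."""
    cases = []
    for i in range(n_fraud):
        cases.append({"merchant_category": segment,
                      "confirmed_fraud": True, "flagged": i >= n_missed})
    for _ in range(n_legit):
        cases.append({"merchant_category": segment,
                      "confirmed_fraud": False, "flagged": False})
    return cases


def demo():
    """Aggregate rate moves from 0.10 to about 0.145, but one segment's
    rate goes from 0.10 to 0.60; only the per-segment view flags it."""
    baseline = (make_cases("retail", 200, 20, 2000)
                + make_cases("card_not_present", 20, 2, 200))
    current = (make_cases("retail", 200, 20, 2000)
               + make_cases("card_not_present", 20, 12, 200))
    return (overall_rate(baseline), overall_rate(current),
            concentrated_misses(baseline, current, "merchant_category"))


if __name__ == "__main__":
    print(demo())
```

In practice the "confirmed fraud" label arrives days or weeks after the decision, so the comparison runs over closed windows rather than live traffic; the point of the check is that a systematic shift in where the misses land is a signal even when headline model metrics stay within tolerance.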
The Five Baseline Requirements
Across all sectors, CISA defines five minimum baseline requirements. These aren’t aspirational guidance; they’re the floor.
1. AI System Inventory
Maintain a complete inventory of AI systems meeting the scope definition, covering system function, data inputs, decision outputs, human oversight mechanisms, and responsible owner. Review and update at least annually and following significant system changes.
This sounds obvious. Most organisations don’t have it. If you’re not sure what’s in your inventory, that’s the starting point.
2. Threat Modelling
Each AI system in the inventory must have a documented threat model covering data poisoning risks for training and operational data, adversarial input risks at inference time, model integrity risks (unauthorised modification of weights), and inference attack risks if the model is accessible via API.
Notably, CISA doesn’t just ask for a threat model; it specifies the categories. Teams that have done generic threat modelling but haven’t addressed adversarial ML specifically will have gaps here.
3. Incident Response Integration
AI systems must be included in existing cybersecurity incident response plans. CISA specifies that AI-specific incident types (adversarial manipulation, data poisoning, model integrity failure) must have defined response procedures distinct from conventional cyber incidents.
The distinction matters operationally. A data poisoning incident doesn’t look like a ransomware incident. If your IR playbooks don’t cover it, you’ll improvise under pressure.
4. Human Oversight for High-Consequence Decisions
Here’s the line CISA draws explicitly: “human-on-the-loop” oversight (where humans monitor AI decisions retrospectively) is not sufficient for high-consequence contexts. For AI systems that can affect physical processes or safety-relevant decisions, CISA requires “human-in-the-loop” oversight where a human must approve before execution.
This will create friction with organisations that have deployed AI to accelerate decision-making. That friction is the point.
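The water, transportation and human-oversight requirements above describe the same control from three angles: a recommendation is checked against hard safety limits, compared with the historical distribution, and then waits for a human decision, with every outcome written to a tamper-evident log. The following is an added example of such a pre-execution gate; it is not code from CISA or from the page. The parameter name, its limits, the z-score threshold, the history values and the hash-chained log format are all assumptions made for the example.

```python
"""Added example: a pre-execution gate for AI recommendations in an OT
context.  Parameter names, limits and sample values are constructed."""
import hashlib
import json
import statistics
from datetime import datetime, timezone

# Constructed hard safety limits (min, max) for a hypothetical dosing parameter.
SAFETY_LIMITS = {"chlorine_mg_per_l": (0.2, 4.0)}
# Recommendations more than this many standard deviations from the
# historical setpoints are treated as outside the historical distribution.
Z_THRESHOLD = 3.0


class AuditLog:
    """Append-only log: each entry commits to the SHA-256 of the previous
    entry, so an edited or removed entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def gate(param, value, history, approver, log):
    """Screen one AI recommendation before it can reach a control system.

    Returns "reject" (outside hard limits; never shown as executable),
    "needs_review" (inside limits but outside the historical distribution;
    escalated instead of executed), "execute" (human approved) or
    "declined" (human refused).  Every outcome is logged.
    `approver(param, value) -> bool` stands in for the human-in-the-loop step.
    """
    record = {"ts": datetime.now(timezone.utc).isoformat(),
              "param": param, "value": value}
    lo, hi = SAFETY_LIMITS[param]
    if not lo <= value <= hi:
        record["decision"] = "reject"
        log.append(record)
        return "reject"
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    z = abs(value - mean) / sd if sd > 0 else 0.0
    record["z"] = round(z, 2)
    if z > Z_THRESHOLD:
        record["decision"] = "needs_review"
        log.append(record)
        return "needs_review"
    record["decision"] = "execute" if approver(param, value) else "declined"
    log.append(record)
    return record["decision"]


def demo():
    """Three constructed recommendations: a normal one, one inside the hard
    limits but far from history, and one beyond the hard limit."""
    log = AuditLog()
    history = [1.0, 1.1, 0.9, 1.05, 0.95, 1.0, 1.1, 0.9]  # constructed setpoints
    approve_all = lambda p, v: True
    results = [
        gate("chlorine_mg_per_l", 1.05, history, approve_all, log),
        gate("chlorine_mg_per_l", 1.6, history, approve_all, log),
        gate("chlorine_mg_per_l", 6.0, history, approve_all, log),
    ]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    print(results, "log intact:", log.verify())
```

Two design points carry over to real deployments: the hard limits live in the gate, not in the model or its prompt, so a manipulated model cannot move them; and the "needs_review" path exists so that an unusual but in-range value reaches a human with the anomaly visible, rather than being silently executed or silently dropped.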
5. Supply Chain Verification
Third-party AI components (pre-trained models, ML libraries, training datasets) must be assessed for supply chain risk before deployment. Minimum: verify cryptographic hashes of model weights against supplier-published values; assess training data provenance for high-risk applications.
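The hash-verification minimum is mechanically simple but easy to get subtly wrong (hashing a partial download, comparing with `==`, ignoring files the manifest lists but the bundle lacks). The example below is added here and is not CISA's or the page's code; it streams SHA-256 over each file named in a supplier manifest and reports `ok`, `mismatch` or `missing` per file. The manifest format (`{"files": {path: hex_sha256}}`), the file names and the tampering step are constructed for the example.

```python
"""Added example: verifying downloaded model artefacts against a supplier-
published SHA-256 manifest.  Manifest layout and file names are constructed."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256 so multi-gigabyte weight files are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_manifest(manifest, base_dir):
    """Compare every file the manifest lists with what is on disk.

    Returns {relative_path: "ok" | "mismatch" | "missing"}.  A listed file
    that is absent is reported rather than skipped, and the digest comparison
    is constant-time.  The manifest itself must come from an authenticated
    source (the supplier's signed release page, not the same mirror as the
    weights); this function only checks the files against it.
    """
    results = {}
    for rel, expected in manifest["files"].items():
        path = os.path.join(base_dir, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
            continue
        actual = sha256_file(path)
        results[rel] = ("ok" if hmac.compare_digest(actual, expected.lower())
                        else "mismatch")
    return results


def all_verified(results):
    """Deployment decision: every listed file must be present and matching."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo():
    """Build a constructed bundle, verify it, then flip one byte in the
    weights file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        weights = os.path.join(tmp, "model.safetensors")
        with open(weights, "wb") as handle:
            handle.write(b"\x00" * 4096 + b"constructed weights")
        manifest = {"files": {
            "model.safetensors": sha256_file(weights),  # supplier-published value
            "tokenizer.json": "00" * 32,                # listed but not shipped
        }}
        before = verify_manifest(manifest, tmp)
        with open(weights, "r+b") as handle:
            handle.seek(10)
            handle.write(b"\x01")  # simulate a corrupted or modified file
        after = verify_manifest(manifest, tmp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tamper:", before, all_verified(before))
    print("after tamper: ", after, all_verified(after))
```

The check is only as strong as the channel that delivered the expected digests: a manifest fetched from the same untrusted mirror as the weights verifies nothing, which is why the guidance's wording is "supplier-published values".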
The NIST AI RMF Crosswalk
CISA has published an explicit crosswalk between its guidance and the NIST AI RMF 2.0 functions. Organisations implementing the full AI RMF satisfy the majority of CISA baseline requirements. CISA’s additions are primarily sector-specific and consequence-focused; the physical safety implications of AI failures in critical infrastructure are less prominent in the RMF’s technology-agnostic framing.
If your organisation has already worked through AI RMF implementation, you’re not starting from scratch. The delta is manageable. If you haven’t started at all, the sector-specific CISA worksheets (published alongside the guidance for energy, water, transportation, and financial services) are a more immediately actionable starting point than the full RMF.
Frequently Asked Questions
- Which AI systems fall under CISA's new critical infrastructure AI security guidance?
- CISA's guidance applies to AI-enabled critical systems: AI components that directly influence or control critical infrastructure operations or inform decisions with safety or continuity implications. This includes OT monitoring, predictive maintenance, grid demand forecasting, fraud detection, and security operations AI. Administrative AI tools such as HR or internal communications systems are explicitly out of scope.
- What does CISA require for human oversight of AI in critical infrastructure?
- CISA explicitly rejects 'human-on-the-loop' oversight (where humans monitor AI decisions retrospectively) as sufficient for high-consequence contexts. For AI systems that can affect physical processes or safety-relevant decisions, CISA requires 'human-in-the-loop' oversight where a human must approve the action before execution.
- How does CISA's guidance relate to the NIST AI RMF 2.0?
- CISA has published an explicit crosswalk showing that organisations implementing the full NIST AI RMF 2.0 satisfy the majority of CISA baseline requirements. CISA's additions are primarily sector-specific and consequence-focused, addressing physical safety implications of AI failures that receive less emphasis in the framework's technology-agnostic framing.