NIST: AI rules for critical infrastructure

NIST is developing a 'Trustworthy AI in Critical Infrastructure Profile' to align AI risk management with operational resilience and infrastructure security rather than only abstract ethics. The effort extends the AI Risk Management Framework into environments where AI failures could disrupt critical services and will affect how internal teams assign ownership, logging and escalation for AI systems. (industrialcyber.co)

The National Institute of Standards and Technology has started writing a new artificial intelligence rulebook for power plants, pipelines, factories and other critical systems. (nist.gov)

On April 7, 2026, the agency released a concept note for a “Trustworthy AI in Critical Infrastructure Profile,” a sector-specific guide built on its Artificial Intelligence Risk Management Framework. NIST said the profile is meant for operators using artificial intelligence-enabled tools in critical infrastructure environments. (nist.gov)

A profile in NIST’s framework is a tailored set of risk-management outcomes for a specific use case, not a new law. NIST’s Artificial Intelligence Risk Management Framework is voluntary, and the agency says profiles help organizations map current practices against a target state. (nist.gov)

Critical infrastructure is the federal label for sectors such as energy, transportation, water, communications and manufacturing, where a software failure can interrupt physical services. NIST’s concept note says the new profile will sit at the intersection of artificial intelligence, information technology, operational technology, industrial control systems, software development and cybersecurity. (nist.gov)

The document focuses less on abstract principles and more on operating discipline: who owns an artificial intelligence system, what gets logged, when humans intervene, and how incidents escalate. NIST says the profile should help organizations “harmonize and bridge” guidance across artificial intelligence and industrial environments. (nist.gov)

NIST’s examples are concrete. The concept note points to artificial intelligence agents for autonomous cyber incident response, and plant-monitoring systems that must be hardened against adversarial inputs and watched for operation outside verified conditions. (nist.gov)

The project lands as federal agencies keep adding artificial intelligence guidance for essential services. In 2024, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency issued cross-sector safety and security guidelines for artificial intelligence in critical infrastructure, and in late 2025 CISA joined international partners on guidance for owners integrating artificial intelligence into operational technology systems. (industrialcyber.co 1) (industrialcyber.co 2)

NIST is also expanding the machinery around its framework. The agency’s Artificial Intelligence Resource Center says it supports testing, evaluation, verification and validation work, and notes that Artificial Intelligence Risk Management Framework 1.0 is being revised. (nist.gov 1) (nist.gov 2)

For vendors, the draft signals the paperwork and engineering evidence buyers may start asking for: documented controls, tested guardrails, clear lines of responsibility and proof that systems fail safely. NIST said it is creating a community of interest to gather feedback before the profile is developed further. (nist.gov)

The immediate next step is consultation, not enforcement. But for operators putting artificial intelligence into systems that move electricity, water, freight or fuel, NIST has now defined the question in operational terms: what happens when the model is wrong. (nist.gov)
