
Jori VanAntwerp
For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.
Agentic AI in OT is moving into operational workflows faster than anyone is governing it. Every helpful agent is a credential you didn’t badge and an actor you likely aren’t watching. Here’s how to keep your own robots from becoming someone else’s.
The premise of the original Mega Man is quietly brilliant. Dr. Light built a set of robots to do real work, construction, firefighting, cutting, all of them helpers designed for honest jobs. Then Dr. Wily reprogrammed them, and your friendly industrial robots became the Robot Overlords you have to fight your way through. The horror of it isn’t just that someone built a war machine, but that the war machines were the helpers all along. Every useful robot was one reprogram away from being pointed back at you.
That’s a remarkably good description of where agentic AI in OT is heading. We’re starting to put autonomous agents into operational workflows (note that we’re talking about “operational workflows” and not “OT processes”) because they’re genuinely useful. They monitor, they correlate, they take action, they save overstretched teams real time. None of that is bad. The trouble is that every one of those helpers is an identity, and almost nobody is governing them.
In practice, agentic AI in OT means autonomous software agents that can monitor, correlate, recommend, or take action inside operational workflows.
The Agentic AI Workforce You Cannot See
The scale of this is easy to miss because it happened fast. By some counts, autonomous agents already outnumber humans by something like 82 to 1, and most organizations have no consistent way to provision, track, or retire those non-human identities. Think about that ratio for a second. For every human you onboarded, badged, trained, and will eventually offboard, there are dozens of machine actors that got none of that treatment.
In an enterprise IT setting, that’s a serious identity problem. In OT, where these actors may sit close to systems that move physical things, it’s something more. An over-permissioned agent near process control is an unaudited hand on the controls. And because it was introduced to help, it doesn’t look like a threat. It looks like a helper doing its job, right up until it’s doing something it shouldn’t.
We badge the humans and forget the machines. We have decades of muscle memory around hiring, access reviews, and walking someone out the door when they leave. Yet we have almost none of that for an agent that was spun up in an afternoon, handed broad access so it could be useful (maybe even during a CEO’s weekend vibe-coding session), and then forgotten. Nobody collected its keycard, because nobody thinks of it as having one.
A Helper Is Just a Compromise Away From a Boss
Here’s the Wily problem applied to your process. The danger is more than a malicious agent someone sneaks in. It’s the legitimate, useful agent that gets compromised, misconfigured, or simply over-trusted, and then acts with all the access you gave it back when you only thought about what it could do for you.
An agent with standing credentials and broad permissions is an attractive target precisely because it’s trusted. Compromise the helper and you inherit its access without having to break anything. The same automation that made it valuable, the ability to act quickly and at scale across your environment, is exactly what makes it dangerous in the wrong hands. A reprogrammed Robot Overlord is more frightening than a random intruder because it was built with capability and handed the keys.
And this lands on top of an adversary already using automation on their side of the fight. The same kinds of tools are being used to scale reconnaissance, protocol analysis, and social engineering against industrial targets (Shieldworkz). Agents are showing up on both sides of the wall. That’s all the more reason to know exactly which ones are operating inside yours.
You Cannot Govern What You Can’t See
The way through this is to treat agents like what they are: actors in your environment that deserve the same scrutiny as any human or any device, if not more.
Inventory them like assets. You can’t manage a workforce you’ve never counted. Every agent operating in or near your OT environment is a thing that exists, talks on your network, and holds some level of access. It belongs in your asset picture alongside the PLCs and the workstations.
Scope them tightly and lock them down accordingly. The single most effective limit on a reprogrammed helper is how little it was allowed to touch in the first place. Least privilege may not be glamorous, but it’s the difference between a compromised agent being an incident and being a catastrophe. Retire the ones nobody uses, the same way you would revoke access for an employee who left.
Watch what they actually do. This is the part that ties everything together, and it’s where visibility earns its keep. In agentic AI in OT, an agent that starts behaving outside its normal pattern looks exactly like any other anomaly on the wire, if you’re watching the wire. Passive visibility into what’s actually talking in your environment doesn’t care whether the new or misbehaving actor is a human, a device, or an agent. It sees the conversation that doesn’t belong. That’s the layer EmberOT was built to provide, and it’s what lets you spot the helper that has quietly become a problem before it finishes the job.
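The three checks above (count, scope, watch) can be run against an agent inventory and passively observed flows. This is an added example, not code from the author or EmberOT. Every agent name, address and port in it is constructed, and the 90-day idle threshold is an assumption.

```python
from datetime import date

# Constructed sample data; every name, address and port is hypothetical.
INVENTORY = {
    "alarm-triage": {"owner": "ot-soc", "ip": "10.20.5.14",
                     "last_used": date(2025, 6, 20),
                     "allowed": {("10.20.1.10", 443)}},   # historian API only
    "report-bot":   {"owner": "", "ip": "10.20.5.15",
                     "last_used": date(2025, 1, 3),
                     "allowed": {("10.20.1.10", 443)}},
}
# Passively observed flows: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.5.14", "10.20.1.10", 443),   # in scope
    ("10.20.5.14", "10.30.0.7", 502),    # agent talking Modbus/TCP to a controller
    ("10.20.5.99", "10.20.1.10", 443),   # source nobody inventoried
]

def review(inventory, flows, today, max_idle_days=90):
    """Return sorted (subject, finding) pairs for the three checks."""
    findings = set()
    by_ip = {rec["ip"]: name for name, rec in inventory.items()}
    # Count: every agent needs an accountable owner, and idle ones get retired.
    for name, rec in inventory.items():
        if not rec["owner"]:
            findings.add((name, "no owner"))
        if (today - rec["last_used"]).days > max_idle_days:
            findings.add((name, "idle: retire and revoke"))
    # Scope and watch: compare what is on the wire with what was granted.
    for src, dst, port in flows:
        name = by_ip.get(src)
        if name is None:
            findings.add((src, "not in inventory"))
        elif (dst, port) not in inventory[name]["allowed"]:
            findings.add((name, f"out of scope: {dst}:{port}"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in review(INVENTORY, FLOWS, date(2025, 7, 1)):
        print(f"{subject}: {finding}")
```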
You’ve Got This
Agentic AI in OT is going to be genuinely good for defenders. The robots aren’t the villain. Ungoverned identity is. The fix isn’t to send the helpers away, but rather to treat them like members of your team operating in your environment that you can name, scope, and watch, the same discipline you already (hopefully) apply to people and devices.
Dr. Light’s mistake was never building the robots. It was not having a plan for the day one of them got turned around. You have that plan available to you right now. Count your helpers. Limit what they can reach. And keep an eye on what they’re actually doing, so that if one ever gets pointed the wrong way, you’re the one who notices first.
No noise. Just signal.
~Jori 🤘🔥
