

AI Critical Infrastructure Policy


The critical infrastructure policy intersection is the governance boundary where AI regulatory frameworks meet critical infrastructure protection frameworks. The boundary is structurally significant because AI regulators have AI-specific authority but limited critical infrastructure jurisdiction, while CIP regulators have infrastructure authority but limited AI-specific capability. The intersection has no clear regulatory home in most jurisdictions, and the governance gap this produces is one of the substantive concerns that the analytical work elsewhere on the site develops.

The page addresses the institutional architecture, the specific governance gaps, the international dimension, and the work being done to address the intersection. The risk landscape that creates the policy need is covered in Critical Infrastructure Compromise. The analytical framework explaining why the threat calculus has shifted is developed in A Thousand Cuts. The engineering practice that bounds the risk is covered in OT/ICS Integration Controls. This page is the systematic governance analysis.


The Dual Jurisdiction Problem

AI governance and critical infrastructure governance operate as separate domains in most jurisdictions. The separation produces the foundational problem of the intersection.

AI regulators have authority over AI systems and their deployment. The EU AI Act creates the EU AI Office and national competent authorities with substantial AI-specific jurisdiction. The US lacks horizontal federal AI authority but has AI-relevant authority distributed across NIST, sectoral regulators, the FTC, and emerging executive branch coordination through the AI executive orders. The AI regulators have AI expertise, AI-specific frameworks, and authority over AI systems generally.

CIP authorities have jurisdiction over critical infrastructure sectors. In the United States this is CISA, which coordinates rather than regulates directly, together with the sector regulators; in the EU it is the member state CIP authorities designated under NIS2 and CER, supported by the European Union Agency for Cybersecurity (ENISA), which is an agency with technical and coordination functions rather than regulatory power; globally it is the sector-specific regulators. These bodies have infrastructure expertise, sector-specific frameworks, and authority over the operators of critical infrastructure.

The intersection sits between the two jurisdictions. AI deployed inside critical infrastructure operations engages both AI considerations and CIP considerations. Consumer and commercial AI agents whose aggregate behavior affects critical infrastructure engage AI considerations with CIP consequences, but typically without any CIP regulator having authority over them. AI components in the supply chain of CIP systems engage AI considerations through paths that CIP regulation does not address directly.

The dual jurisdiction problem produces specific operational realities. Critical infrastructure operators that deploy AI receive AI guidance from sector regulators whose authority over the AI dimension is not always clear. AI vendors whose products end up in critical infrastructure face little regulation specific to the AI-CIP intersection. The intelligence and law enforcement agencies that address nation-state threats to CIP face AI-mediated threats without AI-specific authority for response.


The US Framework Architecture

The US critical infrastructure framework operates through a multi-layer architecture that the AI dimension intersects with at multiple points.

The Presidential Policy Directive 21 (PPD-21) framework from 2013, succeeded by National Security Memorandum 22 (NSM-22) in April 2024, identifies 16 critical infrastructure sectors and assigns Sector Risk Management Agencies (SRMAs) responsible for sector-specific risk management; CISA itself serves as SRMA for several of them. The sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials, and waste, transportation systems, and water and wastewater.

CISA serves as the national coordinator for critical infrastructure security and resilience. CISA operates the National Risk Management Center, the Joint Cyber Defense Collaborative, and substantial cross-sector coordination infrastructure. CISA's AI-specific work has been expanding through the Roadmap for Artificial Intelligence and adjacent initiatives, but CISA's authority is primarily coordination rather than direct regulation.

Sector Risk Management Agencies engage with AI at varying levels of capability and authority. The Department of Energy has substantial AI engagement for the energy sector. The Treasury Department, as SRMA for financial services, coordinates with the prudential regulators, including the OCC (a Treasury bureau) and the Federal Reserve Board, which is independent of Treasury. HHS engages healthcare AI through FDA and CMS. DHS, through TSA and the Coast Guard, shares the transportation systems sector with the Department of Transportation as co-SRMA. The variance produces inconsistent treatment of AI-CIP issues across sectors.

Sector-Specific Plans, ISACs, and the broader sector coordination infrastructure produce sector-level coordination on AI-CIP issues. The infrastructure is uneven across sectors with some highly developed (financial services through FS-ISAC, healthcare through H-ISAC) and others less developed.

The intersection with the AI executive orders and Congressional AI proposals adds another layer. Executive Order 14110 on AI (October 2023) included specific provisions on AI in critical infrastructure, including directing SRMAs to assess AI risks in their sectors; it was rescinded in January 2025, so the durability of the work it initiated depends on successor executive actions and on the NSM-22 architecture that remains in place. The Congressional AI legislation that has been proposed includes various CIP provisions; the legislative path remains uncertain.


The EU Framework Architecture

The European Union framework operates through a different architecture that combines AI-specific regulation with critical infrastructure-specific regulation.

The Network and Information Systems Directive (NIS2, Directive (EU) 2022/2555), which entered into force in January 2023 with a transposition deadline of 17 October 2024, expanded the EU framework for cybersecurity of essential and important entities. The directive covers a substantial portion of the EU economy including critical infrastructure sectors. Its cybersecurity risk management requirements (Article 21) are technology-neutral, so they apply to AI components in covered entities as they do to any other component, without saying anything AI-specific.

The Critical Entities Resilience Directive (CER), adopted alongside NIS2, addresses physical and operational resilience of critical entities. The directive complements the cybersecurity focus of NIS2 with broader resilience considerations that reach AI deployment in critical infrastructure operations.

The EU AI Act intersects with both NIS2 and CER. AI systems used as safety components in the management and operation of critical infrastructure (Annex III of the AI Act lists critical digital infrastructure, road traffic, and the supply of water, gas, heating and electricity) qualify as high-risk and face the conformity assessment requirements covered in EU AI Act Conformity Assessment; AI used in critical infrastructure operations outside that safety-component role may not. The interaction between AI Act compliance and NIS2/CER compliance is being worked out through guidance from the European Commission and the relevant authorities.

ENISA serves as the EU cybersecurity agency with coordination and technical authority across member states. ENISA's AI-specific work has been substantial including publications on AI cybersecurity, threat landscapes for AI, and AI security in critical sectors.

The EU framework includes substantial member state implementation. NIS2, CER, and the AI Act all require national implementation that produces variance across member states. Operators in EU markets navigate both the EU framework and the specific member state implementation.

The Council of the EU and European Commission AI cybersecurity work continues to develop the framework. The combination of AI-specific regulation and CIP-specific regulation in the EU produces more integrated treatment than the US framework but with its own complexity from the dual-track structure.


Information Sharing Infrastructure

Information sharing among operators, regulators, and across sectors is foundational for CIP cybersecurity and has been adapting to address AI-specific dimensions.

Information Sharing and Analysis Centers (ISACs) provide sector-specific information sharing infrastructure. FS-ISAC for financial services, H-ISAC for healthcare, E-ISAC for electricity, ICS-ISAC for industrial control systems, and additional ISACs across sectors operate as established information sharing infrastructure. The ISACs have been incorporating AI-specific threat intelligence and the AI dimension of broader threats.

The Joint Cyber Defense Collaborative (JCDC) at CISA provides cross-sector and public-private coordination on critical cyber threats. The JCDC has engaged AI-specific threats through specific initiatives and the broader integration of AI considerations into cybersecurity coordination.

The Cybersecurity Information Sharing Act of 2015 (the statute is also abbreviated CISA, and is distinct from the agency) provides the US legal framework for information sharing, including liability protection for sharing conducted in accordance with the Act. The framework supports operator participation in information sharing infrastructure without creating excessive liability exposure.

Cyber threat intelligence sharing through STIX (the representation format) and TAXII (the transport protocol) and equivalent formats gives operators standard frameworks for representing and exchanging threat indicators. The core STIX vocabulary has no AI-specific object types; sharing communities represent AI-specific indicators through the format's extension mechanism and through conventional objects (indicators, attack patterns, malware), and those conventions are still settling as the threat landscape develops.

Private threat intelligence sharing through commercial vendors, industry consortia, and academic partnerships supplements the formal infrastructure. The private infrastructure has been particularly active in AI-specific threat intelligence given the velocity of AI threat evolution.

The structural difficulty in cross-operator AI threat detection is that patterns spanning operators are hardest to detect within any single operator's data. The information sharing infrastructure addresses the gap but with operational limits including timing delays, attribution concerns, and varying participation across operators.


The Intelligence Community Intersection

The intelligence community engagement with critical infrastructure protection has been substantial for nation-state threats and is extending to address AI-specific dimensions.

FBI, NSA, CIA, and other US intelligence community elements engage critical infrastructure protection through varied authorities and missions. The engagement includes threat warning to operators, joint advisories with CISA, and specific actions against documented threats. AI-specific threats from nation-state actors are increasingly part of this work.

The Foreign Intelligence Surveillance Act and related authorities permit intelligence collection against foreign threats with substantial implications for AI-CIP threat awareness. The intelligence collected supports threat advisories and operator warnings without typically being disclosed publicly.

The EU member state intelligence services and the broader EU intelligence coordination engage similar threats. At EU level, Europol's European Cybercrime Centre (EC3) coordinates law enforcement cyber intelligence and ENISA provides the technical and situational awareness layer, with national intelligence services participating through their own channels.

The NATO Cyber Defence Pledge and broader NATO cyber work address allied coordination on cyber threats including those reaching critical infrastructure. AI-specific NATO work has been expanding through the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn and related infrastructure.

Five Eyes and other intelligence sharing arrangements among allied nations include AI-relevant intelligence sharing. The arrangements operate at classification levels that limit broader visibility but produce operationally significant coordination on the highest-stakes AI-CIP threats.

The boundary between intelligence community work and regulatory CIP work involves substantial operational complexity. Intelligence-derived warnings reach operators through formal channels that protect sources and methods while providing actionable information. The operational integration has been developing through years of practice but the AI dimension adds new considerations.


International Coordination

International coordination on AI-CIP intersection is at early stage but developing through multiple channels.

G7 coordination on AI safety has included CIP-relevant elements. The G7 Hiroshima AI Process and successor frameworks have addressed AI in critical infrastructure as one of several focus areas. The coordination is policy-level rather than operational but shapes national action.

The Council of Europe Framework Convention on Artificial Intelligence, adopted in May 2024 and opened for signature in September 2024, is the first legally binding international AI treaty. The Convention includes provisions relevant to CIP without specifically focusing on it.

OECD work on AI policy and the AI Principles influences national approaches to AI-CIP intersection. The OECD AI Policy Observatory maintains comparative data on national AI policy with CIP-relevant elements.

UN coordination through the AI Advisory Body and the Global Digital Compact addresses AI governance with CIP-relevant considerations. The UN coordination operates at policy framework level with limited operational consequence.

Bilateral arrangements between major jurisdictions including the US-EU Trade and Technology Council and equivalent bilateral mechanisms address AI-CIP coordination on specific topics. The bilateral path has been more operationally productive than multilateral frameworks for specific coordination needs.

Industry-led international coordination through standards bodies and industry consortia supplements the government coordination. The bodies discussed in Standards Bodies contribute to the international landscape that operators navigate.

The aggregate international landscape is uneven and produces operational complexity for AI vendors and CIP operators operating across borders. The trajectory is toward more coordination but the pace is substantially slower than the AI deployment trajectory the coordination is meant to address.


The Federalism Dimension

The relationship between national, regional, and subnational authority shapes operational reality in ways that the national-level framework does not capture.

In the United States, the federalism dimension produces substantial variance. State autonomous vehicle regulation, state biometric privacy laws, state AI legislation, state critical infrastructure protections, and state attorney general enforcement all operate with substantial state-level authority. CIP-related state authority varies widely and the interaction with federal AI-CIP work is uneven.

In the European Union, member state implementation of NIS2, CER, and the AI Act produces variance across the member states. Some member states implement more aggressively; others implement minimally. The variance affects operators across the EU and shapes practical compliance.

In federated jurisdictions including Canada, Australia, and others, the federal-state-provincial division creates similar dynamics. AI governance and CIP governance both involve federal-subnational coordination that operates with its own complications.

The federalism dimension complicates international coordination because national-level commitments may not reflect operational reality at subnational levels. Bilateral arrangements between national governments may not bind subnational actors who exercise relevant authority.

For operators, the federalism dimension means that compliance with national-level frameworks may not address subnational-level requirements. Multi-jurisdiction operators implement practice that addresses both levels with substantial operational complexity.


The Governance Gap Specifics

Several specific gaps in the AI-CIP governance landscape have been documented through analysis and operational experience.

Gap: AI deployed inside CI operations
Why it exists: Sector regulators have CI authority with limited AI expertise; AI regulators have AI authority with limited CI authority.
Operational consequence: AI failure modes in CI operations may not be adequately addressed by either regulator; operators face uneven guidance.

Gap: Consumer AI affecting CI
Why it exists: Consumer AI is governed by AI regulators without CI authority; CI regulators have no authority over consumer AI.
Operational consequence: The aggregation dynamic from consumer AI to CI harm has no clear regulatory home.

Gap: AI component supply chain
Why it exists: Foundation model providers sit outside CI regulation and, apart from the EU AI Act's general-purpose AI obligations, largely outside AI-specific regulation.
Operational consequence: Supply chain compromise of AI components reaches CI through paths over which neither regulator has clear authority.

Gap: Sector regulator AI engagement
Why it exists: Sector regulators have varying AI capability; some highly developed, others minimal.
Operational consequence: Operators in heavily AI-using sectors face inconsistent requirements across the sectors they touch.

Gap: Cross-sector coordination on AI-CIP
Why it exists: CISA has coordination authority but limited AI capacity; sector ISACs vary in AI engagement.
Operational consequence: Cross-sector aggregation patterns are difficult to detect and respond to at the coordination level.

Gap: Intelligence-regulatory boundary
Why it exists: The intelligence community operates under different authorities than regulators; integration is complex.
Operational consequence: Intelligence-derived warnings on AI-CIP threats reach operators through limited channels.

Gap: International coordination
Why it exists: Bilateral and multilateral AI-CIP coordination is at an early stage with varying participation.
Operational consequence: Attacks that span jurisdictions, or attacker resources operating across borders, face a fragmented response.

Proposed Remedies and Their Prospects

Several specific remedies have been proposed to address the AI-CIP governance gap. The proposals face varying prospects and produce different operational implications.

Sector-specific AI guidance development by SRMAs and equivalent bodies is the most operationally tractable remedy. Sector regulators developing AI-specific guidance for their sectors addresses the gap without requiring new authority. The discipline has been expanding across sectors with varying speed and quality.

CISA capacity expansion for AI work is being pursued through specific initiatives and the broader CISA AI roadmap. The expansion produces incremental improvement in cross-sector coordination on AI-CIP issues without requiring new authority.

Dedicated AI-CIP authority at the federal level has been proposed in various forms. Some proposals would create a specific AI-CIP coordinating body; others would expand existing CISA authority; others would create new sectoral AI authority. The political path for new authority is uncertain.

Sector-specific AI mandates through SRMA action or congressional legislation could close specific gaps. Targeted mandates for AI in financial services, healthcare, energy, and other heavily-AI-using sectors have been proposed and partially implemented.

EU AI Act high-risk category expansion has been considered to cover additional AI uses in critical infrastructure. The trajectory has been toward expansion as deployment experience accumulates and gaps are identified.

Information sharing infrastructure expansion supports detection of cross-operator patterns that single-operator infrastructure cannot detect. The expansion has been ongoing through ISAC development and the broader Joint Cyber Defense Collaborative.

International coordination mechanisms specifically for AI-CIP have been proposed through G7, OECD, and other channels. The pace of international coordination is substantially slower than the AI deployment trajectory.

The aggregate trajectory is toward gradual gap closure rather than rapid resolution. Operators navigate the current period with deliberate compliance practice that anticipates likely directions rather than waiting for full resolution.


Practical Implications for Operators

For operators at the AI-CIP intersection, the governance gap produces several practical implications.

Multi-regulator engagement is the operational baseline. Operators with AI deployed in CI contexts engage AI regulators, sector regulators, CIP coordination authorities (CISA, ENISA, national equivalents), and where applicable intelligence community channels. The engagement requires sustained relationships and substantial coordination capacity.

Standards adoption supports compliance across the dual jurisdiction. ISO/IEC AI standards, sector-specific cybersecurity standards, NIST AI Risk Management Framework, and EU AI Act conformity assessment all combine to produce operational compliance that addresses multiple regulator expectations.

Information sharing participation supports threat awareness and demonstrates compliance discipline. ISAC membership, JCDC participation where applicable, and broader threat intelligence engagement all contribute to operational posture.

Documentation discipline supports compliance examination across the multiple regulators that may engage. Documentation that addresses AI considerations, CI considerations, and the intersection prepares operators for inquiry from any of the relevant authorities.

Anticipatory compliance practice prepares for likely regulatory directions. Operators that wait for full regulatory clarity face the risk of substantial retrofit when frameworks develop. Operators that implement practice consistent with likely directions face less disruption.

Incident response planning addresses the multi-regulator dimension. AI-CIP incidents engage multiple regulators with different reporting timelines, different evidence preservation requirements, and different post-incident expectations. The response planning anticipates this complexity.


The Reframe

The critical infrastructure policy intersection is one of the more consequential governance gaps in the agentic AI ecosystem. The dual jurisdiction problem between AI regulators with AI authority and CIP regulators with infrastructure authority produces specific gaps that affect AI deployed in CI operations, consumer AI affecting CI, AI component supply chain, sector regulator engagement, cross-sector coordination, intelligence-regulatory boundaries, and international coordination. The US framework operates through CISA coordination, Sector Risk Management Agencies, and the broader National Security Memorandum 22 architecture. The EU framework combines NIS2, the Critical Entities Resilience Directive, and the AI Act through ENISA coordination and member state implementation. Information sharing infrastructure including ISACs and the Joint Cyber Defense Collaborative supports cross-operator coordination. The intelligence community engagement adds another layer for nation-state threats. International coordination is at early stage but developing. The proposed remedies include sector-specific guidance, CISA capacity expansion, dedicated authority proposals, and information sharing expansion, with varying prospects and operational implications. Operators at the intersection navigate the gap through multi-regulator engagement, standards adoption, information sharing participation, documentation discipline, anticipatory compliance, and integrated incident response planning. The work of closing the AI-CIP governance gap is one of the substantive regulatory projects the agentic AI era requires.


Related Coverage

Governance | A Thousand Cuts | Critical Infrastructure Compromise | OT/ICS Integration Controls