How AI security gaps in energy create high-consequence risks

Guest/partner contributor
Posted on: 9 February 2026

Dario Perfettibile of Kiteworks highlights that most energy organisations are deploying AI into critical infrastructure without basic containment controls.

The recent Data Security and Compliance Risk: 2026 Forecast Report reveals that 91% of energy organisations lack network isolation for their AI systems. 

Think about that for a second. AI systems in critical infrastructure environments have unrestricted network access, in a sector explicitly targeted by nation-state adversaries.

Energy and utilities face a threat landscape that other sectors do not. Nation-state actors have demonstrated intent and capability to target energy infrastructure. The consequences of successful attacks extend beyond data compromise to physical effects: power outages, pipeline disruptions, grid instability.

AI systems embedded in these environments – whether for predictive maintenance, load balancing, grid optimisation, or anomaly detection – become high-value targets with high-consequence potential.

Energy's AI security gaps are severe and interconnected

Beyond the 91% lacking network isolation, 73% lack kill switches and 64% lack purpose binding. The sector cannot isolate AI systems from broader networks, cannot terminate them quickly when they misbehave, and cannot enforce limitations on what they are authorised to do.

This creates a compounding vulnerability: AI systems with broad network access, unlimited scope, and no emergency stop capability.

Consider the implications for grid operations. An AI system designed for load forecasting might have access to real-time grid data, historical patterns, and control system interfaces.

Without network isolation, that AI system can potentially reach across the operational technology environment. Without purpose binding, there is no technical constraint ensuring it only performs load forecasting.

Without a kill switch, there is no rapid way to terminate it if it begins behaving unexpectedly. An adversary that compromises or manipulates this system gains a foothold in critical infrastructure with broad lateral movement potential.

The governance-versus-containment gap

The report identified what it calls the governance-versus-containment gap. Organisations have invested in monitoring AI systems but not in stopping them.

Energy exemplifies this pattern in its most dangerous form. Organisations may have human-in-the-loop oversight and continuous monitoring, but these governance controls only allow observation.

When an AI system in an operational technology environment begins behaving unexpectedly, observation without containment means watching a problem develop without the ability to stop it.

The 15–20-point gap between governance and containment controls that the report identifies globally becomes potentially catastrophic in energy environments where AI connects to physical infrastructure.

AI vendor handling

The report found that third-party AI vendor handling is the top security concern across industries. For energy, which increasingly relies on vendor-provided AI for operations optimisation, predictive maintenance, and cybersecurity monitoring, this concern is particularly acute.

Only 36% of organisations have visibility into how vendors handle data in AI systems. Energy organisations deploying vendor AI into operational technology environments cannot see how those vendors' systems operate.

They cannot verify network isolation within vendor systems, cannot confirm purpose binding in vendor AI, and cannot ensure kill switch capability exists for vendor-provided tools. This is a problem.

AI anomaly detection gap

The AI anomaly detection gap leaves the energy industry blind to compromise. The report found that three in five (60%) organisations globally lack AI-powered anomaly detection.

For energy, where AI systems may be targets of sophisticated adversaries employing novel attack techniques, the inability to detect unexpected AI behaviour creates extended exposure windows.

Nation-state actors are patient; they may compromise systems and wait months before acting. Without anomaly detection, that compromise may go unnoticed.

The report also found that half (51%) of organisations run manual incident response playbooks. In energy environments where AI incidents may cascade quickly into operational impacts, manual response processes may be too slow to prevent physical consequences.

Training data security

The training data security dimension affects both AI systems and operational intelligence.

The report found that 59% lack encryption for training data. Energy AI systems trained on grid data, operational parameters, and infrastructure patterns represent significant intelligence value.

Unencrypted training data accessible to adversaries provides insight into how critical infrastructure operates, which is useful for planning future attacks even without immediate exploitation.

The report also found that three quarters cannot trace training data provenance. For energy, this means AI systems may be trained on data whose security classification and sensitivity are unknown.

Incident response

The incident response gaps are concerning for a critical infrastructure sector. Some 89% of organisations have never practised incident response with vendors and 87% lack joint incident response playbooks.

When a vendor AI incident affects operational technology (and in modern integrated environments, it will), energy organisations will improvise their response.

For critical infrastructure, improvised response during an active incident creates additional risk. The report also found that over half of organisations have not tested their recovery time and recovery point objectives.

Energy organisations do not know how long restoring AI systems will take until they are in the middle of an incident affecting grid operations.

Lack of reliable inventory

Almost three quarters (72%) of organisations cannot produce a reliable inventory of their software components. Energy organisations deploying AI systems cannot identify what components those systems contain.

The AI supply chain is even less visible than the software supply chain. When vulnerabilities are discovered in AI dependencies, energy organisations will scramble to determine exposure.

The report notes that there is no standard AI SBOM format and no widely adopted attestation framework for AI model supply chains. Energy organisations cannot demand visibility that the industry has not yet standardised.

The path forward requires energy to prioritise network isolation and containment controls immediately.

AI systems with any connection to operational technology environments should be isolated by default.

Kill switches should be implemented before additional AI systems deploy.

Purpose binding should constrain what AI systems can do to their authorised functions only. These controls should be non-negotiable prerequisites for AI deployment in critical infrastructure, not aspirational improvements to be addressed when resources allow.

The report projects that containment control gaps will narrow through 2026 but will not close.

Energy organisations cannot wait for industry norms to evolve. The sector is targeted by adversaries with nation-state capabilities and patience. AI systems deployed without containment controls represent attack surfaces that sophisticated adversaries will discover and exploit.

The uncomfortable reality is that energy organisations are deploying AI systems into critical infrastructure environments without network isolation, kill switches, or purpose binding.

In a sector where nation-state adversaries have demonstrated capability and intent, these gaps are not theoretical risks. They are operational vulnerabilities that defenders must assume adversaries are already exploring. The 91% network isolation gap is not a statistic; it is an attack surface.

About the author

Dario Perfettibile is the General Manager, EMEA GTM & Customer Operations at Kiteworks. In 2001, Dario co-founded totemo, a provider of secure electronic communication, and served as CEO for 15 years when the company was acquired by Kiteworks. He has over 25 years of experience in the enterprise software industry, with a focus on general management, finance, sales, and corporate development.
