Research

AI agents in critical infrastructure: hype vs. reality 2026.

Office building at night with a single person working late, the systems around them keep running unattended
POLAND · IRAN APTs · WATER UTILITYAI-ASSISTED, NOT (YET) AUTONOMOUS

"AI agents are taking down power grids", headlines like this appear almost weekly in 2026. But what's actually true? Are autonomous AI agents attacking critical infrastructure today, or are we mostly watching well-marketed panic? The honest answer is more uncomfortable than either extreme: the real incidents of recent months, from Poland's energy sector to Iranian APT campaigns to an AI-assisted attack on a water utility, show that AI has already measurably changed the threat landscape for infrastructure operators. At the same time, the leading OT security researchers are the ones warning against exaggeration. This post separates fact from hype, and shows what operators should do between NIS2, Germany's KRITIS umbrella act and the EU AI Act.

TL;DR

  • Documented reality: wiper malware and destroyed RTUs in Poland's energy sector, Iranian APTs against US water and energy utilities, an AI-assisted ICS attack on a water utility analyzed by Dragos.
  • Hype check: Dragos confirms, no fully autonomous agentic-AI attack on ICS/OT has been observed in the wild. Yet.
  • AI's real role today: accelerant, not autonomous perpetrator, recon, exploit development and malware generation at machine speed.
  • Regulation triples up in 2026: NIS2, KRITIS umbrella act, EU AI Act, AI in critical infrastructure must be governed, logged and stoppable.

The reality: these incidents are documented

Poland's energy sector: wiper malware and destroyed RTUs

In December 2025, attackers compromised OT and ICS systems in Poland's energy sector, hitting renewable energy installations, a combined heat and power plant and an industrial company. Entry came through vulnerable, internet-exposed edge devices; wiper malware was then deployed and remote terminal units (RTUs) were physically damaged. CISA documented the incident in February 2026 as a case study in OT security gaps.

Iranian APTs against water and energy utilities

In April 2026, CISA and the FBI jointly warned about Iran-affiliated APT groups attacking internet-exposed programmable logic controllers (PLCs) across US critical infrastructure sectors, including water/wastewater systems, energy and government. Some victims suffered operational disruption and financial damage. Not a science-fiction scenario, documented present.

The water utility: AI as attack copilot

Perhaps the most important case: Dragos analyzed an AI-assisted ICS attack on a water utility. In parallel, the Mexico case demonstrated that a single attacker using Claude Code and GPT-4.1 could compromise nine government agencies. The pattern: AI dramatically lowers the barrier to entry. A mediocre attacker with AI assistance now achieves what used to require a specialized team.

The hype check: what Dragos actually says

Now the twist most headlines omit: Dragos itself, arguably the most respected OT security company in the world, makes clear that fully autonomous agentic-AI attacks on ICS/OT environments have not been observed in the wild. No AI agent has independently shut down a turbine or taken over a substation.

The real 2026 threat looks different:

Anyone announcing "autonomous AI attacks on the power grid" today is exaggerating. Anyone ruling them out for the coming years is naive.

The flip side: AI agents as defenders, and as new risk

The same technology is available to defenders. AI agents already handle alert triage in SOCs, anomaly detection in OT networks and automated incident response, often the only way to scale given the chronic skills shortage in critical infrastructure.

But: every defensive AI agent is itself a critical component. An agent with access to control systems is a high-privilege attack target (see: confused deputy) and a potential source of failure. If you deploy AI agents in critical infrastructure, treat them like any other critical component:

  1. Hard permission boundaries, least privilege, no blanket admin rights on OT systems
  2. Complete monitoring, every agent action must be logged and auditable
  3. Mandatory kill switch, an agent that can't be stopped instantly has no place near control systems
  4. Realistic threat modeling, the agent belongs in the risk register, not just the innovation deck

For more on the identities and permissions behind AI agents, read our guide Non-Human Identities: 50 invisible identities per employee.

Regulation 2026: NIS2, KRITIS umbrella act and the EU AI Act

For European, and especially German, operators, the regulatory frame tightens threefold:

The regulators' message is consistent: AI in critical infrastructure is allowed, but only governed, documented and stoppable.

What operators should prioritize in 2026

  1. Reduce the attack surface. No internet-exposed PLCs and edge devices, nearly every documented incident started exactly there.
  2. Re-check OT/IT segmentation. Wiper malware like Poland's is only devastating where networks are flat.
  3. Add AI threat scenarios to risk management. AI-accelerated attacks shrink your response window, detection and response must scale with them.
  4. Govern your own AI agents. Inventory them, scope permissions, implement kill switches, before NIS2 auditors or attackers look first.
  5. Use regulation as a roadmap. Start the NIS2 gap analysis and AI Act classification now, not at the deadline.

Conclusion: between panic and naivety lies preparation

Autonomous AI agents independently hijacking power grids are still hype in 2026. AI-accelerated attacks on critical infrastructure are documented reality, from Poland to the US to Mexico. The gap between the two is closing faster than most would like. Operators who reduce attack surface now, add AI scenarios to their risk management and treat their own AI agents as critical components will be prepared, however fast "AI-assisted" becomes "AI-autonomous."

Next step: check this week which of your OT components are reachable from the internet. It's the question every one of these attacks started with. Elmoz maps what your agents and machine identities can actually reach.

Keep reading

Sources & further reading

Elmoz · Agent attack surface intelligence Jul 8, 2026