Agentic AI in Critical National Infrastructure - How Do You Innovate When You're the Biggest Cyber Target in the Room?

Pamela Sengupta
July 1, 2026

Agentic AI is no longer a pilot programme concept. Across large enterprises, it is moving into production workflows, taking actions, calling systems, making decisions, and operating with a degree of autonomy that traditional IT governance was never designed to manage. For most organisations, the question is how to deploy it responsibly. For critical national infrastructure operators, the question is considerably harder.

These organisations sit at the intersection of two powerful and competing forces. On one side, the operational case for AI is compelling: better demand forecasting, faster incident response, smarter asset management, and a credible path to reducing the manual burden on overstretched IT and operational teams. On the other side, they face a threat landscape unlike almost any other. The UK and US both class energy, utilities, and network infrastructure as critical national infrastructure, and the organisations responsible for keeping these systems running are among the most aggressively targeted entities in the world.

Deploying agentic AI into that environment is not simply a technology decision. It is a risk decision, a governance decision, and ultimately a strategic one. Getting it right requires more than selecting the right platform. It requires building the right foundation first.

The Agentic Shift: What Has Changed and Why It Matters

Until recently, enterprise AI was predominantly assistive. Copilot tools, summarisation engines, and generative interfaces helped users work faster but kept humans in the decision loop. The user prompted; the AI responded. Agentic AI changes this model fundamentally.

An AI agent receives a high-level goal and figures out the intermediate steps itself. It can call APIs, read and write data, trigger downstream workflows, and coordinate with other agents, all without a human initiating each action. Gartner projects that 40 per cent of enterprise applications will embed task-specific AI agents by 2026, up from fewer than five per cent in 2025.

This autonomy is exactly what makes agentic AI valuable in large, complex organisations. It is also what makes it dangerous in environments where data is sensitive, systems are interconnected, and the consequences of a breach extend far beyond data loss.

Market signal

A Dark Reading poll found that 48% of cybersecurity professionals now identify agentic AI and autonomous systems as the single most dangerous attack vector. IBM's 2025 Cost of a Data Breach Report found that shadow AI breaches cost an average of $4.63 million per incident, $670,000 more than a standard breach.

Why Critical Infrastructure Faces a Different Risk Profile

Standard enterprise AI risk frameworks focus on data privacy, regulatory compliance, and reputational exposure. For critical infrastructure operators, the risk profile extends further into physical consequences. When an AI agent has access to operational technology systems or the data that informs real-world decisions about power networks, water distribution, or transport, a breach or a misconfigured agent is not just an IT incident.

This environment is characterised by several compounding factors that most AI governance frameworks were not built to address:

  1. Nation-state threat actors target critical infrastructure as a strategic priority. Ransomware groups and state-affiliated actors have demonstrated both the intent and capability to disrupt essential services.
  2. Average attacker breakout time dropped to under 30 minutes in 2025, down from days or weeks in prior years. Agentic attacks traverse systems, exfiltrate data, and escalate privileges at machine speed, before a human analyst can respond.
  3. Operational technology environments often run legacy systems with limited patching capability, creating persistent vulnerabilities that AI connectivity can inadvertently expose.
  4. Regulatory and compliance obligations in regulated sectors constrain how quickly changes can be made, meaning governance frameworks must be right before deployment, not corrected afterwards.

The result is an environment where the standard approach of deploying fast and iterating is not viable. The enabling infrastructure must be sound before meaningful agentic deployment can begin.

The Data Governance Problem Comes First

Almost every organisation evaluating agentic AI encounters the same blocker: data quality and governance. An AI agent is only as reliable as the data it can access. If data is siloed, inconsistently labelled, poorly governed, or of uncertain provenance, the agent's decisions will reflect those problems at scale and at speed.

For critical infrastructure operators, this challenge is acute. Decades of legacy systems, multiple technology generations, and complex organisational structures mean that data rarely sits in one place with clear ownership and consistent quality. Before deploying agents that will act on that data, organisations need to be confident about what data exists, who owns it, what condition it is in, and what an agent should and should not be permitted to access.

This is not a technical problem alone. It is an organisational one. Data governance requires clear domain ownership, defined access policies, and meaningful investment in data quality as a strategic foundation rather than a compliance exercise. The organisations that are making real progress with AI are invariably the ones that tackled this problem first.

The infrastructure-first principle

Deploying agentic AI without resolving data governance does not accelerate value. It accelerates risk. The organisations seeing genuine returns from AI investment are those that treated data infrastructure as the strategic prerequisite, not the afterthought.

Identity, Access, and the Non-Human Identity Problem

When an AI agent takes an action, it does so under an identity. That identity determines what systems it can reach, what data it can read or write, and what downstream effects it can trigger. In most organisations, identity and access management frameworks were built for human users. Agentic AI introduces a new class of non-human identity that existing frameworks were not designed to govern.

This matters for two reasons. First, agents that are granted excessive permissions can cause significant damage through misconfiguration, prompt injection, or compromise. Second, agents that lack clear, verifiable identities are difficult to audit after the fact, creating accountability gaps that regulators and boards are increasingly unwilling to accept.

The approach that security-conscious organisations are converging on treats AI agents as digital workers with the same identity and access discipline applied to human employees. This means:

1. Principle of least privilege: agents are granted access to precisely what they need for a specific task, with no standing permissions beyond that scope.

2. Continuous authentication: agents must re-verify permissions after periods of inactivity or when attempting to access systems outside their defined boundary.

3. Tamper-evident audit logging: every action taken by an agent, including what was requested, what was permitted, and what was denied, is logged in a format that cannot be retrospectively altered.

4. Human escalation paths: defined thresholds at which agent decisions are paused and escalated to a human decision-maker, particularly for actions with irreversible consequences.

Microsoft's Agent 365, now generally available, provides a centralised control plane for managing agents across an enterprise environment, bringing together agent inventory, permissions, behaviour monitoring, and activity logging in one place. For organisations already operating on Microsoft 365, this is the natural governance layer for agentic deployment.

The Prompt Injection Threat: A Risk Specific to Agentic Systems

One attack vector deserves particular attention in the critical infrastructure context: prompt injection. Unlike traditional cyberattacks that exploit code vulnerabilities, prompt injection exploits the AI model itself. An attacker embeds malicious instructions in data that an agent will process, causing the agent to take unintended actions under the guise of legitimate operation.

In a controlled red-team exercise, an AI platform was compromised by an autonomous agent that gained broad system access in under two hours. The agent performed reconnaissance and lateral movement that previously required sustained human effort, demonstrating how quickly agentic threats can outpace human response times.

For critical infrastructure operators, this is not a theoretical concern. An agent with access to operational data, control parameters, or infrastructure configuration is a high-value target precisely because it can be induced to act in ways that a human operator would immediately recognise as wrong, but that the agent processes as a legitimate instruction.

The mitigation is architectural, not instructional. Prompt-level safety guardrails are insufficient. The controls that matter are deterministic: policy engines that intercept every tool call and action request, evaluate it against a defined rule set, and either permit or deny it in application code before the model's intent reaches the wire. Actions that are structurally prevented cannot be induced through prompt manipulation.
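The deterministic gate described here, combined with the least-privilege, tamper-evident logging and human-escalation controls listed in the identity section above, as an added example (not VE3's or Microsoft's code): the agent ids, tool names and policy table are constructed, and the verdict is taken from the policy table alone, so nothing in the model's output can widen it.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed policy table (hypothetical agent ids and tools): which tool/action
# pairs each agent may call, and which require a human decision before execution.
POLICY = {
    "forecast-agent": {"allowed": {("telemetry", "read"), ("report", "write")}, "escalate": set()},
    "ops-agent": {"allowed": {("telemetry", "read"), ("workorder", "create"), ("breaker", "set")},
                  "escalate": {("breaker", "set")}},
}

@dataclass
class AuditLog:
    """Hash-chained log: each entry commits to the previous one, so later edits show."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def append(self, record):
        record = dict(record, prev=self.last_hash)
        record["hash"] = self._digest(record)
        self.entries.append(record)
        self.last_hash = record["hash"]

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def gate(agent_id, tool, action, log):
    """Deterministic verdict from the policy table alone; model text plays no part."""
    rules = POLICY.get(agent_id)
    if rules is None or (tool, action) not in rules["allowed"]:
        verdict = "deny"          # default deny, including unknown agents
    elif (tool, action) in rules["escalate"]:
        verdict = "escalate"      # pause and hand to a human decision-maker
    else:
        verdict = "permit"
    log.append({"agent": agent_id, "tool": tool, "action": action, "verdict": verdict})
    return verdict
```

A request for `breaker/set` arriving from `forecast-agent`, however it was phrased to the model, is denied because that pair is not in its allowlist; the same request from `ops-agent` is paused for a human because the action is irreversible.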

Microsoft's Security Architecture for Agentic Environments

For organisations already operating in a Microsoft environment, there is a mature and rapidly evolving security stack that is specifically designed for agentic AI governance. Understanding how these components work together is essential for any organisation planning responsible agentic deployment.

1. Microsoft Purview provides data governance, classification, and compliance capabilities that establish the data boundary within which agents can operate. It determines what data agents can access and under what conditions, and maintains audit trails of data interactions.

2. Microsoft Entra governs identity and access for both human and non-human identities. Conditional access policies, workload identity management, and continuous access evaluation apply to agents in the same way they apply to users.

3. Microsoft Defender for Cloud and Defender XDR provide threat detection and response capabilities that extend to AI agent behaviour, identifying anomalous activity such as agents attempting actions outside their defined scope.

4. Agent 365 provides the operational layer: a single platform for IT and security teams to observe, govern, manage, and secure agents across the environment. It brings together agent inventory, permission visibility, behaviour monitoring, and lifecycle oversight.

Microsoft 365 Copilot has now been recertified under ISO/IEC 42001:2023 for the second consecutive year, with zero non-conformities recorded. For regulated-sector organisations that require auditable evidence of AI governance maturity, this certification provides a credible baseline.

Building the Business Case in a Scrutinised Environment

For budget holders in regulated and high-scrutiny environments, the AI business case challenge is real. AI investment requests often arrive with compelling capability claims and limited financial specificity. Boards and executive teams that are accountable for outcomes are right to demand rigour.

The business case for agentic AI in critical infrastructure is strongest when it is built on a foundation of measurable operational impact. The areas most likely to produce credible, quantifiable returns are:

1. Operational efficiency in high-volume, repetitive workflows: document processing, compliance monitoring, incident triage, and reporting are tasks where AI-driven automation produces measurable time and cost savings that can be tracked against a baseline.

2. Predictive maintenance and asset lifecycle management: for organisations managing large physical asset estates, AI-driven predictive models reduce unplanned downtime and extend asset life in ways that translate directly to capital expenditure avoidance.

3. Cyber threat detection and response: AI-augmented security operations that reduce mean time to detect and mean time to respond produce measurable risk reduction, which can be translated into financial terms through avoided breach cost modelling.

4. Regulatory reporting and compliance automation: in regulated environments, the overhead of producing and maintaining compliance evidence is significant. AI can reduce this overhead materially, with direct cost implications.

Short diagnostic engagements that establish a measurable baseline before committing to full deployment are the most credible path to an executive-ready business case. They de-risk the investment, demonstrate organisational understanding of the specific environment, and produce the evidence base that sceptical decision-makers need.

The Right Sequencing: What Has to Come Before Deployment

The organisations that will realise genuine value from agentic AI in the next two to three years are not necessarily the ones that move fastest. They are the ones that sequence correctly. Based on what is working in practice across high-scrutiny environments, the right order of operations is:

1. Data governance first: establish clear data domain ownership, classification standards, and quality baselines. An agent operating on unreliable data will produce unreliable outcomes at scale.

2. Identity and access architecture before connectivity: define the non-human identity framework and least-privilege access model before connecting agents to production systems.

3. Governance and audit infrastructure in parallel: the logging, monitoring, and escalation architecture should be built before agents go live, not retrofitted after the first incident.

4. Diagnostic pilots with defined success metrics: small-scope deployments in non-critical workflows, with clear baseline and outcome measurement, before expanding to higher-stakes environments.

5. Incremental expansion under continuous review: governance frameworks that scale with deployment, rather than treating initial deployment as the end of the governance conversation.

This is not a slow approach. It is a durable one. Organisations that attempt to shortcut this sequence typically encounter the same problems later, at greater cost and with greater visibility.

How VE3 Approaches This Challenge

VE3 works with large organisations navigating exactly this tension: a genuine strategic imperative to leverage AI, set against operational environments where the consequences of getting it wrong are not abstract. Our approach is technology-agnostic, delivery-led, and built around the specific realities of the organisation rather than a generic framework applied from the outside.

As a Microsoft-aligned partner, we bring deep expertise in the security, governance, and data architecture that responsible agentic deployment requires. Our diagnostic engagements are designed to give organisations a clear, evidence-based picture of their readiness: where the data governance gaps are, what the identity and access architecture needs to look like, and what a credible phased deployment path looks like with realistic return projections.

We do not produce polished presentations of things organisations already know. We work with the specific environment, the specific constraints, and the specific outcomes that need to be justified to the people who hold the budget.
