Three Updates, One Quarter
The 2026 NERC CIP compliance landscape moved fast this spring.
CIP-003-9 enforcement began April 1, 2026, expanding governance requirements for low-impact BES Cyber Systems — specifically vendor electronic remote access and supply-chain risk management. Entities that hadn't updated their policies for low-impact environments had four months of notice.
CIP-012-2 takes effect July 1, 2026, strengthening protection of real-time operational data exchanged between control centers. Balancing Authorities, Reliability Coordinators, Transmission Operators, and Generator Operators need documented plans to mitigate risks of unauthorized disclosure, unauthorized modification, and loss of availability for that data — six weeks out.
CIP-015-1, approved by FERC Order No. 907 on June 26, 2025, established the first Internal Network Security Monitoring requirements for BES Cyber Systems. The September 2028 compliance deadline for high-impact and medium-impact systems in Control Centers sounds distant. Procurement cycles, implementation timelines, and OT deployment complexity mean it isn't — utilities evaluating OT security platforms today are on schedule; utilities waiting are already behind.
Those are the well-understood changes. Here's the one that isn't in the briefing packets.
The AI Tool Problem Nobody Is Briefing
CrowdStrike's 2026 Global Threat Report contains a finding that matters to utility CISOs: the company discovered more than 1,800 AI applications running across its customer environments, many of them deployed without security team approval. Employees across utilities are experimenting with AI tools and agents that may be operating near sensitive systems without governance.
That's a supply chain problem, a CIP-013 problem, and a CIP-011 problem simultaneously.
CIP-011 governs BES Cyber System Information (BCSI) — the universe of data that could give an attacker a material advantage against grid infrastructure. Configuration files, access lists, architecture diagrams, incident logs, patch status tables, audit evidence. Under CIP-011, entities must identify what constitutes BCSI, develop information handling procedures, and protect it from unauthorized access.
Commercial AI tools are not authorized repositories for BCSI. ChatGPT, Claude, Gemini, Microsoft Copilot — these tools process user input on external servers, may use it for model training depending on organizational settings, and generate logs that live outside utility control. When a compliance analyst pastes a firewall configuration excerpt to ask ChatGPT to summarize gaps, that excerpt is BCSI. When a security engineer uses an AI assistant to draft a CIP-010 change management report and includes baseline configuration details, that data left the Electronic Security Perimeter.
NERC auditors don't draw a distinction between deliberate disclosure and inadvertent disclosure. The standard asks whether BCSI was protected. If it wasn't, it wasn't.
Why This Happens
Utility compliance teams are under real pressure. The regulatory calendar is relentless. CIP-003-9, CIP-012-2, and CIP-015-1 are arriving in sequence. Audit cycles are tightening. The workload to maintain configuration baselines, document change management, run vulnerability assessments, and track supply chain obligations doesn't shrink when the standards update — it expands.
AI tools are genuinely useful for this work. Summarizing audit evidence. Identifying gaps in draft security plans. Cross-referencing asset inventories. Drafting incident response narratives. The productivity argument is real. The compliance argument is also real: none of that utility is worth anything if the process creates a CIP-011 exposure.
The core problem is structural. Enterprise AI tools deployed without governance controls operate on the honor system. Employees make judgment calls about what data is safe to paste. Those judgment calls are inconsistent, undocumented, and unauditable. When a NERC auditor looks at information handling evidence, "our employees know not to paste BCSI into ChatGPT" is not a documented procedure.
"When a North American Electric Reliability Corp. auditor asks why an AI system flagged one event but not another, 'the model determined it' is not documentation. It is an audit finding waiting to happen."
— Eric Swidey, Utility Dive (March 24, 2026)
Swidey was writing about AI security monitoring tools. The observation applies equally to AI productivity tools used by humans: if you can't document what your staff sent to an external AI tool, and whether that data included BCSI, you don't have an information handling program. You have an aspiration.
The CIP-013 Dimension
CIP-013 adds another layer. Supply chain cyber security risk management extends to the services vendors deliver and the data flows those services create. AI tools are services. When a utility's security team uses a commercial AI assistant configured to retain conversation history, the AI provider becomes part of the supply chain. When a compliance analyst uses an enterprise ChatGPT deployment with vendor data-sharing agreements that haven't been reviewed for BCSI exposure, that's a CIP-013 gap.
The CIP-013 requirement to assess vendor remote access and supply chain risk was already in place. CIP-003-9 expanded it to low-impact systems. The principle is consistent: utilities need to know what data their vendors can access, and they need to control it. AI tools operate as permanent on-ramps to vendor infrastructure. Uncontrolled, they're an unreviewed CIP-013 vendor relationship running through every browser on the compliance team's floor.
What Good Looks Like
The path forward isn't banning AI tools. Productivity gains are real and compliance teams are understaffed. The path forward is governance at the point of use — policy enforcement that operates before BCSI leaves the organization, with audit trails that can withstand NERC scrutiny.
Specifically, that means:
Real-time interception at the browser layer. The governance control needs to work where the risk lives — in the browser, at the point where an employee submits text to an AI interface. Browser-level enforcement intercepts submissions before they reach external AI servers, applies configurable policies (block, warn, or allow-with-log based on content classification), and generates contemporaneous audit records.
Policy defined by content type, not by tool. Blocking ChatGPT entirely is operationally untenable and doesn't address the AI tools approved next quarter. The effective control is content-level: flag or block submissions that contain patterns consistent with BCSI — IP addresses in private ranges, configuration syntax, asset identifier formats — regardless of which AI tool receives them.
Immutable audit logging. NERC CIP audit evidence requires documentation that can withstand scrutiny years after the fact. The same standard that applies to access authorization logs and change management records applies to AI usage logs. Cryptographically timestamped, tamper-evident records of what was submitted, when, by whom, and what policy action was taken.
These aren't aspirational capabilities. They're engineering requirements for any utility that takes CIP-011 information handling seriously in an environment where employees are already using AI tools.
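The content-level policy and tamper-evident logging described above, as an added Python example that is not from the original article or any product. The indicator patterns, the `BCS-XX-0000` asset-tag format, the mapping of indicators to block/warn/allow, and all function names are assumptions for illustration; the sample submissions are constructed.

```python
import hashlib, ipaddress, json, re

# Indicator patterns are assumptions; the BCS-XX-0000 asset-tag format is hypothetical.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATTERNS = {"config_syntax": re.compile(r"(?im)^\s*(access-list|ip route|interface|snmp-server)\b"),
            "asset_id": re.compile(r"\bBCS-[A-Z]{2,4}-\d{4}\b")}
GENESIS = "0" * 64  # "prev" value of the first record in the chain
# Constructed sample submissions (not real configuration data).
SAMPLES = ["Summarize gaps:\naccess-list 110 permit tcp 10.20.30.0 0.0.0.255 any eq 22",
           "Why can't my laptop reach 192.168.1.10?",
           "Draft a reminder about the CIP-012-2 effective date."]

def classify(text):
    """Return the sorted names of BCSI indicators found in a submission."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(text)}
    for m in IPV4.finditer(text):
        try:
            if any(ipaddress.ip_address(m.group()) in net for net in RFC1918):
                hits.add("private_ip")
        except ValueError:
            continue  # dotted number that is not a valid address, e.g. 999.1.1.1
    return sorted(hits)

def decide(hits):
    """Assumed policy: config syntax or asset IDs block, a lone private IP warns."""
    blocking = {"config_syntax", "asset_id"} & set(hits)
    return "block" if blocking else "warn" if hits else "allow"

def digest(rec):
    body = json.dumps({k: v for k, v in rec.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def submit(log, user, tool, text, ts):
    """Apply the policy to one submission and append a hash-chained audit record."""
    hits = classify(text)
    rec = {"seq": len(log), "ts": ts, "user": user, "tool": tool, "indicators": hits,
           "action": decide(hits), "prev": log[-1]["hash"] if log else GENESIS,
           "content_sha256": hashlib.sha256(text.encode()).hexdigest()}  # digest, not the text
    log.append({**rec, "hash": digest(rec)})
    return rec["action"]

def verify(log):
    """Return the index of the first record that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != digest(rec):
            return i
        prev = rec["hash"]
    return -1
```

A hash chain only exposes tampering to someone holding a trusted copy of the latest hash, so that head value has to be anchored outside the log writer's control. Trusted timestamping is not covered here; `ts` is supplied by the caller.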
NERC penalties for CIP violations routinely reach seven figures. CIP-011 information handling violations appear when auditors examine how utilities actually operate, rather than how security plans describe operations. The compliance program that documents everything except what employees type into ChatGPT has a meaningful gap.
CIP-003-9 enforcement started. CIP-012-2 is six weeks out. CIP-015-1 is on the two-year clock. The AI governance gap that runs through all three is the one that doesn't have a deadline — because nobody has written a standard for it yet. The utilities that close it proactively are the ones whose compliance programs will still look complete when auditors arrive.
Containment.AI enforces AI usage policies in real time at the browser and proxy layer — intercepting BCSI and other sensitive content before it reaches external AI tools, and logging every interaction with a tamper-evident audit trail.