Critical Infrastructure NIST AI RMF June 1, 2026

NIST's Critical Infrastructure AI Profile Has a Shadow-LLM Gap

NIST's new profile will govern AI agents and digital twins inside critical infrastructure. It won't stop your control room operator from pasting a substation diagram into ChatGPT today.

On April 7, 2026, NIST released a concept note for a new AI Risk Management Framework profile aimed squarely at critical infrastructure operators — the sectors where an AI failure has physical-world consequences.

That is a significant move. Until now, the AI RMF and its Generative AI Profile (AI 600-1) were cross-sectoral. The new effort, the AI RMF Trustworthy AI in Critical Infrastructure Profile, will be sector-aware. It explicitly extends the framework into Operational Technology and Industrial Control Systems environments — where the existing AI RMF was thin and where the surrounding regulatory regimes (NERC CIP and analogous sector cybersecurity standards) were never designed for an employee paste-into-ChatGPT problem.

Read the concept note PDF carefully and you'll see what the profile is actually targeting — and what it is not.

What the profile covers

NIST's framing is clean: critical infrastructure "will increasingly rely on technological advancements such as Artificial Intelligence (AI) across Information Technology (IT), Operational Technology (OT), and Industrial Control Systems (ICS)." The profile is being built to guide CI operators on the AI systems they DEPLOY into those environments.

The eight example AI use cases in the concept note are revealing:

Each of these is an AI system the utility, the water authority, the rail operator BUILDS or PROCURES and INSTALLS. The profile is going to address adversarial robustness across all lifecycle stages, deterministic behavior, graceful degradation, testing-evaluation-validation-verification (TEVV), and fail-safe operation — the engineering properties of AI systems sitting inside the ICS perimeter.

It will help your utility think rigorously about whether the AI in your SCADA estate is worthy of trust. That is genuinely useful work, and the comment period is the right place to push for crosswalks to existing sector cyber regimes.

What the profile does not cover

Look at that list again. Not one of those use cases is "a plant engineer pasting a substation one-line diagram into ChatGPT to ask why a relay is misbehaving." Not one is "an OT analyst dumping a PLC ladder logic export into Claude to refactor it." Not one is "a control room operator asking Gemini to summarize a 200-page incident report that contains BES Cyber System asset identifiers."

That is the gap. The Critical Infrastructure Profile, like AI 600-1 before it, is concerned with the AI you deploy. It is silent on the AI your employees use — informally, on their personal browser sessions, against third-party LLM providers that sit outside your Electronic Security Perimeter, outside your supply-chain risk management plan, outside any TEVV process you'll ever apply to an internal AI agent.

And that gap is the live operational risk today.

NERC CIP-013 requires every responsible entity to develop "documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems." The standard predates the modern LLM era. It does not contemplate that operational data flowing through your CIP-013 plan is being voluntarily sent to OpenAI, Anthropic, Google, or xAI by employees with a browser and a problem to solve.

NIST itself signals this gap in the concept note. The agency is soliciting input on "existing AI, cybersecurity, and other risk management policies and guidance that need to be reinterpreted to apply meaningfully to the use of AI in critical infrastructure" — and on "common questions, points of pain, and sources of confusion, contradiction, and ambiguity relating to the development and adoption of AI in critical infrastructure." The framework gap between sector cybersecurity regimes and modern AI usage is wide, and NIST knows it.

The two enforcement layers you need

The Critical Infrastructure Profile, when it ships, will give your AI program a vocabulary for the AI INSIDE the OT environment. You will be able to articulate what TEVV looks like for an AI-enabled valve controller, what graceful degradation means for an AI optimization layer riding on top of EMS, what adversarial robustness costs in a real plant.

That is layer one. It governs what you build.

Layer two governs what your employees PASTE. It is enforced at the browser, before the data ever leaves your network. It evaluates an outbound prompt against your organization's data classification policy, the destination model provider, the user's role, and the context of the request — then allows or blocks the submission in real time. It logs every attempt, gives the policy owner an immediate audit trail, and proves to your auditor that you have a control for the LLM ingress path that no AI RMF profile alone can give you.
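The decision flow described above, as an added example that is not Containment.AI's code or part of the original article: it classifies an outbound prompt, checks the destination and the user's role, returns allow or block, and logs every attempt. The classifier patterns, the `BCS-` asset-identifier format, the role names, the policy table and the `llm.internal.example` host are all assumptions made for illustration.

```javascript
// Added illustration: hypothetical policy model, not any vendor's implementation.
// Patterns are constructed; a real deployment maps them to its own classification policy.
const CLASSIFIERS = [
  { label: "bes-asset-id", pattern: /\bBCS-[A-Z]{2,4}-\d{3,6}\b/ },      // constructed ID format
  { label: "ladder-logic", pattern: /\b(?:XIC|XIO|OTE|OTL|OTU|TON)\(/ }, // rung instruction mnemonics
  { label: "one-line-diagram", pattern: /\b(?:one|single)-line diagram\b/i },
];

// Per-destination rules: labels blocked there, plus per-role exceptions.
const POLICY = new Map([
  ["chatgpt.com", { blocked: ["bes-asset-id", "ladder-logic", "one-line-diagram"], roleAllow: {} }],
  ["llm.internal.example", {                      // hypothetical approved internal endpoint
    blocked: ["bes-asset-id", "ladder-logic"],
    roleAllow: { "ot-engineer": ["ladder-logic"] },
  }],
]);

const auditLog = []; // stand-in for an append-only audit sink

function classify(prompt) {
  return CLASSIFIERS.filter((c) => c.pattern.test(prompt)).map((c) => c.label);
}

function evaluate({ user, role, destination, prompt }, now = new Date()) {
  const host = new URL(destination).hostname;
  const rule = POLICY.get(host);
  const labels = classify(prompt);
  let action = "block";
  let reason = "destination not in policy (fail closed)";
  if (rule) {
    const exempt = Array.isArray(rule.roleAllow[role]) ? rule.roleAllow[role] : [];
    const denied = labels.filter((l) => rule.blocked.includes(l) && !exempt.includes(l));
    action = denied.length ? "block" : "allow";
    reason = denied.length ? `blocked labels: ${denied.join(", ")}` : "no blocked labels";
  }
  // Every attempt is logged, allowed or not; the prompt text itself is never stored.
  auditLog.push({ time: now.toISOString(), user, role, host, labels, action, reason,
                  promptLength: prompt.length });
  return { action, reason, labels };
}

// Constructed sample submissions.
const samples = [
  { user: "a.ops", role: "operator", destination: "https://chatgpt.com/", prompt: "Summarize outage report for BCS-SUB-00417" },
  { user: "b.eng", role: "ot-engineer", destination: "https://llm.internal.example/chat", prompt: "Refactor: XIC(Start)XIO(Stop)OTE(Motor);" },
  { user: "b.eng", role: "ot-engineer", destination: "https://unknown-llm.example/", prompt: "What is a relay?" },
];
const decisions = samples.map((s) => evaluate(s));
```

Unlisted destinations are blocked by default, and the audit record keeps labels and prompt length rather than the prompt, so the log does not become a second copy of the sensitive data.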

Containment.AI is that second layer. Our browser extension and policy proxy sit between your workforce and the consumer AI surface — ChatGPT, Claude, Gemini, Microsoft Copilot, Grok, and Perplexity. The configured policy decides whether the content gets sent or blocked. The audit trail is real-time.

What to do this week

NIST has opened a Community of Interest for the Critical Infrastructure Profile. If your utility, water district, transit authority, hospital system, or telecom operator has live AI ingress risk today, this is the right comment period to participate in. Two specific asks worth raising:

  1. The profile should explicitly address shadow AI and employee LLM usage as a CI-specific risk surface — not only the AI systems the operator deploys.
  2. The profile should crosswalk to NERC CIP, TSA security directives, and the analogous sector cyber regimes so a single control library can satisfy all of them.

Do not wait for the final profile to ship to start enforcing. The horizon for the published profile is the right timeline for governance documentation. The horizon for keeping ICS configuration data and BES Cyber System identifiers out of public LLMs is today.

If you want to see what layer-two enforcement looks like in a real OT shop, we will show you in 30 minutes — book a demo at containment.ai.


Sources: NIST AI Risk Management Framework page; NIST AI RMF Profile on Trustworthy AI in Critical Infrastructure concept note (April 7, 2026); NIST AI 600-1 Generative AI Profile (July 26, 2024); NERC CIP-013 Cyber Security – Supply Chain Risk Management standard.
