AI governance in energy and utilities.
Energy and utilities AI — grid management, predictive maintenance, demand forecasting, cybersecurity monitoring — operates in critical infrastructure where failures can have systemic consequences. The EU AI Act's critical infrastructure classification creates demanding governance obligations that most operators are still working to address.
The regulatory landscape
EU AI Act — critical infrastructure
AI used in the management and operation of critical infrastructure — electrical grids, water systems, gas networks, heating infrastructure — is classified as high-risk under Annex III. This applies to AI in SCADA systems, grid balancing tools, demand response AI, and infrastructure maintenance decision systems.
NIS2 Directive
The EU Network and Information Security Directive 2 creates cybersecurity governance obligations for essential entities, including energy operators. AI systems that affect the security or reliability of critical infrastructure create additional NIS2 compliance considerations.
Sector-specific regulation
Energy regulators including OFGEM (UK), AEMO (Australia), FERC (US), and national energy regulators across the EU are taking an increasing interest in the use of AI in regulated energy assets. Governance must address sector-specific regulatory expectations alongside general AI regulation.
Environmental and emissions reporting
AI systems used in emissions monitoring, environmental reporting, or carbon accounting must produce accurate, auditable outputs. AI-generated environmental data submitted to regulators requires the same governance rigour as other regulated reporting.
Where governance most often fails
Grid AI and distributional shift
AI grid management systems trained on historical demand patterns have encountered scenarios — extreme weather events, rapid renewable penetration changes, unexpected demand surges — outside their training distribution, producing unstable or incorrect outputs. Grid stability consequences can be systemic.
Predictive maintenance false negatives
Predictive maintenance AI that misses equipment failures in critical infrastructure — transmission lines, turbines, pumping stations — creates safety and supply continuity risk. In critical infrastructure, the costs of false negatives and false positives are asymmetric.
Cybersecurity AI in adversarial environments
AI security monitoring systems deployed in critical infrastructure are potential targets for adversarial attacks specifically designed to evade detection. Governance must address the security of the AI system itself as well as the security functions the AI performs.
Automated control systems without human oversight
Highly automated grid management and infrastructure control systems that remove meaningful human oversight create governance risk where AI errors can propagate to physical systems before humans can intervene. Human oversight mechanisms must be genuine, not nominal.
Key governance questions
Have you classified your AI systems against the EU AI Act Annex III critical infrastructure category — and assessed your deployer obligations for each?
For AI in operational technology and control systems, what human oversight mechanisms exist — and are they capable of genuine intervention before AI outputs affect physical systems?
How do you assess and test your AI systems for performance under conditions outside the training distribution — extreme weather, demand spikes, novel grid conditions?
What is the cybersecurity assessment for AI systems deployed in critical infrastructure — specifically, have they been assessed against adversarial attack scenarios?
Does your NIS2 compliance assessment cover AI systems that affect the security or reliability of essential services?
What is your AI incident response plan for a failure in an AI system controlling critical infrastructure — including escalation timelines and regulatory notification obligations?
Guidance and resources
AI in Your Supply Chain: Managing Third-Party AI Risk
When AI Goes Wrong: Building an AI Incident Response Capability
How to Audit Your AI Systems: A Practical Framework
What Is High-Risk AI? Full Annex III List