Agent Conflicts- When Multiple AI Systems Disagree in OT

 By Muhammad Ali Khan ICS/ OT Cybersecurity Specialist — AAISM | CISSP | CISA | CISM | CEH | ISO27001 LI | CHFI | CGEIT | CDCP

The Core Insight: The First Real AI Risk in OT Is Misalignment

Operational Technology is entering a phase few plants are prepared for: multiple autonomous AI systems making concurrent decisions over the same physical process. Not human versus AI, but AI versus AI.

Each system is individually “correct.” Each is optimized. Each is acting within its design envelope. And yet, the plant becomes less safe, less stable, and less predictable. This is a failure of coordination.

The industry has spent decades preparing for human error, device failure, and external cyber threats. What it has not named and therefore has not designed for is intra-machine conflict: situations where autonomous agents disagree silently inside an OT environment.

This is not hypothetical. It is already emerging in plants that combine:

  • AI-driven process optimization
  • AI-based anomaly detection
  • Autonomous cybersecurity response
  • Predictive maintenance and reliability agents

Each system sees a different truth, acts on a different clock, and enforces a different priority. The result is a new class of operational risk, one that does not look like an attack, a fault, or an alarm. It looks like a drift.

Defining the Conflict Types (This Is Where the Risk Actually Lives)

To reason about this problem, it needs names. Without names, it will be dismissed as “edge cases” or “integration issues.”

These are not integration problems. They are agent conflicts.

1️⃣ Optimization Conflict

What it is:
 Two or more AI agents optimize for different objectives over the same control surface.

Why OT is vulnerable:
 Industrial systems have competing truths baked into them — throughput, energy efficiency, equipment life, safety margin, and quality are not naturally aligned.

OT reality example:

  • A process optimization agent adjusts furnace temperatures to maximize yield and minimize energy usage.
  • A predictive maintenance agent observes rising thermal stress patterns and begins subtly lowering operational thresholds to extend asset life.

Neither system is wrong. Neither triggers an alarm.

But the control loop begins oscillating, temperature adjustments counteracted by protective corrections, creating micro-instability that operators struggle to diagnose because nothing is “broken.”

The plant doesn’t trip. It degrades.

Cybersecurity implication:
An attacker doesn’t need to inject commands, only influence one agent’s reward model and let the conflict do the damage.

2️⃣ Temporal Conflict

What it is:
Agents operate on incompatible time horizons while sharing authority over the same process.

Why OT is vulnerable:
ICS environments mix milliseconds, minutes, and months in the same decision space.

OT reality example:

  • A real-time control AI stabilizes pressure every 50 milliseconds.
  • A cybersecurity response agent correlates anomalies over hours and begins rate-limiting certain control actions.
  • A reliable AI plans maintenance over weeks and preemptively derates capacity.

Each agent is correct within its own timeframe. Collectively, they introduce latency, hesitation, and control uncertainty. The control system becomes indecisive.

Operators observe:

  • Slower response to disturbances
  • Controls that “feel soft”
  • Safety margins eroding without a clear fault

Cybersecurity implication:
Temporal desynchronization becomes an attack surface. Delayed responses are indistinguishable from cautious AI behavior.

3️⃣ Authority Conflict

What it is:
 Multiple agents believe they have final control authority, or none clearly does.

Why OT is vulnerable:
 OT architectures evolved with clear hierarchies: sensor → controller → operator. AI collapses those layers.

OT reality example:

  • A safety AI overrides a setpoint adjustment to preserve margin.
  • A production AI reasserts the adjustment to meet contractual throughput.
  • A cybersecurity AI inserts a compensating constraint to prevent perceived manipulation.

No alarm is raised. No override is logged as malicious. The system enters control contention, commands are issued, undone, and reissued. Operators see inconsistency, not failure.

Cybersecurity implication:
This is indistinguishable from a low-and-slow control attack, except it’s entirely self-inflicted.

Grounding This in OT Reality (Not Hypotheticals)

Plants fail quietly. They don’t explode, but they age badly.

Agent conflicts manifest as:

  • Increased nuisance alarms
  • Rising operator workload
  • Control loops that require manual “babysitting.”
  • Maintenance schedules that stop matching reality

Most dangerously, post-incident analysis finds no root cause, because each AI behaved as designed. Traditional safety models assume:

  • One decision-maker at a time
  • Clear escalation paths
  • Deterministic logic

Multi-agent OT systems violate all three.

The Cybersecurity Pivot (Without Forcing It)

This matters for cybersecurity because conflict is camouflage. In a multi-agent environment:

  • Malicious influence looks like disagreement
  • Degradation looks like optimization tradeoffs
  • Control interference looks like safety logic

Security teams will chase ghosts, tuning alerts, and adjusting thresholds, while the real issue is unmanaged agent interaction. Attackers don’t need zero-days. They need agent misalignment.

A New Concept: Multi-Agent Safety Debt

This risk deserves a name.

Multi-Agent Safety Debt

The cumulative operational risk is introduced when autonomous agents act independently within shared physical systems without explicit coordination, arbitration, or conflict resolution.

Like technical debt, it accrues quietly. Like safety debt, it compounds under pressure.
Unlike either, it is invisible to traditional monitoring.

Every new agent added “for resilience” increases complexity unless interaction itself is designed as a first-class safety concern.

Left unmanaged, safety debt converts into incidents — not spectacular ones, but expensive, reputation-eroding, regulator-attracting ones.

No Tools. Only Principles.

No product fixes this and no dashboard reveals it.What’s needed is a shift in how AI is designed into OT, not bolted on.

Design Principles for Agentic OT Systems

  1. Explicit Authority Hierarchies
     Every agent must know not just what it controls, but when it must yield.
  2. Conflict Awareness by Design
     Agents should detect disagreement, not just anomalies, and surface it to humans.
  3. Shared Safety Models
     Optimization, security, and reliability agents must reference the same safety envelope, not independent interpretations.
  4. Temporal Alignment Contracts
     Agents operating at different timescales must declare assumptions about latency and persistence.
  5. Human Legibility Over Autonomy
     If operators cannot explain why the plant is behaving a certain way, autonomy has exceeded safety.

Closing Thought

The next generation of OT incidents will not begin with alarms. They will begin with polite disagreement between machines.

No one will notice, until the system becomes fragile, the margins disappear, and the plant starts failing in ways that don’t make sense. This is not fear-mongering. Rather It’s pattern recognition.

Those who recognize agent conflict early will design safer systems. Those who don’t will spend years chasing problems that never quite reproduce.



Location: Texas, USA

Comments

Post a Comment

Popular posts from this blog

Agentic AI as a New Failure Mode in ICS/OT

Image
Industrial systems usually fail in predictable ways. A machine part gets stuck, a sensor provides incorrect data, a controller malfunctions, or a human makes an error. These problems are slow, easy to see, and well understood. Agentic AI changes this. When autonomous AI is integrated into ICS and OT systems, it introduces new types of failures that are unfamiliar and do not conform to traditional safety models. The risk isn’t that AI makes a bad choice; it’s that the system starts behaving in ways people don’t recognize or know how to fix quickly. Press enter or click to view image in full size Traditional OT Failures Are Linear Imagine a control room where an AI is continuously adjusting a compressor to keep it perfectly within operating limits. Each adjustment is technically correct and within safety thresholds. Operators see stable trends on their screens. Months later, vibration-related wear increases, bearings fail early, and no one can point to a single moment where something “we...
Read more

Agentic AI vs ICS & OT Cybersecurity

Image
  When Autonomous Decisions Meet Physical Consequences Industrial cybersecurity is entering an uncomfortable phase. For decades, ICS and OT security have been built on the assumption that humans remain  in control . The process was assumed to be simple: systems monitored, the tools alerted, and the security teams decided. Agentic AI challenges that assumption entirely. Unlike traditional automation or analytics, agentic AI doesn’t just observe or recommend. It  acts , sets goals and plans steps, and executes decisions across systems with minimal human intervention. In IT environments, that’s powerful, and in OT environments, it’s dangerous unless it’s handled correctly. The Reality of Traditional ICS/OT Cybersecurity Most traditional ICS and OT cybersecurity still works reactively. Alerts only appear after something abnormal has already happened. Engineers then have to investigate the issue manually. Decisions take time because of shift changes, approvals, and uncertainty...
Read more

Are You Ready for the 2026 OT Cyber Compliance Wave?

Image
  The clock is ticking. By 2026, industrial operators worldwide will face stricter OT cyber regulations. Fines, operational restrictions, and compliance audits will no longer be a distant threat; they will be a daily reality. Many companies think they’re prepared because they have the latest security tools. They’re not. Compliance isn’t just about technology; it’s about process, governance, and accountability . What the 2026 Rules Are Targeting While each country and industry has specific requirements, the trends are clear: Actionable Policies: Policies must define who can act, when, and how . Automated Reporting & Audit Trails: Manual logs won’t cut it; regulators expect evidence of real-time monitoring and response. Operator Competency & Training: Staff must understand their role in compliance, not just in operations. Integration Across Systems: IT and OT can’t operate in silos; compliance requires coordination. In short, technology alone will not pass the audit . Gov...
Read more