AI Governance · OT/ICS Security · Critical Infrastructure

AI governance and OT security for critical infrastructure

I develop research, frameworks, and assurance models for governing AI in high impact operational environments, with a focus on the electric sector, ICS/OT cybersecurity, and cyber physical AI risk. Author of AAIGF-E, the first control mapped AI governance framework built for the Bulk Electric System.

Cybersecurity GRC experience across smart city, critical infrastructure, and OT/ICS aligned environments, including governance work connected to a national smart city development program aligned with Saudi Vision 2030.

Presented accepted IEEE Scientific Sessions paper at ICCSDFAI 2026 in Istanbul, Türkiye. ACP Model published on SSRN as part of a growing research portfolio on AI governance, OT/ICS security, and cyber physical AI risk.

Suhail Ahmad Rana
AAIGF-E AuthorNIST AI Profile · NCCoEISA99 / 62443 ContributorOWASP Agentic AI ReviewerIEEE P3396 Working GroupIEEE and ISA Senior MemberAAISM · AAIA · CISM · CISA · CRISCISO/IEC 42001 Lead ImplementerISO/IEC 27001 Lead Auditor8 SSRN papers · 1,100+ views · 300 downloadsORCID: 0009-0008-5460-5001

AAIGF-E Framework

Full paper on SSRN →
111Controls
11Risk domains
7Lifecycle anchors
5Framework mappings

The Adaptive AI Governance Framework for the Electric Sector closes the governance gap that exists when AI systems operate inside the Bulk Electric System. No existing mandatory standard currently governs model integrity, adversarial threats, drift detection, or AI output influence on operators. AAIGF-E is a CIP overlay, not a replacement.

NERC CIPMITRE ATLASNIST AI RMFISA/IEC 62443ISO/IEC 42001
AAIGF-E Executive Brief — 4 page management overviewDownload PDF

Pilot AAIGF-E in Your Environment

AAIGF-E is available for research aligned pilot assessments with electric sector, OT/ICS, smart infrastructure, and critical infrastructure organizations.

Request an AAIGF-E Pilot Assessment

A pilot assessment can help identify AI governance gaps, map existing controls against AAIGF-E, and evaluate how AI related risks such as model integrity, drift, adversarial inputs, operator influence, monitoring, response, and recovery are addressed within current governance and compliance processes.

Electric utilitiesGrid operatorsOT/ICS asset ownersSmart infrastructure programsAI governance teamsCybersecurity and GRC teams

AAIGF-E Pilot Assessment Request Form

Use this short form to prepare a pilot assessment inquiry. When you submit it, the request will be securely sent through Formspree.

AAIGF-E Maturity Assessment

The AAIGF-E maturity assessment is being developed as a board oriented review model to help organizations evaluate AI governance readiness across lifecycle ownership, control coverage, assurance, monitoring, incident response, and recovery readiness.

01

Governance maturity snapshot

Summarizes current AI governance readiness and accountability across high impact AI use cases.

02

Control coverage mapping

Maps current governance and cybersecurity practices against AAIGF-E control expectations.

03

Board ready summary

Translates AI governance gaps into leadership level risk themes and recommended next steps.

Standards and Community Engagement

NIST

AI Profile and NCCoE Engagement

Participant in NIST AI Profile public discussions, including feedback related to AI governance, assurance, and critical infrastructure risk. Member of the NCCoE Manufacturing Sector Community of Interest for cybersecurity guidance related to manufacturing and OT environments.

ISA99 / 62443

Industrial cybersecurity standards activity

Participant in ISA99 related standards discussions, including JT 62443 06 activity. Submitted comments on ISA IEC 62443 SR 3.1 to SR 3.5 focusing on AI/ML security gaps, and contributed feedback on Security Level Representation options.

OWASP

Agentic AI security and governance

Reviewer and contributor to OWASP agentic AI security and governance work, with emphasis on AI risk scoring, assurance, and governance considerations.

Research and Publications

All papers on SSRN →
June 2026 · Accepted conference paper

Prompt Injection Through Operational Data Feeds: A Structural Governance Gap in OT Connected Agentic AI Systems

Accepted for presentation at the IEEE Scientific Sessions of the 2026 International Conference on Cybersecurity, Digital Forensics, and AI Applications in Istanbul, Türkiye.

April 2026 · SSRN

AAIGF-E: Adaptive AI Governance Framework for the Electric Sector

Presents a 111 control, 11 domain governance framework for AI systems in Bulk Electric System environments, mapped to NERC CIP, NIST AI RMF, MITRE ATLAS, ISA/IEC 62443, and ISO/IEC 42001.

Read →
May 2026 · SSRN

Operationalizing AI Governance in Bulk Electric Systems: A Control Level Gap Analysis of NERC CIP Using AAIGF-E

Maps AAIGF-E controls against NERC CIP to identify structural gaps in AI governance coverage within existing bulk electric compliance frameworks.

Read →
May 2026 · SSRN

Beyond Digital Adversaries: Extending MITRE ATLAS to Cyber Physical AI Attack Vectors in Critical Infrastructure

Proposes MITRE ATLAS extensions for adversarial AI attack vectors specific to cyber physical systems, OT environments, and critical infrastructure.

Read →
June 2026 · SSRN

Beyond MITRE ATLAS: Defining Adversarial AI Techniques for Industrial Control Systems

Develops a taxonomy of adversarial AI techniques for ICS and OT environments that fall outside current MITRE ATLAS coverage.

Read →
June 2026 · SSRN

The ACP Model: Operational Authority Drift in AI Enabled Industrial Systems

Published on SSRN with 42 views and 20 downloads in the current SSRN record. Introduces the AI Consequence Propagation model as a six stage explanation of how AI reliability degradation, authority drift, and weak governance interception points can create operational, safety, and governance risk in industrial environments.

Read →
January 2026 · SSRN

Adversarial Artificial Intelligence in Industrial Control Systems: A Consequence Oriented Gap Analysis of MITRE ATLAS

Examines consequence oriented gaps in MITRE ATLAS when applied to adversarial AI threats in industrial control system environments.

Read →
October 2025 · SSRN

AI Governance in Smart Grids and Industrial Automation: Integrating RAG with Framework Mapping

Explores how retrieval augmented generation interacts with AI governance requirements in smart grid and industrial automation contexts, including mapping across major AI, cybersecurity, and energy frameworks.

Read →
August 2025 · SSRN

Exploring the Role of RAG in Enhancing Cybersecurity GRC Frameworks

Examines how retrieval augmented generation can support cybersecurity GRC workflows, including compliance traceability, evidence retrieval, and control mapping.

Read →

Speaking and Engagements

Nov 2025

ISACA Astana Chapter and IIA Astana

ISO 42001: Artificial Intelligence Management System · Webinar

Delivered
Dec 2025

ISACA Riyadh Chapter

New ISACA Advanced in AI Audit AAIA Certification Plan · Chapter Technical Session

Delivered
Jan 2026

ISACA Atlanta Webinar Program

How to Audit AI Systems: Practical Steps for IS Internal Auditors · Webinar

Delivered
Oct 2026

ISACA Atlanta Webinar Program

AI Auditing in High Risk Industries: A Practical Approach Beyond ISO 42001 and NIST AI RMF · Webinar · Rescheduled from June due to IEEE Istanbul engagement

Upcoming
Jun 2026

IEEE Scientific Sessions, International Conference on Cybersecurity, Digital Forensics, and AI Applications

Prompt Injection Through Operational Data Feeds: A Structural Governance Gap in OT Connected Agentic AI Systems · Istanbul, Türkiye · Rescheduled from June due to IEEE Istanbul engagement

Upcoming
Jul 2026

Protect It All Podcast

Guest appearance on AI governance, OT/ICS security, and critical infrastructure · Podcast

Delivered

Research Aligned Advisory

A

AI governance reviews

Reviewing AI governance models, assurance controls, and gaps in high impact AI deployment plans for energy and industrial organizations.

B

OT/ICS AI risk workshops

Structured sessions on agentic AI risk, operational data trust, cyber physical threats, and assurance design for OT environments.

C

Framework mapping

Mapping AI governance requirements to NERC CIP, NIST AI RMF, ISA/IEC 62443, MITRE ATLAS, and ISO 42001 for utilities and asset owners.

For AAIGF-E pilot assessments, maturity reviews, framework reviews, and advisory engagements, inquire for scope and availability.

Research Impact

8Public SSRN papers across AI governance, OT/ICS security, RAG, adversarial AI, and cyber physical AI risk.
1,100+SSRN paper views across publicly available research outputs.
300SSRN downloads indicating early research and practitioner engagement.
1IEEE Scientific Sessions conference paper presented at ICCSDFAI 2026 in Istanbul, Türkiye.
NISTAI Profile public discussions and NCCoE Manufacturing Community of Interest.
ISA99ISA/IEC 62443 related comments including AI/ML gaps and Security Level Representation.
OWASPAgentic AI security and governance review contribution.

ACP Model Published

SSRN · Published Research

The ACP Model: Operational Authority Drift in AI Enabled Industrial Systems

The ACP Model introduces AI Consequence Propagation as a six stage model explaining how AI reliability degradation, authority drift, and weak governance interception points can create operational, safety, and governance risk in industrial environments.

Core Concept

Operational authority drift

The paper explains how dependency on AI outputs can exceed authorized decision boundaries without explicit reconfiguration, creating governance and assurance risk in industrial settings.

Research Direction

From AI failure to operational consequence

The model supports practical conversations about AI governance, human oversight, incident response, and control validation for AI enabled industrial and critical infrastructure systems.

Conference Highlight

Suhail Ahmad Rana presenting the ICCSDFAI 2026 paper beside the projected title slide
ICCSDFAI 2026 · Istanbul, Türkiye

Accepted paper presented at IEEE Scientific Sessions

Presented the paper “Prompt Injection Through Operational Data Feeds: A Structural Governance Gap in OT Connected Agentic AI Systems” at ICCSDFAI 2026 in Istanbul, Türkiye.

The presentation addressed OT connected agentic AI risk, operational data feed manipulation, and governance gaps affecting AI enabled critical infrastructure environments.

The certificate of participation confirms the paper presentation, co authorship with Dinara Kozhamzharova, and contribution to ICCSDFAI 2026.

Suhail Ahmad Rana presenting research on OT connected agentic AI risk at ICCSDFAI 2026
Presenting research on OT connected agentic AI risk and operational data feed manipulation.
Suhail Ahmad Rana standing in front of the ICCSDFAI 2026 conference banner in Istanbul
ICCSDFAI 2026 conference venue in Istanbul, Türkiye.
Suhail Ahmad Rana participating in an ICCSDFAI 2026 session discussion
Session engagement and technical discussion during the conference.
Suhail Ahmad Rana with conference participants at ICCSDFAI 2026
Professional engagement with conference participants and research community.

Selected Activity

Energy Digital Q and A forthcomingSSRN · 8 public papers · 1,100+ views · 300 downloadsACP Model · published on SSRNICCSDFAI 2026 · paper presentedProtect It All Podcast · upcoming guest appearanceISACA Atlanta webinar · rescheduled to Oct 2026NIST AI Profile · NCCoE · ISA99 / 62443 · OWASP engagement

Available for research aligned advisory work

If your work involves NERC CIP compliance, OT/ICS security, AI deployment at a utility, smart infrastructure assurance, or AI governance research, I would value a conversation.

For pilot assessment inquiries, please include:
  • Organization type and sector
  • AI system or use case context, if available
  • Relevant frameworks or compliance drivers
  • Whether the need is pilot assessment, maturity review, briefing, or framework mapping