
AI Agents and the Future of Critical Infrastructure
A quiet shift is underway: the most active “users” of the internet over the next few years may not be people at all. They’ll be autonomous AI agents—software systems that can plan, browse, negotiate, purchase, schedule, and coordinate with other agents to get outcomes, not just answers.
If you work in energy and utilities, this isn’t a Silicon Valley curiosity. It’s a preview of how digital infrastructure changes when machines become the primary operators. Utilities already run complex, distributed systems with strict reliability and safety requirements. An agentic web—where agents talk to agents—looks a lot like a modern grid: many actors, many constraints, and constant negotiation over scarce resources.
Here’s what matters most: the same capabilities that make AI agents efficient also expand the attack surface. And the same coordination that could simplify operations can also amplify failures. The utilities that prepare now—technically and operationally—will adopt AI automation faster without gambling with resilience.
What an “agentic web” really changes (and why utilities should care)
Answer first: The agentic web shifts online interactions from human-driven interfaces to machine-to-machine workflows, which forces new standards for identity, permissions, payments, and safety—exactly the things critical infrastructure depends on.
Researchers and security experts are increasingly describing a near-future internet where your “browser” isn’t a human clicking through pages. Instead, a user’s agent communicates with a vendor’s agent, pulling huge volumes of information, negotiating options, and executing transactions.
Dawn Song (UC Berkeley), a leading voice in AI security, frames it simply: today’s web is designed around human limits—screen space, attention, scrolling, comparison fatigue. Agents don’t have those limits. They can:
- Read and summarize thousands of documents in parallel
- Decide what they need next and fetch it automatically
- Negotiate with other agents programmatically
- Take actions (including purchases) using delegated privileges
Utilities should care because this is the same direction enterprise operations are heading. Replace “websites” with “grid assets,” “service providers,” and “market operators,” and the parallels get uncomfortable fast.
From web UI to machine contracts
In a human web, design is about menus and pages. In an agentic web, design becomes about contracts:
- Who is this agent?
- What is it allowed to do?
- How does it prove that?
- How are actions logged, billed, reversed, or disputed?
For energy and utilities, that maps directly to realities like switching orders, outage management actions, DER dispatch requests, or market bids. When agents execute, auditability and authorization are the product.
The protocols are the point: identity, permissions, and payments
Answer first: AI agents won’t scale safely without shared protocols for tool use, agent-to-agent communication, identity, and payment—and those same primitives will show up in utility operations platforms.
The RSS summary highlights emerging open protocols such as Anthropic’s MCP (tool use) and Google’s A2A (agent-to-agent communication). Whether these specific standards dominate is less important than the direction: the internet is moving toward interoperable agent ecosystems.
Song also calls out what’s missing but inevitable:
- Agent identity: knowing which agent you’re talking to, who owns it, and what it’s certified to do
- Agent payments: enabling automated transactions for services and outcomes
Utility translation: machine identity and “bounded autonomy”
In utilities, agent identity can’t be a nice-to-have. It becomes foundational to:
- Grid optimization workflows where an agent requests telemetry, forecasts congestion, and proposes switching plans
- Predictive maintenance where an agent orders inspections or spare parts based on condition-based signals
- Customer operations where an agent schedules service appointments, validates eligibility, and issues credits
But the winning pattern won’t be “fully autonomous.” It’ll be bounded autonomy:
- The agent can act freely inside tight constraints (time, money, operational envelope)
- Higher-impact actions require approvals (human or policy gate)
- Every step is logged for audit and rollback
This is where many early AI deployments go wrong: they focus on model accuracy and ignore the operational scaffolding.
Multiagent orchestration looks like a modern grid
A grid is already a system of systems—SCADA, OMS, ADMS, DERMS, EMS, work management, asset performance management, market systems. A realistic AI architecture in 2026–2027 will likely be multiagent by necessity:
- One agent manages field work planning
- Another monitors asset health and failure probability
- Another optimizes feeder-level constraints
- Another handles customer communications during outages
Coordination isn’t optional. It’s the feature.
Efficiency is real—but it’s not “free efficiency”
Answer first: AI agents can increase operational efficiency by compressing decision cycles and automating routine actions, but only if you redesign workflows around verification, escalation, and accountability.
The promise in the RSS content is clear: humans are the bottleneck. In energy operations, bottlenecks show up everywhere—storm response triage, asset prioritization, interconnection queues, switching coordination, and even basic customer service.
Here’s where agentic systems can deliver practical value in utilities without hype:
Demand forecasting and renewable integration
Agents are well-suited to tasks that require continuous ingestion of signals and fast re-planning:
- Pull weather updates, revise load forecasts, and propose dispatch adjustments
- Monitor solar and wind ramps and pre-stage flexible resources
- Coordinate with market data and constraint models to reduce imbalance costs
A strong agent doesn’t just produce a forecast; it produces a plan and updates it when conditions change.
Predictive maintenance that actually closes the loop
Many utilities have predictive models that flag risk but don’t consistently drive action. Agents can bridge the “last mile” by:
- Creating a work order draft with evidence attached
- Checking crew availability and required clearances
- Confirming parts inventory and lead times
- Scheduling outages within policy constraints
The outcome is less about fancy AI and more about reliable automation of tedious coordination.
Faster outage communications with fewer missteps
During major events (and December is a reminder—winter storms stress both grid and call centers), customer updates must be fast and consistent. Agents can:
- Draft updates aligned to OMS milestones
- Tailor messages by feeder or neighborhood
- Reduce call volume by proactively pushing accurate ETAs
But the guardrails matter: no agent should invent restoration times. If the OMS doesn’t know, the agent shouldn’t “sound confident.”
The security risk isn’t theoretical—agents widen the blast radius
Answer first: Autonomous agents expand the attack surface by combining access to sensitive data with authority to take actions, and attackers can manipulate them through prompts, tools, or other agents.
Song’s warning is blunt: autonomous agents operating on an open web with high privileges create unprecedented security risks. The core problem is simple:
When a system can both decide and do, mistakes and attacks become operational incidents.
For utilities, the obvious fear is “agents controlling the grid.” In reality, the near-term risk is broader and more mundane—and therefore more likely:
- Agents leaking sensitive data (customer PII, account details, internal procedures)
- Agents being tricked into taking actions outside intent (fraud, bad work orders, unsafe recommendations)
- Agents being used as a pivot point into internal networks through tools and integrations
Common agent failure modes utilities should plan for
- Prompt injection via untrusted content: An agent reads a document/email/ticket containing malicious instructions that override its task.
- Tool misuse: If the agent can call APIs (work management, procurement, customer account actions), a small error becomes a costly action.
- Privilege creep: Early pilots start with minimal permissions, then expand “temporarily,” and suddenly the agent can do too much.
- Shadow automation: Teams build agent scripts outside governance because “it’s faster,” creating untracked risk.
Secure-by-design is the only sane approach
Song mentions secure-by-design agent frameworks and the rise of automated red teaming (including multiagent red teams testing other agents). That’s exactly the posture utilities need.
A practical security checklist for agent deployments in energy and utilities:
- Least privilege by default: start with read-only; add write permissions only with explicit policy
- Action gates: require second-factor approvals (human or system) for high-impact steps
- Separation of duties: one agent proposes; another validates; a third executes
- Immutable logging: every tool call, input, and output is recorded for audit
- Data minimization: agents shouldn’t ingest raw PII unless the task truly requires it
- Rollback plans: treat agent actions like deployments—have a reversal path
If you can’t explain how an agent is prevented from ordering $500,000 of transformers at 2 a.m., it’s not ready.
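One way to make the "Immutable logging" item in the checklist above checkable is a hash-chained record of tool calls, sketched here as an added example that is not from the original article. The agent ID, tool names and asset identifiers are constructed, and the anchored head hash is assumed to be kept somewhere the agent's own credentials cannot write.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # "prev" value used for the first entry in the chain

def digest(prev: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

def append(log: list, agent_id: str, tool: str, tool_input: dict, tool_output: dict) -> str:
    """Append one tool call to the chain and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "agent_id": agent_id, "tool": tool,
              "input": tool_input, "output": tool_output}
    log.append({"record": record, "prev": prev, "hash": digest(prev, record)})
    return log[-1]["hash"]

def verify(log: list, anchored_head: Optional[str] = None) -> int:
    """Return the index of the first bad entry, len(log) if the chain is
    internally valid but does not end at anchored_head, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        rec = entry["record"]
        if entry["prev"] != prev or rec["seq"] != i or entry["hash"] != digest(prev, rec):
            return i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return -1

def build_sample_log():
    """Constructed tool calls for a hypothetical maintenance agent."""
    log = []
    append(log, "agent-maint-01", "read_telemetry",
           {"asset": "XFMR-EXAMPLE-1"}, {"oil_temp_c": 71})
    append(log, "agent-maint-01", "draft_work_order",
           {"asset": "XFMR-EXAMPLE-1"}, {"draft_id": "WO-EXAMPLE-1"})
    head = append(log, "agent-maint-01", "purchase_parts",
                  {"amount_usd": 1200}, {"status": "ordered"})
    return log, head
```

Without the anchored head, the chain only catches edits to earlier entries: dropping the newest entry, or rewriting it and recomputing its hash, still verifies as intact.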
A pragmatic roadmap for utilities adopting agentic systems in 2026
Answer first: Utilities should start with “closed-loop-but-contained” use cases, build governance and identity foundations, then expand autonomy only when monitoring and incident response are proven.
Many organizations approach AI agents as a product feature. Utilities should treat them as operators—digital workers with credentials, scopes, and supervision.
Step 1: Pick high-value, low-blast-radius workflows
Good early candidates share three traits: repetitive, measurable outcomes, and reversible actions.
- Drafting work orders from inspection notes
- Summarizing operational logs and producing shift handover reports
- Triaging customer emails and preparing responses for approval
- Generating switching plan options for engineer review
Step 2: Build identity and policy early
Before scaling, define:
- Agent identity standards (naming, ownership, certification)
- Permission tiers (read-only, propose, execute with approval, execute autonomously)
- Policy-as-code rules (what actions are allowed under what conditions)
This is where the “agentic web” lesson lands: protocols come before scale.
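The permission tiers and policy-as-code rules from Step 2, combined with the least-privilege and action-gate items of the earlier security checklist, can be expressed as a default-deny decision function. This is an added sketch, not code from the article or any utility platform; the action names, dollar limit, time window and agent IDs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import IntEnum
from typing import Optional, Tuple

class Tier(IntEnum):            # permission tiers, lowest to highest
    READ_ONLY = 0
    PROPOSE = 1
    EXECUTE_WITH_APPROVAL = 2
    EXECUTE_AUTONOMOUS = 3

@dataclass(frozen=True)
class Rule:
    required_tier: Tier         # lowest tier that may request the action at all
    auto_limit_usd: float       # most an agent may commit without an approver
    window: Tuple[time, time]   # local hours in which ungated execution is allowed

ALL_DAY = (time(0, 0), time(23, 59, 59))
POLICY = {                      # constructed rules; anything not listed is denied
    "read_telemetry":   Rule(Tier.READ_ONLY, 0.0, ALL_DAY),
    "draft_work_order": Rule(Tier.PROPOSE, 0.0, ALL_DAY),
    "purchase_parts":   Rule(Tier.EXECUTE_WITH_APPROVAL, 5_000.0, (time(7), time(18))),
}

@dataclass(frozen=True)
class Request:
    agent_id: str
    tier: Tier
    action: str
    amount_usd: float
    when: datetime
    approved_by: Optional[str] = None

def decide(req: Request) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is allow, needs_approval or deny."""
    rule = POLICY.get(req.action)
    if rule is None:
        return "deny", "action not in policy"
    if req.tier < rule.required_tier:
        return "deny", "agent tier below required tier"
    if rule.required_tier <= Tier.PROPOSE:
        return "allow", "no side effects"
    start, end = rule.window
    gated = (req.tier < Tier.EXECUTE_AUTONOMOUS
             or req.amount_usd > rule.auto_limit_usd
             or not start <= req.when.time() <= end)
    if not gated:
        return "allow", "inside autonomous envelope"
    if req.approved_by and req.approved_by != req.agent_id:
        return "allow", "approved by " + req.approved_by
    return "needs_approval", "outside autonomous envelope"
```

With these rules, a $500,000 `purchase_parts` request at 2 a.m. returns `needs_approval` even from an agent in the highest tier, and naming the requesting agent as its own approver does not clear the gate.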
Step 3: Measure reliability like an operations system
If you want leads and momentum internally, measure what leadership cares about:
- Mean time to decision (MTTD) for operational triage
- Work order cycle time reduction
- Percentage of agent actions approved vs rejected
- Incident rate per 1,000 agent actions
Treat agent deployments like any other critical system: pilot, monitor, harden, expand.
Where this is headed: from the web to the grid
The agentic web isn’t just a new way to shop online. It’s a preview of a world where software negotiates with software constantly—over prices, priorities, schedules, and risk. Utilities already live in that world, except today the negotiations happen through humans and brittle integrations.
As part of this AI in Energy & Utilities series, my stance is straightforward: AI agents will become standard in utility operations, but the winners won’t be the ones who automate the fastest. They’ll be the ones who automate with identity, security engineering, and operational discipline baked in.
If you’re exploring AI for grid optimization, demand forecasting, predictive maintenance, or outage communications, the next practical step is to map one workflow and ask: What would we allow an agent to do on day one—and what must it never do without a gate? The quality of your answer will predict whether your first agent rollout becomes a capability… or an incident.