From ISA/IEC 62443 to AI Governance: What Industrial Safety Teaches Us About Agent Systems

Everyone building AI agents is reinventing governance from scratch. New frameworks. New taxonomies. New acronyms. As if no one has ever had to secure a system where autonomous components make decisions with real-world consequences.

Except someone has. For decades.

Industrial control systems — the systems that run power plants, water treatment facilities, and manufacturing lines — have been solving this exact problem since the 1990s. The framework they use is ISA/IEC 62443, and its principles map to AI agent governance with uncomfortable precision.

I know because I've applied them. My background is in industrial automation, and when I started building VNX Orchestration — 11 AI agents in production — I didn't start with AI governance frameworks. I started with the framework I already knew.

Five Principles That Transfer Directly

1. Security Levels → Agent Trust Levels

ISA/IEC 62443 defines four security levels (SL-1 through SL-4) based on risk assessment. A water pump controller gets SL-1. A nuclear reactor safety system gets SL-4. The controls at each level are different because the consequences of failure are different.

AI agents need the same tiered approach. Not every agent deserves the same level of autonomy. In VNX Orchestration:

  • Level 1 (Assisted): Agent suggests, human decides. Every output reviewed. Used for new agents and unfamiliar tasks.
  • Level 2 (Supervised): Agent executes, human reviews all outputs before they ship. The default for most production work.
  • Level 3 (Monitored): Agent operates within boundaries. Human reviews outcomes, not individual actions. Reserved for agents with proven track records.
  • Level 4 (Autonomous): Agent handles most work independently. Human intervention is exception-based. Earned, not granted.

The key insight from 62443: you define the target security level based on risk assessment, then identify the controls needed to meet it. You don't give everything the same controls. You match the governance to the risk.

2. Zones and Conduits → Agent Boundaries

In industrial systems, zones are logical groupings of assets with the same security requirements. Conduits are the controlled pathways between them. A manufacturing robot doesn't talk directly to the internet. It talks to a local controller, which talks to a gateway, which talks to the enterprise network. Each boundary has explicit rules about what data can cross.

I applied the same architecture to agent communication. In VNX:

  • T0 (Orchestrator) is a zone. It reads, plans, and dispatches. It never writes code directly.
  • T1/T2 (Workers) are separate zones. They receive dispatches, execute tasks, and produce outputs. They never talk to each other.
  • T3 (Deep Work) is an isolated zone for complex tasks requiring extended reasoning.
  • Conduits between zones are dispatch files with explicit schemas. No direct communication. No shared state. Every interaction is logged.

This isn't just clean architecture. It's containment. If T1 hallucinates, the damage stays in T1. The cascade of doom — where one agent's bad output becomes the next agent's input — is architecturally impossible because agents never read each other's outputs directly.
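
A conduit check of this kind can be sketched as follows; this is an added example, not code from VNX. The zone names come from the list above, while the dispatch fields, the message kinds and the return path from workers to T0 are assumptions.

```python
# Added illustration. Zone names T0-T3 come from the article; the dispatch
# fields, message kinds and conduit table are assumptions, not VNX's schema.
ALLOWED_CONDUITS = {("T0", "T1"), ("T0", "T2"), ("T0", "T3"),   # orchestrator -> zone
                    ("T1", "T0"), ("T2", "T0"), ("T3", "T0")}   # zone -> orchestrator
KINDS_BY_SOURCE = {"T0": {"task"}, "T1": {"result"}, "T2": {"result"}, "T3": {"result"}}
SCHEMA = {"dispatch_id": str, "source": str, "target": str, "kind": str, "payload": dict}

# Constructed sample dispatches.
SAMPLE = [
    {"dispatch_id": "d1", "source": "T0", "target": "T1", "kind": "task", "payload": {"goal": "fix lint"}},
    {"dispatch_id": "d2", "source": "T1", "target": "T2", "kind": "result", "payload": {}},
    {"dispatch_id": "d3", "source": "T1", "target": "T0", "kind": "task", "payload": {}},
    {"dispatch_id": "d4", "source": "T0", "target": "T3", "kind": "task", "payload": {}, "shared_state": "x"},
]


class ConduitViolation(Exception):
    """A dispatch tried to cross a boundary the conduit rules do not allow."""


def validate_dispatch(msg: dict) -> dict:
    """Return msg if it may cross a conduit, otherwise raise ConduitViolation."""
    # Strict schema: no missing fields, no extra fields, exact types.
    if set(msg) != set(SCHEMA):
        raise ConduitViolation(f"unexpected or missing fields: {sorted(set(msg) ^ set(SCHEMA))}")
    for field, expected in SCHEMA.items():
        if not isinstance(msg[field], expected):
            raise ConduitViolation(f"{field} must be {expected.__name__}")
    # Zone rule: every path runs through T0, so worker-to-worker traffic fails here.
    route = (msg["source"], msg["target"])
    if route not in ALLOWED_CONDUITS:
        raise ConduitViolation(f"no conduit {route[0]} -> {route[1]}")
    # Direction rule: only the orchestrator issues tasks; other zones return results.
    if msg["kind"] not in KINDS_BY_SOURCE[msg["source"]]:
        raise ConduitViolation(f"{msg['source']} may not send kind {msg['kind']!r}")
    return msg


def route_all(messages):
    """Validate each dispatch; return (delivered ids, [(id, reason)] rejected)."""
    delivered, rejected = [], []
    for msg in messages:
        try:
            delivered.append(validate_dispatch(msg)["dispatch_id"])
        except ConduitViolation as exc:
            rejected.append((msg.get("dispatch_id"), str(exc)))  # every rejection is logged
    return delivered, rejected


if __name__ == "__main__":
    print(route_all(SAMPLE))
```

Rejecting unknown fields matters as much as the route table: an extra key is how shared state leaks across a boundary that is supposed to carry only the declared schema.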

3. Defense in Depth → Governance Layers

ISA/IEC 62443 mandates defense in depth: multi-layered controls across people, processes, and technology. Not one firewall. Not one check. Multiple independent layers, so that a failure in any single layer doesn't compromise the system.

In VNX Orchestration, governance has four layers:

  1. Quality Gates — Every dispatch goes through a quality gate before the output is accepted. This is the first line of defense.
  2. Receipt Ledger — Every decision is logged to an append-only NDJSON audit trail. No edits. No deletions. Full traceability.
  3. Confidence Scoring — Patterns are ranked by proven adoption. Low-confidence patterns fade automatically. High-confidence patterns surface.
  4. SPC Monitoring — Statistical Process Control detects anomalies in agent behavior using the same X-bar charts that Toyota has used for 50 years.
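
One way to make the "no edits, no deletions" property of layer 2 checkable rather than assumed is to chain each NDJSON receipt to the hash of the previous one. This is an added example, not code from VNX; the record fields and the hash chain are assumptions, since the article only states that the ledger is append-only NDJSON.

```python
# Added illustration, not VNX code. The article only says the ledger is
# append-only NDJSON; the record fields and hash chain are assumptions.
import hashlib
import json

GENESIS = "0" * 64
# Constructed sample events.
SAMPLE_EVENTS = [{"dispatch": "d1", "gate": "pass"},
                 {"dispatch": "d2", "gate": "fail"},
                 {"dispatch": "d3", "gate": "pass"}]


def digest(body: dict) -> str:
    """SHA-256 over canonical JSON, so a record always hashes the same way."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_receipt(ledger: str, event: dict) -> str:
    """Return the NDJSON text plus one receipt chained to the previous line."""
    lines = ledger.splitlines()
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    body = {"seq": len(lines), "prev": prev, "event": event}
    return ledger + json.dumps({**body, "hash": digest(body)}, sort_keys=True) + "\n"


def verify_ledger(ledger: str):
    """Return None if the chain is intact, else the index of the first bad line."""
    prev = GENESIS
    for i, line in enumerate(ledger.splitlines()):
        try:
            rec = json.loads(line)
            claimed = rec.pop("hash")
        except (ValueError, KeyError, TypeError, AttributeError):
            return i
        if rec.get("seq") != i or rec.get("prev") != prev or digest(rec) != claimed:
            return i
        prev = claimed
    return None


def demo():
    """Build a ledger, then edit one receipt and delete another."""
    ledger = ""
    for event in SAMPLE_EVENTS:
        ledger = append_receipt(ledger, event)
    lines = ledger.splitlines(keepends=True)
    edited = ledger.replace('"fail"', '"pass"', 1)   # rewrite a gate result
    deleted = lines[0] + lines[2]                      # drop the middle receipt
    return verify_ledger(ledger), verify_ledger(edited), verify_ledger(deleted)
```

The chain detects edits and mid-file deletions but not truncation of the newest receipts, so the latest hash has to be recorded somewhere the agents cannot write.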

If a quality gate fails to catch a bad output, the receipt ledger still records it. If the receipt ledger misses a pattern, SPC monitoring catches the statistical anomaly. No single layer needs to be perfect. The system needs to be collectively robust.
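
The X-bar chart from layer 4, worked through as an added example that is not VNX code. The metric (a 0-100 quality-gate score per dispatch, grouped five dispatches at a time) and all sample numbers are constructed assumptions; the A2 values are the standard control-chart constants.

```python
# Added illustration, not VNX code. The metric (a 0-100 quality-gate score per
# dispatch, grouped five dispatches at a time) and all numbers are constructed.
from statistics import mean

# Standard X-bar chart constant A2, indexed by subgroup size n.
A2 = {2: 1.880, 3: 1.023, 4: 0.729, 5: 0.577, 6: 0.483}

# Subgroups recorded while the agent was known to behave well.
BASELINE = [[90, 92, 88, 91, 89], [91, 89, 90, 93, 87], [88, 90, 92, 89, 91],
            [92, 90, 89, 91, 88], [89, 91, 90, 88, 92]]
# Later subgroups to be judged against the baseline limits.
RECENT = [[90, 91, 89, 92, 88], [86, 88, 85, 87, 84],
          [91, 90, 92, 89, 90], [88, 87, 88, 87, 87]]


def control_limits(baseline):
    """Compute (LCL, centre, UCL) from in-control subgroups of equal size."""
    n = len(baseline[0])
    if n not in A2 or any(len(g) != n for g in baseline):
        raise ValueError("subgroups must share one size between 2 and 6")
    centre = mean(mean(g) for g in baseline)          # grand mean of subgroup means
    r_bar = mean(max(g) - min(g) for g in baseline)   # average subgroup range
    return centre - A2[n] * r_bar, centre, centre + A2[n] * r_bar


def out_of_control(subgroups, limits):
    """Return indices of subgroups whose mean falls outside the control limits."""
    lcl, _, ucl = limits
    return [i for i, g in enumerate(subgroups) if not lcl <= mean(g) <= ucl]


if __name__ == "__main__":
    limits = control_limits(BASELINE)
    print(limits, out_of_control(RECENT, limits))
```

The last subgroup in `RECENT` contains only scores that also appear in the baseline, yet its mean falls below the lower limit, which is the kind of drift a per-output gate does not see.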

4. Secure Development Lifecycle → Governed Agent Lifecycle

62443-4-1 requires a secure-by-design software development lifecycle for industrial control systems. Security isn't bolted on after development. It's embedded in every phase: requirements, design, implementation, testing, deployment, maintenance.

The same principle applies to agent governance. You don't add governance after your agents are in production. You design it in from the start:

  • Requirements: What is this agent allowed to do? What is it explicitly not allowed to do?
  • Design: What boundaries, quality gates, and escalation paths does it need?
  • Testing: 131 tests in VNX don't just test features — they test governance constraints. test_update_terminal_constraints_writes_pending_rules_json ensures rules never auto-activate.
  • Deployment: Graduated autonomy. Start at Level 1. Earn your way up.
  • Maintenance: Nightly learning cycles update confidence scores. Stale patterns are flagged for archival.

5. Patch Management → Context Rotation

This is the mapping that surprised me most. In industrial systems, patch management is critical because unpatched vulnerabilities compound over time. A system that was secure last month may not be secure today.

AI agents have an analogous problem: context degradation. The longer a session runs, the more the context window fills with irrelevant information. Quality drops. Hallucination rates increase. I documented this as context rot.

The solution mirrors patch management: regular, automated rotation. My agents don't run indefinitely. They get a fresh context at defined intervals, with a structured handover document that preserves essential state while clearing accumulated noise. Just as industrial systems need regular patching to maintain security posture, AI agents need regular context rotation to maintain output quality.

Why This Matters Now

ISA has published a position paper explicitly endorsing 62443 for securing industrial AI — covering AI in robotics, predictive maintenance, and digital twins. The paper states that 62443 ensures "AI systems are transparent, secure, reliable, and aligned with operational technology requirements."

Meanwhile, new AI standards are emerging. ISO/IEC 42001 for AI management systems. The NIST AI Risk Management Framework. The EU AI Act. All of them share principles with 62443: risk-based assessment, layered controls, lifecycle governance, traceability.

If you're building AI agents today and you're struggling to define your governance model, you don't need to wait for a new AI-specific framework. The framework already exists. It's been battle-tested in nuclear power plants, chemical facilities, and manufacturing lines for decades.

The principles are the same. Only the substrate has changed.

What You Can Apply Today

You don't need to implement the full 62443 standard. Check my AI architecture approach for how these principles look in practice, or start with these three:

Define trust levels for your agents. Not every agent needs the same governance. A content research agent that drafts summaries needs less oversight than an agent that sends emails to customers. Match the controls to the risk.

Isolate your agent communication. Don't let agents talk directly to each other. Route all communication through an orchestrator with explicit schemas. This prevents cascading failures and gives you a single audit point.

Layer your defenses. Don't rely on one quality check. Stack multiple independent checks: output validation, audit trail, statistical monitoring, human review. Any single check can fail. The system should still catch problems.

These aren't theoretical ideas. They're production patterns from an industry that can't afford the luxury of "move fast and break things" — because when industrial systems break, people get hurt.

The AI industry hasn't reached that level of consequence yet. But it's heading there. Better to build the governance now than to retrofit it later.

The full VNX governance architecture is open source on GitHub. Every trust level, every boundary, every test — inspectable. Because the first principle of any safety standard is transparency.

Vincent van Deth

AI Strategy & Architecture

I build production systems with AI — and I've spent the last six months figuring out what it actually takes to run them safely at scale.

My focus is AI Strategy & Architecture: designing multi-agent workflows, building governance infrastructure, and helping organisations move from AI experiments to auditable, production-grade systems. I'm the creator of VNX, an open-source governance layer for multi-agent AI that enforces human approval gates, append-only audit trails, and evidence-based task closure.

Based in the Netherlands. I write about what I build — including the failures.
