AI Governance in Energy and Utilities: Grid AI, Safety Systems, and Critical Infrastructure Obligations
Energy and utilities operators are deploying AI at scale: grid optimisation, predictive maintenance, demand forecasting, safety monitoring. This article sets out the critical infrastructure obligations, safety case requirements, and sector-specific governance framework that apply.
Key Takeaways
Energy and utilities operators are designated critical infrastructure owners under the Security of Critical Infrastructure Act (SOCI Act) — AI systems used in critical operations are within the scope of the SOCI Act's risk management programme obligations.
AEMO (Australian Energy Market Operator) has specific requirements for AI and automated systems used in grid management — operational technology AI must comply with AEMO's market rules and system standards.
AER (Australian Energy Regulator) oversight extends to AI-driven customer systems — AI in retail energy pricing, smart meter analytics, and demand response programmes is subject to AER consumer protection oversight.
Safety case requirements apply to AI in safety-critical energy operations — AI control systems in gas transmission, high-voltage electricity, and liquefied natural gas facilities require safety assessment under the relevant WHS and technical safety frameworks.
The energy transition creates specific AI governance challenges: AI forecasting for renewable energy integration, AI in battery storage management, and AI in demand response create new use cases that existing governance frameworks may not adequately address.
"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific advice."
Why AI governance is a critical infrastructure obligation in the energy sector
The energy sector is among the most intensive adopters of AI globally — and one of the most specifically regulated. AI applications in energy span the entire value chain: algorithmic trading in wholesale electricity markets; predictive maintenance for generation, transmission, and distribution assets; grid management and demand forecasting; cybersecurity monitoring; and increasingly, autonomous control systems in critical infrastructure. Each of these applications sits at a different point on the risk spectrum, and each triggers different regulatory obligations depending on the jurisdiction.
The EU AI Act classifies AI used in the management and operation of critical digital infrastructure, road traffic, and essential utilities (water, gas, heating, electricity) as high-risk under Annex III. This is not a borderline case — it is explicit in the regulation. Failure or malfunction of AI systems used as safety components in critical energy infrastructure could endanger health, safety, or property, and cause serious disruption to essential services. The regulatory logic follows the risk: the more consequential the failure, the more intensive the governance obligation.
EU AI Act — what energy companies must do and by when
In March 2026, Baker Botts published a detailed analysis of the EU AI Act's implications for the energy sector. Their May 2026 update confirmed the timeline impact of the Omnibus agreement: the compliance deadline for high-risk AI systems classified under Annex III — which captures most operational AI used in energy management and critical infrastructure — moves from 2 August 2026 to 2 December 2027. AI embedded in regulated products under Annex I (machinery, safety components) retains its 2 August 2028 deadline.
The extended timeline provides a longer runway but does not change what must ultimately be done. For energy companies operating in or serving the EU market, the high-risk AI obligations include: an AI inventory identifying all AI systems used in covered functions; risk classification and documentation for each system; technical documentation meeting Article 11 and Annex IV requirements; a risk management system with ongoing assessment and monitoring; human oversight architecture — a competent person must be able to understand, monitor, and intervene in AI system outputs; EU database registration before deployment; post-market monitoring; and serious incident reporting within specified timeframes.
Non-EU energy companies supplying products or services to EU infrastructure operators must appoint an EU authorised representative. The question of whether a US, Australian, or other non-EU energy company's AI system is "placed on the EU market" depends on whether the output of that system is used by EU-based operators or affects EU infrastructure. Energy trading algorithms that affect EU electricity market prices, or AI systems used in control rooms of assets supplying EU grids, are likely within scope.
United States — NIST and FERC cybersecurity requirements
In the US, energy sector AI governance operates through sector-specific regulation rather than a horizontal AI law. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards impose cybersecurity requirements on bulk electric system facilities that apply to AI systems used in operational technology environments. NERC CIP-007 (system security management) and CIP-010 (configuration change management) cover AI software deployed in operational technology environments — changes to AI systems in FERC-jurisdictional facilities require configuration management processes consistent with CIP-010.
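The configuration change management point above is easiest to see in code. The following added example (not NERC text, not Baker Botts' material, and not any vendor's tooling) models a CIP-010-style control applied to an AI system's deployed artifacts: a baseline of SHA-256 hashes is taken over every tracked file, later states are compared against it, and any deviation not covered by an approved change record is flagged for review. The paths, file contents and the set-of-paths representation of a change ticket are constructed for the example.

```python
"""Baseline-and-compare check for AI software deployed in an OT environment.

Illustrates a CIP-010-style configuration change management control applied
to an AI system's deployed artifacts: a baseline of SHA-256 hashes is taken
over every tracked file, later states are compared against it, and any
deviation not covered by an approved change record is flagged for review.

The paths, file contents and change-record representation are constructed
for this example; they are not NERC CIP text or any vendor's format.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample: artifacts that make up a deployed forecasting model.
# A real check would read these from disk; they are in memory so the example
# runs offline.
BASELINE_ARTIFACTS = {
    "/opt/gridai/model/weights.bin": b"\x00\x01weights-v1",
    "/opt/gridai/model/config.yaml": b"threshold: 0.8\nmode: advisory\n",
    "/opt/gridai/inference/serve.py": b"def predict(x): return model(x)\n",
    "/opt/gridai/requirements.lock": b"numpy==1.26.4\ntorch==2.2.0\n",
}


def take_baseline(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Map each tracked path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in artifacts.items()}


@dataclass(frozen=True)
class Deviation:
    path: str
    kind: str         # "changed", "added" or "removed"
    authorised: bool  # covered by an approved change record?


def compare_to_baseline(baseline: dict[str, str], current: dict[str, str],
                        approved_paths: set[str]) -> list[Deviation]:
    """Return every difference between the baseline and the current state.

    approved_paths stands in for the paths named in approved change records
    (a constructed simplification of a change ticket).
    """
    deviations = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "changed"
        else:
            continue  # unchanged: nothing to report
        deviations.append(Deviation(path, kind, path in approved_paths))
    return deviations


def unauthorised(deviations: list[Deviation]) -> list[Deviation]:
    """Deviations with no approved change record: the ones needing escalation."""
    return [d for d in deviations if not d.authorised]


def demo_scenario() -> list[Deviation]:
    """Constructed scenario: one approved model update, one unapproved config
    change and one unexpected new file appear after the baseline was taken."""
    baseline = take_baseline(BASELINE_ARTIFACTS)
    current_files = dict(BASELINE_ARTIFACTS)
    current_files["/opt/gridai/model/weights.bin"] = b"\x00\x02weights-v2"
    current_files["/opt/gridai/model/config.yaml"] = b"threshold: 0.8\nmode: autonomous\n"
    current_files["/opt/gridai/inference/hotfix.py"] = b"# untracked script\n"
    approved = {"/opt/gridai/model/weights.bin"}  # the only change with a ticket
    return compare_to_baseline(baseline, take_baseline(current_files), approved)


if __name__ == "__main__":
    for d in demo_scenario():
        status = "authorised" if d.authorised else "UNAUTHORISED"
        print(f"{d.kind:8} {status:13} {d.path}")
```

The unapproved switch of `mode` from `advisory` to `autonomous` is exactly the kind of change that a hash-only baseline catches and a review of model accuracy would miss: the control cares about whether the change was authorised, not whether the model still performs.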
The NIST AI Risk Management Framework, while voluntary, is increasingly referenced in sector guidance and enforcement investigations as evidence of reasonable care in AI deployment. For energy companies, a NIST profile for AI in critical infrastructure — which NIST is developing — will function as the practical baseline against which regulatory scrutiny is measured. Baker Botts notes that "voluntary" NIST guidance will, within a short window, function as the standard for reasonable care in AI-related litigation and enforcement. Regulators and plaintiffs can point to NIST guidance as evidence of what responsible AI governance looked like at the relevant time.
Cybersecurity obligations specific to AI in energy
AI systems in energy infrastructure create novel cybersecurity risks that existing frameworks are being extended to address. Prompt injection attacks on LLM-based energy management interfaces, adversarial inputs designed to manipulate AI-driven grid control decisions, and data poisoning of predictive maintenance models are threat vectors with no equivalent in traditional energy infrastructure security. APRA's April 2026 letter to Australian financial services — while focused on financial institutions — noted that identity and access management has not yet adapted to non-human actors like AI agents, a finding that applies equally to energy sector operational technology environments where AI systems are interacting with control systems.
Energy sector organisations should ensure: AI systems in operational technology environments are included in CIP/cybersecurity scope; adversarial testing including prompt injection probing is conducted for AI systems with decision-making authority in grid operations; AI supply chain risk is assessed — the vendors providing AI systems used in critical infrastructure create fourth-party dependencies that regulators expect to be identified and managed; and incident response procedures specifically address AI system failures and their operational consequences.
Market manipulation risk in AI-enabled energy trading
Algorithmic and AI-driven trading in wholesale electricity markets creates market manipulation risk that is subject to energy market regulation in all major jurisdictions. In the EU, the Regulation on Wholesale Energy Market Integrity and Transparency (REMIT) prohibits market manipulation and insider trading in wholesale energy markets — AI-driven trading strategies that exploit price signals or create artificial price movements are within REMIT's scope. ACER (the Agency for the Cooperation of Energy Regulators) has enforcement authority over REMIT violations. Energy companies using AI in trading algorithms must document and test those algorithms against REMIT compliance requirements, and maintain audit trails that allow regulators to reconstruct the basis for automated trading decisions.
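An audit trail that lets a regulator reconstruct an automated trading decision needs two properties: each record must hold what the algorithm saw and why it acted, and the records must be tamper-evident. The following added example (not REMIT or ACER text, and not any trading platform's format) shows one way to build such a trail in Python: every decision record carries its inputs, model version, resulting order and rationale, plus a SHA-256 hash chained to the previous record, so editing or dropping a record breaks verification. Field names, the market identifier and all sample values are constructed.

```python
"""Tamper-evident audit trail for automated energy-trading decisions.

Each record captures what the algorithm saw (inputs), which model produced
the decision, what order resulted and a stated rationale, and carries a
SHA-256 hash chained to the previous record. A reviewer can reconstruct the
basis for any order and detect whether any record was altered or removed.

Field names, market identifiers and sample values are constructed for this
example; they do not reflect REMIT, ACER or any trading platform's format.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS_HASH = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class DecisionRecord:
    seq: int
    timestamp: str
    model_version: str
    market: str
    inputs: dict      # features the algorithm acted on
    decision: dict    # order it produced
    rationale: str    # human-readable basis for the decision
    prev_hash: str
    record_hash: str


def compute_hash(fields: dict) -> str:
    """Hash every field except record_hash, serialised deterministically."""
    payload = {k: v for k, v in fields.items() if k != "record_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.records: list[DecisionRecord] = []

    def append(self, timestamp, model_version, market, inputs, decision, rationale):
        """Chain a new decision to the previous record and return it."""
        prev = self.records[-1].record_hash if self.records else GENESIS_HASH
        fields = dict(seq=len(self.records), timestamp=timestamp,
                      model_version=model_version, market=market, inputs=inputs,
                      decision=decision, rationale=rationale, prev_hash=prev)
        rec = DecisionRecord(**fields, record_hash=compute_hash(fields))
        self.records.append(rec)
        return rec


def verify_chain(records):
    """Return (True, None) if intact, else (False, index of first bad record).

    Checks sequence continuity (dropped records), linkage to the previous
    hash (reordering) and each record's own hash (edits after the fact)."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if (rec.seq != i or rec.prev_hash != expected_prev
                or compute_hash(asdict(rec)) != rec.record_hash):
            return False, i
        expected_prev = rec.record_hash
    return True, None


def build_sample_trail() -> AuditTrail:
    """Constructed sample: three decisions from a day-ahead bidding model."""
    trail = AuditTrail()
    trail.append("2026-01-15T09:00:00Z", "dayahead-v3.2", "EXAMPLE-DA",
                 {"forecast_wind_mw": 18500, "forecast_load_mw": 61000, "gas_eur_mwh": 31.2},
                 {"side": "sell", "volume_mwh": 120, "limit_eur_mwh": 84.5},
                 "high wind forecast lowers expected clearing price; sell ahead")
    trail.append("2026-01-15T09:05:00Z", "dayahead-v3.2", "EXAMPLE-DA",
                 {"forecast_wind_mw": 9800, "forecast_load_mw": 63500, "gas_eur_mwh": 31.4},
                 {"side": "buy", "volume_mwh": 60, "limit_eur_mwh": 97.0},
                 "wind forecast revised down; cover expected shortfall")
    trail.append("2026-01-15T09:10:00Z", "dayahead-v3.3", "EXAMPLE-DA",
                 {"forecast_wind_mw": 9900, "forecast_load_mw": 63400, "gas_eur_mwh": 31.4},
                 {"side": "hold", "volume_mwh": 0, "limit_eur_mwh": None},
                 "model updated to v3.3; no change in position warranted")
    return trail


def tampered_copy(trail: AuditTrail, index: int, new_limit: float):
    """Copy of the records with one order's price edited after the fact."""
    records = list(trail.records)
    rec = records[index]
    records[index] = replace(rec, decision={**rec.decision, "limit_eur_mwh": new_limit})
    return records


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", verify_chain(trail.records))
    print("edited record:", verify_chain(tampered_copy(trail, 1, 999.0)))
    print("dropped record:", verify_chain(trail.records[:1] + trail.records[2:]))
```

Recording the model version alongside each decision matters for the reconstruction requirement: the third record above was produced by a different model than the first two, and a reviewer asking why the strategy changed can see that from the trail itself rather than inferring it from deployment logs.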