Runtime authorization for manufacturing AI agents.

An optimization or supervisory agent with OPC UA, Modbus, or Ignition access can change a PLC setpoint, push a recipe, or override a safety interlock before an operator can reach the kill switch. Network credentials show the agent has been let into the OT segment. Veto decides whether this specific tag write, recipe push, or batch-record change is allowed given shift, role, deadband, and safety classification, consistent with ISA/IEC 62443 and the plant's site safety case.

ISA/IEC 62443 · FDA 21 CFR Part 11 · NIS2 (EU OT) · NIST SP 800-82

What can go wrong

OT incidents are rare and high-impact. The shared pattern is concrete: one wrong control action crosses from software into the physical plant. An AI agent that writes to a PLC at machine speed compresses that failure mode into a much smaller review window.

PLC misconfiguration

An optimization agent writes a temperature setpoint of 850°C instead of 85.0°C because the units string got mangled. The downstream furnace tag accepts the write. Material scrap and equipment damage compound until someone notices on the next shift.

Safety-instrumented bypass

An agent disables a SIF or alarm to "stop the noise" while working on a different issue. The interlock stays bypassed and the plant runs unprotected. Functional-safety teams need that action gated before it lands.

Unauthorized SCADA writes

A maintenance agent issues a remote start on a motor that an operator has padlocked out. Lockout/Tagout failures are physical-safety failures, not software warnings.

Supplier-order manipulation

A planning agent doubles a raw-material order, or shifts production to a non-qualified supplier, in response to an out-of-distribution demand signal. The financial exposure shows up at month-end close.

What Veto enforces

Wrap the OPC UA, Modbus, MQTT, MES, and ERP tools your agent uses. Tag-level policies are aware of safety classification, deadbands, role, and shift.

veto/policies/manufacturing-agents.yaml
policies:
  - name: "Safety-critical tag protection"
    match:
      tool: ["opcua.write","modbus.write_register","ignition.write_tag"]
    rules:
      - condition: "tag.safety_classification in ['SIL1','SIL2','SIL3']"
        action: deny
        reason: "Safety-instrumented tag is not agent-writable"
      - condition: "tag.lockout_active == true"
        action: deny
        reason: "Tag is under LOTO; only the owner can release"

  - name: "Setpoint deadband"
    match:
      tool: ["opcua.write","ignition.write_tag"]
    rules:
      - condition: "tag.safety_classification == 'none'
                    && abs(args.value - tag.current) < tag.deadband"
        action: allow
      - condition: "abs(args.value - tag.current) >= tag.deadband"
        action: require_approval
        approvers: ["shift-supervisor@plant"]

  - name: "Recipe push maker-checker"
    match:
      tool: ["mes.push_recipe","batch.commit_recipe"]
    rules:
      - condition: "context.agent_role != 'process_engineer'"
        action: deny
      - condition: "args.recipe.qualification_status != 'validated'"
        action: deny
        reason: "Recipe not in validated state"
      - condition: "args.recipe.changes_safety_parameters == true"
        action: require_approval
        approvers: ["process-safety@plant","qa@plant"]

  - name: "Supplier-order ceilings"
    match:
      tool: ["erp.create_po","sap.update_po"]
    rules:
      - condition: "args.quantity > sku.eoq * 2"
        action: require_approval
        approvers: ["planning-lead@approved.example"]
      - condition: "args.supplier.qualification != 'approved'"
        action: deny
        reason: "Supplier not on approved-supplier list"
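
The first two policies above, evaluated against the failure cases from "What can go wrong", as an added sketch that is not Veto's engine or API. The names `Tag`, `authorize`, `safety_rules` and `deadband_rules` are hypothetical, and two behaviours are assumptions the page does not state: the most restrictive verdict wins across policies, and a write that matches no rule is denied.

```python
from dataclasses import dataclass

# Most restrictive verdict wins across policies, and no match means deny.
# Both are assumptions of this sketch; the page does not state either.
SEVERITY = {"allow": 0, "require_approval": 1, "deny": 2}
SIL = ("SIL1", "SIL2", "SIL3")

@dataclass
class Tag:
    current: float
    deadband: float
    safety_classification: str = "none"
    lockout_active: bool = False

def safety_rules(tag, value):
    # Mirrors "Safety-critical tag protection".
    if tag.safety_classification in SIL:
        return ("deny", "Safety-instrumented tag is not agent-writable")
    if tag.lockout_active:
        return ("deny", "Tag is under LOTO; only the owner can release")
    return None

def deadband_rules(tag, value):
    # Mirrors "Setpoint deadband". A NaN value fails both comparisons.
    delta = abs(value - tag.current)
    if tag.safety_classification == "none" and delta < tag.deadband:
        return ("allow", "within deadband")
    if delta >= tag.deadband:
        return ("require_approval", "shift-supervisor@plant")
    return None

# (tools matched, rule function), in the order the YAML lists them.
POLICIES = [
    (("opcua.write", "modbus.write_register", "ignition.write_tag"), safety_rules),
    (("opcua.write", "ignition.write_tag"), deadband_rules),
]

def authorize(tool, tag, value):
    hits = [rules(tag, value) for tools, rules in POLICIES if tool in tools]
    hits = [h for h in hits if h is not None]
    if not hits:
        return ("deny", "no rule matched")  # fail closed
    return max(hits, key=lambda h: SEVERITY[h[0]])

# Constructed sample tags, not taken from a real plant.
furnace = Tag(current=85.0, deadband=2.0)
interlock = Tag(current=1.0, deadband=0.5, safety_classification="SIL2")
locked_motor = Tag(current=0.0, deadband=1.0, lockout_active=True)
```

Two cases reach the no-match default: a NaN value, which satisfies neither deadband comparison, and a `modbus.write_register` call on a non-safety tag, which the deadband policy's `match` list does not cover.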

Evidence hooks

ISA/IEC 62443-3-3

SR 1.13 use control, SR 6.1 event logging, SR 6.2 decision-record retention. Veto policy YAML and decision records give assessors a concrete control artifact to review.

FDA 21 CFR Part 11

Electronic-record integrity, attribution, and decision records for pharma and medical-device manufacturing. Veto records who approved a governed write, which rule applied, and what changed.

NIS2 (EU)

Essential manufacturing entities need risk-management measures including access controls and incident logging. Veto's decision record is the artifact you can hand to the reviewer.

NIST SP 800-82r3

OT security guidance from NIST. Veto's role-and-shift policies map to AC-2 and AU-2 controls for industrial environments.

Where the risk lands

Industrial agents do not just write rows. They can write setpoints, recipes, supplier orders, and maintenance states. The control must happen before that write crosses into OT.

Veto gives each governed action a policy verdict, approver context, and decision record so operations, safety, and audit teams can inspect what happened without reverse-engineering the agent run.

Frequently asked questions

How does Veto sit alongside a control-system DCS or SCADA HMI?

Veto wraps the OPC UA, Modbus, MQTT, or vendor-specific (Rockwell, Siemens, Honeywell) client your agent uses to read or write tags. The DCS and HMI continue to enforce their own safety interlocks; Veto adds an authorization boundary above them so an AI agent must pass operator-approval policy before a wrapped write. For isolated or DMZ networks, Veto can run on the edge node that bridges OT to the corporate LLM environment.

How does this support ISA/IEC 62443 zone-and-conduit evidence?

IEC 62443-3-3 SR 1.13 requires use control between security zones. When an AI agent in the corporate network calls into the manufacturing zone, Veto's policy check can function as a use-control point on the governed path. Decision records can support SR 6.1 audit-record evidence and incident response under SR 6.2.

What about FDA 21 CFR Part 11 for regulated production?

Part 11 requires electronic-record integrity, unique user attribution, and approval workflows for any electronic record that supports a GMP decision. Veto decision records can include the agent identity, policy version, decision, approver history, and record integrity metadata when configured. Combined with your batch-record system, it supports 11.10 access-control and 11.50 audit-trail evidence.

Can an agent still optimize a non-safety setpoint in real time?

Yes. Setpoint adjustments within a configured deadband, on tags marked non-safety-critical, auto-approve. Writes that cross the deadband, touch any safety-instrumented function tag, or fall outside the shift's operator-on-duty window go to a human. The intent is to enable closed-loop optimization for low-risk tags while routing out-of-policy writes to humans.

Gate the out-of-policy write before it reaches OT.

Tag-level policies on top of your existing DCS and SCADA.