Critical Infrastructure Secure Context Profile

What this is. A critical-infrastructure readiness layer for the Secure Context Layer thesis. It turns current NIST, OWASP, CISA, and MCP guidance into generated evidence and a runtime evaluator before agents retrieve context or act near high-stakes systems.

SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. That position is more credible if the project can answer the hardest enterprise question: “Can this help us pilot agents in critical infrastructure without weakening safety, availability, privacy, oversight, or incident response?”

The Critical Infrastructure Secure Context Profile is the answer. It does not claim compliance with a future NIST profile. It creates an enterprise-ready scaffold now: sector profiles, hazard flags, required evidence, rollout lanes, reviewer views, and deterministic allow, hold, deny, or kill decisions.

Generated artifact

  • Source model: data/assurance/critical-infrastructure-secure-context-profile.json
  • Generator:
  • Evidence pack: data/evidence/critical-infrastructure-secure-context-pack.json
  • Runtime evaluator:
  • MCP tools: recipes_critical_infrastructure_secure_context_pack,

Regenerate and validate the pack:

Evaluate a read-only pilot decision:

Evaluate a held high-impact action:

Why this matters now

NIST’s April 2026 concept note says critical infrastructure will increasingly rely on AI across IT, OT, and ICS, and that the profile will help operators communicate trustworthiness requirements across AI and CI lifecycles and supply chains. That is exactly where SecurityRecipes can be useful: not by claiming agents are safe, but by forcing context, authorization, operator approval, telemetry, and incident evidence to exist before agents act.

This profile also reflects current MCP security guidance:

  • protected MCP calls need authorization, resource metadata, and scope minimization;
  • token passthrough, shadow MCP servers, unsafe local launches, and raw secret access are kill signals;
  • read-only context pilots are the default starting lane;
  • high-impact action classes require operator approval, a safety-case id, risk acceptance, receipt evidence, and severe-risk clearance.

Sector profiles

Sector Default decision Why it is high stakes
Energy, OT, and ICS hold_for_ci_safety_case Process control, grid reliability, safety interlocks, vendor remote access, and maintenance windows.
Healthcare and public health hold_for_ci_safety_case Regulated health data, care operations, clinical workflow availability, and emergency coordination.
Financial services hold_for_ci_safety_case Funds movement, market impact, model-route risk, fraud monitoring, and regulated-data leakage.
Water and wastewater hold_for_ci_safety_case Treatment operations, remote access, field response, and public-service continuity.
Transportation systems hold_for_ci_safety_case Passenger safety, logistics availability, signaling support, maintenance, and continuity.
Communications, cloud, and DNS hold_for_ci_safety_case Cross-sector dependencies, routing, identity, DNS, metadata services, and tenant isolation.

Runtime decisions

Decision Meaning
allow_ci_read_only_context Read-only or evidence-only context has identity, authorization, egress, and context hash evidence.
allow_ci_supervised_action A supervised action has sector safety-case evidence, operator approval, risk acceptance, receipt, authorization, egress, and severe-risk clearance.
hold_for_ci_safety_case Sector, run, approval, safety-case, risk, receipt, or policy evidence is missing.
deny_untrusted_ci_context Context is untrusted or lacks a context package hash.
kill_session_on_ci_hazard_signal Token passthrough, shadow MCP, unsafe local launch, raw secret access, or another runtime hazard appeared.

Product strategy

This is a stronger enterprise story than another static checklist.

Layer Value
Open foundation Public profile, generator, evidence pack, evaluator, docs, and MCP tools.
Production MCP server Hosted sector profiles, authorization checks, safety-case lookup, receipts, and policy evaluation.
Design-partner wedge Regulated teams can start with read-only context and prove whether agent evidence lowers review friction.
trust review fit Frontier labs, cloud providers, and security platforms need a credible way to sell agents into high-stakes sectors.

MCP examples

Get the summary:

{}

Get the energy profile:

{
  "sector_id": "energy-ot-ics"
}

Evaluate a critical-infrastructure read-only context request:

{
  "sector_id": "energy-ot-ics",
  "workflow_id": "vulnerable-dependency-remediation",
  "action_class": "read_only_context",
  "agent_id": "sr-agent::vulnerable-dependency-remediation::codex",
  "run_id": "ci-readonly",
  "identity_id": "sr-agent::vulnerable-dependency-remediation::codex",
  "tenant_id": "ci-tenant",
  "context_package_hash": "sha256:context",
  "authorization_decision": "allow_authorized_mcp_request",
  "egress_decision": "allow_internal_context"
}

Source anchors

See also