Manufacturing organizations run on a layered technology stack that most enterprise AI governance guidance was not written with in mind. Enterprise resource planning systems handle procurement and finance. Manufacturing execution systems coordinate the production floor. Quality management systems are tied to regulatory and customer requirements. And a growing layer of operational technology -- sensors, controllers, and industrial systems -- traditionally sits behind a hard air gap from corporate IT. As manufacturers introduce AI agents to automate scheduling, procurement exception handling, supplier communication, and production reporting, those agents often need to read from or write to several of these layers to be useful. That requirement puts AI agent governance directly in tension with decades of deliberate segmentation between IT and OT environments.
Understanding this tension is the starting point for any manufacturer evaluating or scaling an AI agent deployment. The governance questions that matter are not purely technical. They involve change management, production safety, audit readiness, and the organizational accountability structures that manufacturing operations already have in place for changes that touch the production floor.
Why Manufacturing Has a Distinct AI Agent Governance Problem
Enterprise-wide research on agentic AI adoption identifies manufacturing among the industries moving from pilot to production deployment, alongside financial services and healthcare. Legacy system integration is one of the most commonly cited barriers to scaling these deployments. That barrier is not purely technical. Many manufacturers have well-established change management and safety review processes for anything that touches production systems, and those processes were not designed around software that acts autonomously and can vary its behavior from one execution to the next.
Governance frameworks built for general enterprise AI adoption often assume access to conventional business applications. They need adaptation to address the specific boundary between an AI agent reading a demand forecast in ERP and an AI agent triggering a change to a production schedule that has physical, safety, and quality consequences. This distinction -- between reading and acting, and between business-system actions and production-adjacent actions -- is the central governance challenge that manufacturing-specific implementations need to address.
Several characteristics of the manufacturing environment make this challenge particularly pronounced:
- IT and OT segmentation. Industrial environments maintain deliberate separation between business IT systems and operational technology. AI agents that span both domains, or that can affect OT systems through actions taken in IT systems, require governance boundaries that reflect this segmentation rather than ignore it.
- Safety-critical downstream effects. A schedule change in a manufacturing execution system can affect machine utilization, staffing, and product quality in ways that an equivalent change in a business application cannot. Agents operating in these environments need action-level controls calibrated to those stakes.
- Supplier-submitted content at scale. Manufacturing supply chains routinely involve large volumes of documents and data submitted by external suppliers -- purchase orders, certificates of conformance, shipping documents, quality records. Agents that process this content are exposed to the same indirect prompt injection risks documented across other AI agent deployments.
- Regulatory and customer audit requirements. Manufacturers with quality management obligations, whether under industry standards or customer contractual requirements, need to demonstrate what actions were taken on regulated data, by what system, under what authorization, and when. AI agent activity that touches quality records needs to be captured in a form that satisfies these requirements.
Where AI Agents Are Entering Manufacturing Workflows
AI agents in manufacturing settings are being applied across several operational categories. Understanding where they are entering workflows is a prerequisite for identifying where governance controls need to apply.
| Workflow Area | Typical Agent Activity | Systems Involved |
|---|---|---|
| Production scheduling | Reading demand signals and adjusting schedules based on capacity and order priority | MES, ERP |
| Procurement and supplier management | Reconciling purchase orders, invoices, and supplier records; handling exceptions automatically | ERP, supplier portals |
| Quality and compliance documentation | Drafting, updating, and routing quality records tied to regulatory or customer requirements | QMS, document management |
| Supply chain exception handling | Identifying delays or shortages and initiating responses such as expedite requests or alternative sourcing | ERP, logistics platforms |
| Production reporting | Aggregating and distributing operational performance data across shifts and production lines | MES, ERP, reporting tools |
Each of these workflow categories carries a different risk profile depending on how directly agent actions can affect the production floor or regulated records. An agent that aggregates and distributes a production report carries materially different risk than one that writes changes to a production schedule or updates a quality record that will appear in a customer audit.
A Risk Tier Framework for Agent Actions
The practical starting point for manufacturers is classifying agent actions by their proximity to physical production and regulated systems. This classification supports calibrated authorization controls: granting agents useful access to the data they need for demand forecasting, procurement, and reporting, while requiring a higher bar -- additional verification, human review, or an outright block -- for actions that touch production scheduling, quality records, or anything adjacent to operational technology.
| Risk Tier | Example Actions | Governance Posture |
|---|---|---|
| Low | Reading inventory levels, querying demand forecasts, generating draft reports | Standard authorization; full audit logging |
| Medium | Updating purchase orders, routing supplier communications, creating quality draft records | Scoped authorization with action-level review thresholds |
| High | Writing production schedule changes in MES, modifying finalized quality records, any action with a path to OT systems | Human-in-the-loop approval; restricted tool access; complete audit trail |
This kind of tiered approach is not unique to manufacturing -- it reflects general principles for agentic AI authorization applied to the specific system boundaries that matter in industrial environments. The value of making these tiers explicit is that they create a shared framework for IT, OT security, and operations teams to agree on what agents are allowed to do before deployment, rather than discovering disagreements after the fact.
Applying Runtime Governance to the Manufacturing Stack
Runtime governance refers to the controls that operate continuously as an agent executes, as distinct from the policies set during initial configuration. In manufacturing environments, runtime governance needs to address several specific patterns.
Action authorization at the tool level
AI agents accomplish tasks by invoking tools -- API calls, database writes, document updates, and similar operations. Governing which tools an agent can invoke, under what conditions, and with what parameters is more precise and reliable than trying to govern agent behavior through prompt-level instructions alone. For manufacturing environments, this means mapping each tool invocation back to the risk tier classification above and enforcing authorization decisions at that level, not just at the initial agent prompt.
Treatment of supplier-submitted content
Manufacturing supply chains routinely involve documents and data submitted by external suppliers. Agents that process this content -- reading a certificate of conformance, extracting data from a supplier invoice, or parsing a shipping document -- are exposed to the same indirect prompt injection risk documented across other industries. The governance principle is straightforward: supplier-submitted content should be treated as untrusted data, not as trusted instructions. Runtime controls that enforce this boundary prevent a malicious or malformed document from redirecting an agent's behavior in ways the organization did not authorize.
Audit logging sufficient for quality and regulatory review
Manufacturers with existing regulatory or customer audit obligations around quality documentation need AI agent activity to be captured in a form that satisfies those requirements. A complete, queryable record of what an agent did, what data it accessed or modified, what tool it invoked, and what policy authorized the action provides the foundation for both internal quality reviews and external audits. This is not a capability that should be added after deployment -- it needs to be built into how agent activity is captured from the beginning.
None of the major AI governance standards currently include manufacturing-specific provisions. The framework described here reflects the disciplined application of general agentic AI governance principles to the specific system boundaries, risk profiles, and audit requirements that manufacturing environments present.
Organizational Readiness Considerations
The governance challenge in manufacturing is not only technical. Manufacturers with mature change management processes for production systems often find that the organizational question -- who is accountable when an AI agent takes an action that affects the production floor -- is harder to resolve than the technical question of how to limit what the agent can do.
Several organizational patterns support effective AI agent governance in manufacturing contexts:
- Treat AI agent deployment decisions for production-adjacent systems through the same change management review process used for other production system changes, not as a general IT software deployment.
- Define explicit accountability for agent actions before deployment: which team owns the agent's behavior, who reviews escalations, and what the escalation path is for unexpected actions.
- Establish the audit logging and review cadence that quality management obligations require before any agent touches quality records, not after.
- Involve OT security alongside IT when evaluating any agent workflow that could have direct or indirect effects on operational technology systems, even if the agent itself only operates on IT-side applications.
- Start with read-only or draft-only tool access in new deployments, expanding to write access as governance controls are validated in practice.
These are not obstacles to AI agent adoption in manufacturing. They are the conditions under which adoption can be sustained and scaled without creating the kind of operational incidents that cause organizations to pull back from agentic deployments altogether.
Adoption Context
Manufacturing organizations are at different stages of AI agent adoption. Some are running initial pilots in procurement or supply chain management, where the systems involved are furthest from the production floor and the governance requirements are most similar to other enterprise applications. Others are evaluating agents for scheduling and MES integration, where the proximity to physical production raises the stakes considerably.
In both cases, the governance architecture put in place early -- the tool authorization model, the audit logging approach, the human review thresholds -- shapes what is possible at larger scale. Organizations that establish these controls in early deployments are in a better position to expand agent scope responsibly. Those that defer governance as a later-stage concern often find themselves retrofitting controls under pressure, after an incident has already demonstrated the need.