CIP-015-1 Is Approved. When the Auditor Asks How Your AI Decided, What Will You Show Them?

On June 26, 2025, FERC formally approved NERC CIP-015-1, the Internal Network Security Monitoring (INSM) standard, for high and medium impact BES Cyber Systems (for medium impact, those with External Routable Connectivity). The October 2028 compliance deadline is now fixed.

Most utilities are focused on the obvious question: which monitoring tools should we deploy?

But there is a harder question few are asking yet: when your AI-powered monitoring tool flags something as anomalous, or fails to flag something that later turns out to be a breach, what documentation will you show the auditor?

The Documentation Gap

CIP-015-1 Requirement R1 calls for documented processes covering three things: the network data feeds you collect, how you detect anomalous activity in them, and how you evaluate the anomalies you detect. The standard is deliberately technology-neutral, but the implication is clear: you need to be able to explain why your monitoring system reached its conclusions, in a form an auditor can follow.

This creates a problem for AI-powered solutions.

Traditional rule-based systems are easy to document. "Alert triggered because traffic exceeded threshold X on port Y." The logic is explicit, the rule is versioned, and the audit trail writes itself.

AI-based anomaly detection doesn't work that way. A machine learning model separates normal from anomalous along a boundary learned from training data, not along a rule anyone wrote down, and that boundary moves every time the model is retrained. That's its strength and its compliance liability.

When an auditor asks "why did your system classify this traffic as normal?" and your answer is "the model's learned weights determined it didn't match the anomaly pattern," you have a documentation problem.

"The AI Recommended It" Is Not a Compliance Defense

In 2019, Duke Energy paid a $10 million penalty for 127 CIP violations. NERC cited "lack of managerial oversight, lack of internal controls, deficient processes" among the root causes.

Now imagine that scenario with AI in the loop. An AI monitoring tool misclassifies malicious traffic as benign. The breach occurs. The auditor arrives.

Your defense cannot be "we trusted the AI." That's not a documented process. That's faith.

The utilities that will struggle with CIP-015-1 aren't the ones without monitoring tools. They're the ones whose monitoring tools can't explain themselves.

The Shift From Post-Hoc to Pre-Decision

Here's how compliance works today: deploy tools, collect evidence, hope the auditor agrees with your interpretation, and find out 18 months later whether you've been fined.

That made sense when decisions were slow and documentation was manual.

It makes zero sense when an AI model is making thousands of determinations per day.

The shift that's coming: verification before the decision executes, not after.

What does that look like in practice?

Consider a methodology where AI determinations are challenged before they're acted upon. An advocate system argues for the conclusion. An adversary system challenges it: "This traffic pattern was classified as normal, but it matches characteristics of the lateral movement seen in the Volt Typhoon intrusions into US critical infrastructure." An arbitrator weighs the two and renders a verdict with its full reasoning, tied to the specific evidence: the flow records, the model version that made the call, and the baseline it was compared against. A verdict that cites none of these is just a second black box explaining the first.

Every challenge. Every response. Every ruling. Documented in real time, in a record that can be shown not to have been edited afterwards.

When the auditor arrives, you don't explain what the AI decided. You show them the debate that led to the decision.

This is adversarial verification. It's the difference between trusting AI and verifying AI.
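As an added example (not code from this article or from any INSM product), here is a small Python sketch of the pattern. A rule-based advocate, adversary and arbitrator stand in for the models a real deployment would call, and every step is appended to a hash-chained log so an auditor can replay the debate and confirm that nothing was edited afterwards. The baseline, port watch list, model identifier and IP addresses are constructed for illustration.

```python
"""Adversarial verification of an AI anomaly determination, recorded in a
hash-chained log an auditor can replay. Added example, not code from the
article or any INSM vendor: advocate, adversary and arbitrator are rule-based
stand-ins for the models a real deployment would call; baseline and port
list are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Hypothetical watch list of ports commonly used for lateral movement.
LATERAL_MOVEMENT_PORTS = {135, 445, 3389, 5985, 5986}


@dataclass(frozen=True)
class Determination:
    """What the monitoring model saw and what it concluded about it."""
    model_id: str    # version of the model that made the call
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    label: str       # "normal" or "anomalous", as assigned by the model
    score: float     # model anomaly score in [0, 1]


class DecisionLog:
    """Append-only record; each entry hashes its predecessor, so editing or
    dropping any entry after the fact makes verify() fail."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, role: str, text: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "role": role, "text": text, "prev": prev,
                 "ts": datetime.now(timezone.utc).isoformat()}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def advocate(d: Determination) -> str:
    """Restates the model's case together with the evidence it rested on."""
    return (f"Model {d.model_id} labelled {d.src}->{d.dst}:{d.dst_port} as "
            f"{d.label} (score {d.score:.2f}, {d.bytes_out} bytes out).")


def adversary(d: Determination, baseline: set[tuple[str, str]]) -> list[str]:
    """Looks for concrete, citable reasons a 'normal' label could be wrong."""
    challenges: list[str] = []
    if d.label == "normal":
        if (d.src, d.dst) not in baseline:
            challenges.append(f"Pair {d.src}->{d.dst} is not in the learned baseline.")
        if d.dst_port in LATERAL_MOVEMENT_PORTS:
            challenges.append(f"Port {d.dst_port} is a lateral-movement channel.")
        if d.score >= 0.4:
            challenges.append(f"Score {d.score:.2f} is close to the decision threshold.")
    return challenges


def arbitrator(d: Determination, challenges: list[str]) -> tuple[str, str]:
    """Rules on the debate; the rule itself is part of the documented process."""
    if d.label == "normal" and len(challenges) >= 2:
        return "overturned", "two or more unanswered challenges; escalate to an analyst"
    if challenges:
        return "upheld with reservation", "one challenge noted; label stands, flagged for review"
    return "upheld", "no substantive challenge raised"


def verify_determination(d: Determination, baseline: set[tuple[str, str]]):
    """Runs the debate, appending every step to the log as it happens."""
    log = DecisionLog()
    log.append("input", json.dumps(asdict(d), sort_keys=True))
    log.append("advocate", advocate(d))
    challenges = adversary(d, baseline)
    for c in challenges:
        log.append("adversary", c)
    verdict, reasoning = arbitrator(d, challenges)
    log.append("arbitrator", f"{verdict}: {reasoning}")
    return verdict, log


if __name__ == "__main__":
    # Constructed input: SMB from an HMI to a host outside the baseline, labelled normal.
    v, log = verify_determination(Determination("insm-v3", "10.0.1.10", "10.0.2.55",
                                                445, 2048, "normal", 0.31),
                                  {("10.0.1.10", "10.0.1.20")})
    print(*(f"{e['seq']} {e['role']:<10} {e['text']}" for e in log.entries), sep="\n")
    print("verdict:", v, "| record intact:", log.verify())
```

The rule-based stand-ins are deliberately simple; the part worth keeping is the record. Each entry carries the input the model saw, the model version, and the reasoning at every step, and the hash chain means the log can be handed over as evidence rather than reconstructed from memory when the auditor arrives.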

What To Do Now

CIP-015-1 compliance is 32 months away for high and medium impact systems. That sounds like plenty of time. It isn't.

Deploying monitoring tools typically takes 6 to 12 months. Training staff takes another 6. Building documentation processes that will survive audit scrutiny takes longer than most utilities expect.

If your AI compliance strategy is "deploy tools and document outputs," you're building on sand.

Start asking harder questions:

  1. For every AI tool in your compliance stack, can you reconstruct why it reached a specific conclusion: which data it saw, which model version made the call, and what it compared against?

  2. If an AI determination leads to a violation, can you demonstrate due diligence in your verification process?

  3. When the auditor asks "how do you know the AI got it right?" what's your answer?

The utilities that figure this out first will have audit-ready documentation while everyone else is scrambling to explain their black boxes.

Post-hoc auditing is already obsolete. The only question is whether you'll realize it before or after the auditor does.
