For the first time in Forescout's annual ranking of the riskiest OT protocols, BACnet made the list in 2026.

BACnet is the backbone of building automation. It controls HVAC, lighting, access, and fire systems in the majority of commercial real estate in North America. And in 2026, it joined BACnet/IP, Modbus, and EtherNet/IP on a list that OT security professionals use to prioritize network segmentation and monitoring.

The reason: "living off the land" attacks — where adversaries use legitimate building automation commands to traverse building networks — have moved from theoretical to documented. Dragos was named a Gartner Magic Quadrant Leader for Cyber-Physical Systems Protection Platforms in 2026 partly because this threat category is real enough to warrant enterprise-grade tooling.

This changes the AI buildings conversation.

The Architecture Question You Should Be Asking Every Vendor

If an AI system claims to "autonomously control" your HVAC — optimizing setpoints, adjusting damper positions, overriding BAS schedules — you now have a security, liability, and governance question to ask before a performance question.

Specifically: who is accountable when the AI makes the wrong call?

Not in theory. In practice. When your building's AHU-3 runs at 58°F supply air because an autonomous AI decided that was optimal, and your tenants file a comfort complaint, and your insurer asks for the decision audit trail — who answers?

This is why the most rigorous AI building architectures in 2026 are designed to recommend, not control.

Microsoft's Reference Architecture Already Made This Call

Microsoft's open-source Digital Twin building copilot reference architecture (leestott/DigitalTwin on GitHub) includes an explicit design constraint: the AI copilot refuses to touch the BMS. It reads sensor data, runs diagnostics, surfaces fault hypotheses, and recommends corrective actions — but it will not send commands to the BAS.

The architects who built this aren't being timid. They're being correct. The value of an AI copilot isn't in replacing the human decision-maker. It's in giving the human decision-maker better information, faster, with better reasoning — so that the human's accountability is backed by AI-grade analysis.

When Microsoft's reference architecture for enterprise building AI explicitly refuses BMS control, that's a signal about where the industry is heading, not where it's been.

Three Governance Architectures — and Why Only One Is Defensible

| Architecture | Full AI Autonomy | AI-Assisted Hybrid | Recommend-Only (AISB/Microsoft) |
| --- | --- | --- | --- |
| Who sends BAS commands? | AI system directly | AI with human override option | Human always. AI never touches BMS. |
| Audit trail | Algorithm log (opaque to tenants, insurers, regulators) | Partial human record | Human decision log with AI recommendation attached |
| Cybersecurity exposure | HIGH — AI API is a BMS attack surface | MEDIUM — override path partially mitigates | LOW — AI reads sensors, no write path to BAS |
| IPMVP M&V compatibility | Difficult — autonomous changes violate Option A/B baseline integrity | Partial | Full — human-approved changes preserve M&V audit trail |
| Procurement / insurance | Requires novel AI liability framework most insurers don't offer | Gray area | Standard procurement process. No special liability carve-outs needed. |

Why "Recommend-Only" Is More Valuable, Not Less

The counterintuitive truth is that recommend-only AI delivers more durable value than autonomous AI in commercial buildings — for three reasons.

1. Accountability creates better decisions. When a human FM director has to approve a setpoint change recommended by the AI, they engage with the reasoning. They catch edge cases the AI missed. They build domain expertise that makes the next decision faster. Autonomous AI bypasses this loop and degrades operator skill over time.

2. IPMVP M&V stays clean. Energy performance contracts and green financing instruments require a verifiable baseline. Autonomous AI changes introduce uncontrolled variables that IPMVP Option A and Option B cannot accommodate. Recommend-only preserves the measurement boundary, which means every efficiency gain remains bankable. Buildings pursuing IPMVP verification cannot afford an AI system that writes to the BAS without a human decision gate.

3. Procurement is straightforward. When you present a recommend-only AI system to a REWS procurement committee, facilities insurance carrier, or building owner's legal team, the liability question has a clear answer: the AI advises, the human decides, and the human's decision is logged. This is the framework that reflexive AI procurement processes are converging on in 2026. Full-autonomy AI requires novel liability instruments that most CRE organizations are not equipped to handle.

How AISB's CSIO Platform Is Built

AISB's Chief Smart Building Intelligence Officer (CSIO) platform is designed around the recommend-only principle from the ground up. The platform reads sensor telemetry, integrates with BMS data exports, runs multi-source diagnostics, and delivers recommendations with evidence — but it has no write path to the BAS.
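The recommend-only pattern described in the comparison table and in the CSIO description above, as an added illustration written for this article (it is not AISB's or Microsoft's code): the advisory component holds no BAS client at all, the only write path lives behind a human decision gate, and every approval or rejection is logged with the recommendation attached. The point names, the comfort floor and the telemetry snapshot are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed telemetry snapshot for this example (not real BMS data):
# the article's AHU-3 running at 58F supply air.
TELEMETRY = {"AHU-3/SAT": 58.0, "AHU-3/SAT-SP": 58.0}

@dataclass(frozen=True)
class Recommendation:
    point: str             # object the operator would act on (assumed naming)
    proposed_value: float
    evidence: str          # reasoning surfaced to the human decision-maker

@dataclass(frozen=True)
class DecisionRecord:
    recommendation: Recommendation
    approver: str
    approved: bool
    timestamp: str

class AdvisoryCopilot:
    """Read path only: consumes telemetry, emits recommendations, holds no BAS client."""
    def __init__(self, comfort_floor_f: float = 60.0):
        self.comfort_floor_f = comfort_floor_f   # assumed comfort threshold

    def analyze(self, telemetry: dict) -> list[Recommendation]:
        sat = telemetry["AHU-3/SAT"]
        if sat < self.comfort_floor_f:
            return [Recommendation("AHU-3/SAT-SP", self.comfort_floor_f,
                    f"supply air {sat}F is below comfort floor {self.comfort_floor_f}F")]
        return []

class DecisionGate:
    """The only object that can write to the BAS; every decision is logged."""
    def __init__(self, bas_write: Callable[[str, float], None]):
        self._bas_write = bas_write          # injected by the operations side, never by the AI
        self.audit_log: list[DecisionRecord] = []

    def decide(self, rec: Recommendation, approver: str, approve: bool) -> DecisionRecord:
        if approve:
            self._bas_write(rec.point, rec.proposed_value)   # human-approved write only
        record = DecisionRecord(rec, approver, approve,
                                datetime.now(timezone.utc).isoformat())
        self.audit_log.append(record)        # recommendation + human decision, together
        return record

def run_cycle(telemetry: dict, bas_write, approver: str, approve: bool) -> list[DecisionRecord]:
    gate = DecisionGate(bas_write)
    for rec in AdvisoryCopilot().analyze(telemetry):
        gate.decide(rec, approver, approve)
    return gate.audit_log
```

The audit log produced here is the "human decision log with AI recommendation attached" from the table: an insurer or auditor can see what the AI proposed, who decided, and whether anything was actually written.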

Every recommendation includes:

This is AI that makes the human FM director more effective — not one that makes them redundant. And in the current BACnet threat environment, it's also AI that doesn't introduce a new attack surface into your building's control network.

The Question for Your Next Vendor Conversation

When an AI building vendor says their system "autonomously optimizes" your HVAC — ask them: does your system send commands to the BAS, or does it recommend actions to your operations team?

If the answer is autonomous BAS control, ask what their liability framework looks like when an autonomous decision causes a comfort failure, an IPMVP baseline violation, or a cybersecurity incident.

If they don't have a clear answer, you have your answer.


Related reading: The Reflexive AI Procurement Gate — how to document AI-first decisions in CRE. And What Is an Agentic Building? — the operational model behind governance-first AI.