Securing Agent Access to the UNS Guardrails for Autonomous Actions
The moment you allow an AI agent to publish a setpoint change to a production line's control topic, you have moved beyond data analytics and into autonomous action. That shift changes the security model fundamentally. The question is no longer "who can see this data?" but "who, or what, is allowed to act on it, under what constraints, and with what recourse when something goes wrong?"
Agentic AI for Operations refers to AI agents that consume real-time operational data, reason over it, and take governed action in industrial environments. Securing agent access to the Unified Namespace (UNS) is the architectural challenge that determines whether those agents remain safe, auditable, and trustworthy, or become a liability.
This post addresses the four pillars of that challenge: agent identity, topic-level permissions, write-action constraints, and audit with revocation. The audience is IT/OT solutions architects designing systems where MQTT-based UNS architectures must accommodate both human operators and autonomous agents without compromising safety or uptime.
Why Does Agent Access to the UNS Require a Different Security Model?
Human users authenticate once, operate within well-understood workflows, and exercise judgment before taking action. Agents do none of these things reliably without explicit architectural enforcement. An agent operating on the UNS might subscribe to hundreds of topics simultaneously, process thousands of messages per second, and publish write commands in milliseconds. The blast radius of a compromised or misconfigured agent is orders of magnitude larger than a compromised human session.
Traditional MQTT security, typically TLS for transport encryption and username/password or client certificate for authentication, was designed for device-to-broker communication patterns. It answers the question "is this client allowed to connect?" but does not address "is this agent allowed to publish a temperature setpoint to site/area-3/line-7/oven/setpoint at 2:00 AM on a Sunday?"
In a manufacturing UNS organized along ISA-95 hierarchies (enterprise, site, area, line, cell), the topic namespace reflects the physical and logical structure of operations. Agent access policies must be equally granular. An energy optimization agent might legitimately need read access across an entire site's power metering topics, but write access to only a narrow set of HVAC control topics within a specific area. A predictive maintenance agent might need broad read access to vibration and temperature sensors, but zero write access to any control topic.
The security model must account for three realities that are unique to agentic workloads:
Agents operate at machine speed. A misconfigured publish can propagate faster than any human can intervene.
Agents may be multi-tenant. Multiple agents from different vendors or internal teams may share the same broker cluster.
Agent behavior changes over time. Model updates, retraining, and configuration changes can alter an agent's behavior without altering its credentials.
How Should AI Agent Identity Be Established on the UNS?
Every agent connected to the UNS must have an identity that is cryptographically verifiable, uniquely scoped, and revocable.
Certificate-Based Identity
The strongest approach for production deployments is mutual TLS (mTLS) with per-agent X.509 certificates. Each agent receives a unique certificate issued by an internal certificate authority (CA) or an intermediate CA dedicated to agent workloads.
HiveMQ Broker supports mTLS natively and can extract identity attributes from client certificates through its security extension framework. This allows architects to embed agent metadata (team ownership, environment, authorized scope) directly into the certificate, which the broker evaluates at connection time and on every publish or subscribe action.
A practical certificate naming convention for agents on a manufacturing UNS:
Certificate Field | Example Value | Purpose |
|---|---|---|
CN |
| Unique agent identifier |
OU |
| Organizational unit for agent workloads |
SAN (URI) |
| Version-specific identifier for policy binding |
SAN (DNS) |
| Network-resolvable identity |
Short-Lived Credentials and Rotation
Static credentials, even certificates, become liabilities over time. Agents should use short-lived tokens or certificates that rotate automatically. OAuth 2.0 client credentials grants, integrated with HiveMQ Broker via the Enterprise Security Extension (ESE), provide a mechanism for issuing time-bound access tokens. An agent authenticates to an identity provider, receives a JWT with scoped claims, and presents it to the broker. Token expiry forces re-authentication, limiting the window of exposure if credentials leak.
For environments where OAuth infrastructure is not available at the edge, certificate rotation with short validity periods (24 to 72 hours) combined with automated renewal through a secrets manager achieves a similar effect.
Identity Binding to Policy
The critical architectural decision is how identity maps to authorization policy. HiveMQ's extension framework allows custom authorization logic that evaluates the authenticated identity against a policy store on every MQTT operation (CONNECT, SUBSCRIBE, PUBLISH). This policy store can be an external system (LDAP, OPA, a custom API) or policies defined within HiveMQ Pulse's governance layer, which provides centralized policy management across the UNS.
The key principle: identity is not authorization. Verifying that an agent is who it claims to be is necessary but insufficient. The broker must also verify, on every action, that the authenticated agent is permitted to perform that specific action on that specific topic at that specific time.
How Do Topic-Level Permissions Constrain Agent Behavior?
Topic-level access control lists are the primary enforcement mechanism for agent behavior on the UNS. They determine which topics an agent can subscribe to (read) and which topics it can publish to (write). For agentic workloads, these ACLs must be significantly more granular than typical device ACLs.
Read vs. Write Separation
The most important structural decision is treating read and write permissions as fundamentally different risk categories. An agent that reads site/chicago/area-3/+/temperature gains information. An agent that writes to site/chicago/area-3/line-7/oven/setpoint changes physical reality. These two actions should never share the same permission grant.
In practice, this means defining separate ACL entries for SUBSCRIBE and PUBLISH, even when they apply to the same agent and overlapping topic spaces. HiveMQ Broker's authorization model supports this separation natively.
Wildcard Restriction
MQTT's wildcard subscriptions (+ for single-level, # for multi-level) are powerful for data consumption but dangerous for agent workloads if unrestricted. An agent subscribing to site/chicago/# receives every message published under that site's namespace, potentially including topics it should never see (personnel data, financial metrics, security system states).
Best practice for agent ACLs:
Never grant
#(multi-level wildcard) subscribe access to an agent. Enumerate the specific topic branches the agent needs.Use single-level wildcards (
+) sparingly and only when the agent's function genuinely requires cross-entity visibility at a specific hierarchy level (e.g.,site/chicago/area-3/+/vibrationfor a maintenance agent monitoring all lines in an area).Prohibit wildcard publish entirely. An agent should always publish to a fully qualified topic. No exceptions.
Role-Based Agent Groupings
As agent populations grow (and they will; a mature manufacturing UNS deployment might host 50 to 200 agents across predictive maintenance, quality, energy, logistics, and scheduling domains), managing per-agent ACLs becomes unwieldy. Role-based groupings map agent functions to permission sets:
Agent Role | Subscribe Topics (Examples) | Publish Topics (Examples) |
|---|---|---|
Predictive Maintenance Reader |
| None |
Predictive Maintenance Actor | Same as Reader |
|
Energy Optimizer |
|
|
Quality Inspector |
|
|
An agent can hold multiple roles, and roles can be composed. HiveMQ's extension framework supports evaluating role membership as part of the authorization chain, pulling role definitions from an external policy engine (such as Open Policy Agent) or from HiveMQ Pulse's governance policies.
Temporal and Contextual Constraints
Static ACLs are insufficient for environments where agent permissions should vary by context. Consider:
An energy optimization agent should only adjust HVAC setpoints during production hours, not during maintenance windows.
A quality inspection agent should only issue hold commands when a production batch is active.
A scheduling agent should only publish to line-assignment topics during shift transitions.
These constraints require contextual authorization, where the broker evaluates not just "who is publishing to what topic" but "under what conditions is this publish allowed." HiveMQ's Data Hub policy engine can evaluate message context (payload content, timestamp, session metadata) against rules before allowing a publish to proceed. Combined with external context sources (MES state, shift schedules, maintenance calendars), this enables time-aware and state-aware agent permissions.
What Controls Should Govern Agent Write Actions?
If read access gives agents information, write access gives them influence. Every control discussed so far (identity, ACLs, temporal constraints) applies to both reads and writes, but write actions demand additional safeguards.
Payload Validation
An agent authorized to publish to site/chicago/area-3/line-7/oven/setpoint should not be able to publish arbitrary content to that topic. HiveMQ Data Hub enforces schema validation on publish, ensuring that payloads conform to a defined JSON Schema or protobuf schema before the broker accepts and distributes them.
For agent writes, payload validation should enforce:
Type correctness. A temperature setpoint must be a numeric value, not a string.
Range constraints. A setpoint of 2,000°C for a curing oven is almost certainly wrong. Define min/max bounds in the schema.
Required fields. Every agent-initiated write should include a correlation ID, the agent's identity, a timestamp, and a reason code. This metadata is essential for audit trails.
Structural integrity. The payload must match the expected schema version. Agents running outdated models that produce deprecated payload formats should be rejected.
Rate Limiting
An agent that publishes 1,000 setpoint changes per second, whether due to a bug, a feedback loop, or adversarial manipulation, can destabilize physical processes before any monitoring system reacts. Rate limiting at the broker constrains the maximum publish rate per client, per topic, or per topic pattern.
HiveMQ Broker supports configurable rate limits through its extension framework. For agent workloads, rate limits should be calibrated to the physical process:
A setpoint change for a thermal process (oven, furnace) might legitimately change once per minute. Rate limit: 2 publishes/minute with burst allowance.
A conveyor speed adjustment might change once per 10 seconds. Rate limit: 10 publishes/minute.
A quality hold flag is a binary state change. Rate limit: 1 publish/minute per batch ID.
Approval Chains for Safety-Critical Writes
Some agent actions should never execute without human confirmation. HiveMQ's agentic layer supports the concept of trusted delegation, where an agent proposes an action and a human approves it before execution. This pattern applies directly to UNS write security.
The architecture for approval-gated writes:
The agent publishes a proposed action to a staging topic:
site/chicago/area-3/line-7/oven/setpoint/proposed.An approval service (or human operator via dashboard) evaluates the proposal against business rules and current operational context.
If approved, the approval service publishes the action to the live topic:
site/chicago/area-3/line-7/oven/setpoint.The agent never has direct publish access to the live control topic; it only accesses the staging topic.
This pattern uses the UNS topic structure itself as the enforcement mechanism, no additional infrastructure required beyond the broker and an approval service. The agent's ACL permits publish only to */proposed topics. The approval service, authenticated with a separate, tightly controlled identity, holds publish access to live control topics.
Action Budgets
Beyond per-message rate limits, agents should operate within cumulative action budgets. An energy optimization agent might be permitted to adjust HVAC setpoints up to 20 times per shift but no more. This prevents scenarios where individually valid actions compound into operationally dangerous aggregate behavior (e.g., oscillating setpoints that stress mechanical systems).
Action budgets are enforced by maintaining a counter per agent per action type, evaluated in the broker's authorization extension on each publish. When the budget is exhausted, subsequent publishes are rejected until the budget resets (typically at shift boundaries or after explicit operator approval).
How Do Audit Logging and Revocation Complete the Security Model?
If you cannot prove what an agent did, when, and why, then you cannot investigate incidents, satisfy regulatory audits, or build organizational trust in autonomous operations.
Comprehensive Audit Logging
Every agent interaction with the UNS must be logged with sufficient detail to reconstruct the sequence of events after an incident. The minimum audit record for an agent publish:
Field | Description |
|---|---|
Timestamp | Broker-side timestamp (not agent-reported) |
Agent Identity | Extracted from mTLS certificate or OAuth token |
Agent Version | From certificate SAN or token claims |
Topic | Fully qualified publish topic |
Payload Hash | SHA-256 of the payload (or full payload for low-volume control topics) |
Authorization Decision | ALLOW or DENY, with the policy rule that produced the decision |
Correlation ID | Links the action to the agent's reasoning chain |
Broker Node | Which cluster node handled the publish |
HiveMQ Broker's audit logging capabilities capture connection, subscription, and publish events. The Enterprise Extension for Kafka enables streaming these audit events to a durable event store (Apache Kafka, then to a SIEM or data lake) for long-term retention and analysis.
For regulated manufacturing environments (pharmaceutical, automotive, food and beverage), these audit logs map directly to FDA 21 CFR Part 11, IATF 16949, and similar requirements for electronic records and traceability of automated actions.
Real-Time Revocation
When an agent behaves unexpectedly, the response must be immediate. "We'll rotate the certificate at the next renewal window" is not acceptable when an agent is publishing erroneous setpoints to a live production line.
HiveMQ Broker supports real-time client disconnection and credential revocation through its extension API. A revocation workflow for agents:
Detection. Anomaly detection on the UNS (potentially powered by HiveMQ Pulse's anomaly detection capabilities) identifies unusual agent behavior: publish frequency outside norms, payload values outside expected ranges, or publishes to topics outside the agent's normal pattern.
Automated quarantine. The agent is immediately moved to a restricted ACL that permits subscribe-only access (so it can still observe but cannot act). Its publish permissions are revoked.
Notification. The operations team receives an alert with the agent's identity, the triggering anomaly, and the quarantine action taken.
Investigation. Using the audit log, the team reconstructs what the agent did and determines root cause.
Resolution. The agent is either restored with its original permissions, restored with modified permissions, or permanently revoked.
This workflow requires the authorization system to support dynamic policy updates without broker restart. HiveMQ's extension framework supports hot-reloading of authorization policies, making real-time revocation operationally viable even in high-availability cluster deployments.
Certificate Revocation at Scale
For mTLS-based agent identity, standard CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) mechanisms provide the cryptographic layer of revocation. However, CRL distribution lag can leave a window of vulnerability. For agent workloads, supplement certificate-layer revocation with broker-layer revocation (explicitly disconnecting the client and blacklisting the client ID) for immediate effect, with CRL/OCSP providing the durable cryptographic backstop.
What Does a Production-Ready Architecture for Securing Agent Access to UNS Look Like?
Bringing these four pillars together, a production-grade architecture for securing agent access to a manufacturing UNS includes:
Identity layer. mTLS with per-agent certificates, short-lived tokens via OAuth 2.0, identity attributes embedded in credentials.
Authorization layer. HiveMQ Broker extensions evaluating topic-level ACLs per operation, with role-based groupings, wildcard restrictions, and contextual constraints fed by HiveMQ Data Hub policies.
Write control layer. Payload validation via Data Hub schemas, rate limiting per agent and topic, approval chains for safety-critical topics using staging topics, and cumulative action budgets.
Audit and revocation layer. Comprehensive logging streamed to Kafka and SIEM, real-time anomaly detection triggering automated quarantine, and dynamic policy updates for immediate revocation.
HiveMQ Pulse's governance capabilities tie these layers together by providing centralized visibility into what agents exist on the UNS, what they are authorized to do, and what they have actually done. The Semantic Graph within Pulse can model agent-to-topic relationships, making it possible to visualize and query the security posture of the entire agent fleet.
This architecture does not require replacing existing OT security infrastructure. It layers on top of network segmentation, firewall rules, and SCADA security controls that should already be in place. The broker becomes the policy enforcement point for agent behavior within the UNS, complementing (not replacing) network-level controls.
Frequently Asked Questions
Securing agent access to the UNS is not a feature to enable after deployment. It is an architectural decision that shapes every subsequent capability. Organizations that build identity, authorization, write constraints, and auditability into their UNS from the start will scale their agent deployments with confidence. Those that retrofit security onto an already-populated agent ecosystem will face exponentially higher complexity and risk.
The HiveMQ platform, with the Broker as the enforcement surface, Data Hub for payload governance, and Pulse for centralized policy management and visibility, provides the infrastructure to implement these guardrails without building from scratch.
Schedule a consultation with our solutions architects to design an agent security architecture for your UNS deployment. For a deeper look at how HiveMQ Broker's security framework supports advanced authorization patterns, explore the enterprise security documentation. Organizations already running HiveMQ in production can explore how HiveMQ Pulse's governance capabilities extend security policy management across the UNS.
Kudzai Manditereza
Kudzai is a tech influencer and electronic engineer based in Germany. As a Senior Industrial Solutions Advocate at HiveMQ, he helps developers and architects adopt MQTT, Unified Namespace (UNS), IIoT solutions, and HiveMQ for their IIoT projects. Kudzai runs a popular YouTube channel focused on IIoT and Smart Manufacturing technologies and he has been recognized as one of the Top 100 global influencers talking about Industry 4.0 online.
