Hot-Work Permits Are Decades Old. AI Agents Need Them Too.
Keel Editorial Team
Research on AI governance, budgets, and auditability
This week, Sam Altman announced OpenAI is re-forming its robotics division: "robots to support skilled workers to build our future infrastructure." That phrase — skilled workers, infrastructure — is one industrial safety has organized itself around for decades. The vocabulary OpenAI just adopted is older than its founders.
It's also exactly the vocabulary AI governance has been missing.
The re-formation matters more than the founding would have. OpenAI ran a robotics team for years, built Dactyl (the famous Rubik's-cube-solving robotic hand), and disbanded the effort in 2020. The fact that they're returning — after publicly walking away — is a stronger market signal than a first-time entry would be. The physical-world thesis has matured enough that even the company that gave up on robotics is back.
Five permits, one primitive
Walk through any building site, refinery, hospital, or stock exchange and you'll find a permit before any consequential action:
A building permit. Before you renovate, an inspector signs off on plans, scope, time window, and qualified executor. The record stays with the property forever.
A credit-card pre-authorization. Before the merchant accepts your swipe, the card network checks fraud rules, balance, and limits, returns approve or decline, and logs every step. The merchant never sees your full balance; the bank never sees the merchant's pricing logic; you get a signed receipt.
A hot-work permit. Before a welder strikes an arc inside an oil refinery, a permit authority signs off on hazard class, isolation status, fire watch, atmospheric testing, time window, and qualified executor. Multiple parties sign. Anyone with authority can revoke. The signed record is the difference between a routine job and a federal investigation.
A prescription for a controlled substance. Before a pharmacy dispenses Schedule II, a DEA-registered prescriber signs the prescription, the pharmacist records the dispensing, and the records are federally required to be retained for at least two years under 21 CFR 1304.
An AI agent action permit. Before an agent calls a tool, transfers a payment, modifies code, or moves a robot arm — a decision is made about whether the action is allowed. Today, that decision usually lives in a Python if statement somewhere. Sometimes it doesn't exist at all.
These are the same primitive. A pre-action decision, signed by the authorized parties, scoped in time and surface, recorded in a chain anyone can verify later. The industrial world figured this out decades ago. The AI world is rediscovering it now, mostly by accident, mostly without naming what it's building.
Why this matters this week
OpenAI just told you exactly which domain the primitive becomes load-bearing in.
"Robots to support skilled workers." Translation: industrial settings. Construction sites. Refineries. Manufacturing floors. Substation work. Logistics yards. These are environments that already run on permits. Every contractor knows what a hot-work permit looks like. Every plant safety manager has signed dozens this week. The vocabulary is there. The compliance reflex is there. The audit infrastructure is there.
What's missing is the cryptographic substrate underneath. Today's industrial permit is a PDF in a filing cabinet, or a row in Enablon or Cority or Sphera. It's evidence in the colloquial sense, not the cryptographic sense. When an AI agent — a vision-language-action model, a teleoperated robot, an autonomous orchestrator — joins the system, the existing permit infrastructure doesn't break. It just doesn't extend.
You can't sign a 2024 hot-work permit on behalf of a 2026 autonomous welding robot. You can't issue a one-shot permit to a foundation model whose behavior depends on training data your safety officer never saw. You can't audit "the agent did what was approved" when neither the approval nor the action carries a verifiable signature.
This is the gap the industrial world will discover the first time something goes wrong. A 2026 Cloud Security Alliance survey — Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises, published April 21, 2026 — found that 65% of enterprises running AI agents had at least one incident in the past 12 months; among them, 61% reported data exposure, 43% operational disruption, and 35% reported financial losses. The industrial buyers OpenAI is courting are well above average at noticing this kind of gap. They will not be the ones who quietly write off the loss.
The lesson the AI world already paid for
October 2, 2023. A Cruise robotaxi struck a pedestrian in San Francisco, then dragged her twenty feet. Cruise reported the incident to the NHTSA. The report omitted the dragging. The company had video evidence the entire time. The omission became the basis for a deferred prosecution agreement, a $500,000 criminal fine, and a federally required Safety Compliance Program.
The technical failure wasn't the collision — those are statistically inevitable as autonomous fleets scale. The institutional failure was that the company's report didn't match its own video. When AI systems take physical actions, the integrity of the after-the-fact record becomes existential. Not because regulators will catch you — though they will — but because no one can defend a system whose post-hoc account is selectable.
The industrial world solved this problem decades ago. A hot-work permit isn't just an authorization. It's a signed record that survives the work, the workers, the company, and the investigation. When the OSHA inspector arrives, the permit either exists, signed by the right people, with the right scope, or it doesn't. There is no editing it later.
AI needs the same property. Not eventually. Now, as the first robotaxi fleets scale, as the first warehouse orchestrators run autonomously through night shifts, as the first deployments from OpenAI's re-formed robotics team enter customer environments.
What the permit primitive actually requires
Four properties, all with decades of standards backing them:
Pre-action decision. A permit is issued before the action, not reconstructed after. The decision is itself an artifact: the policy at the moment, the parties who agreed, the scope they agreed to.
Multi-party signature. A meaningful permit is never one signature. A hot-work permit needs the issuing authority, the receiving executor, and a safety officer or witness. A controlled-substance prescription needs the prescriber and the dispensing pharmacist. A wire transfer needs the requester and the approver. AI agents need the equivalent: the operator who delegated authority, the system that executed, and increasingly, a human in the loop for consequential decisions.
Time-bounded scope. Industrial permits expire — at end of shift, end of task, end of inspection window. The expiry isn't bureaucratic friction. It's a forcing function: scope cannot be silently extended; re-authorization requires re-evaluation.
Tamper-evident record. Not just logged. Cryptographically signed, chained, and externally anchored such that an independent third party — auditor, regulator, insurer, court — can verify the record was not edited after the fact. This is what transparency-log standards (RFC 9162, IETF SCITT, Sigstore Rekor) provide for software supply chains. The same primitive applies to permits.
These aren't novel inventions. They're the union of industrial safety culture (ISO 45001, OSHA 29 CFR 1910.119 Process Safety Management), regulated finance (PCI DSS, SOX), pharmaceutical authority (DEA 21 CFR 1304), and modern transparency-log infrastructure. The permit primitive sits at their intersection.
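The four properties above as a minimal sketch, added here as an illustration and not code from Keel or any vendor named in this article. HMAC with constructed shared keys stands in for per-party asymmetric signatures, and the role names, field names and functions are assumptions.

```python
import hashlib, hmac, json

# Constructed demo keys. Assumption: HMAC stands in for real per-party
# asymmetric signatures, where a verifier would hold only public keys.
KEYS = {"operator": b"op-demo-key", "executor": b"ex-demo-key", "safety": b"so-demo-key"}
REQUIRED = ("operator", "executor", "safety")  # multi-party signature
GENESIS = "0" * 64

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def entry_digest(body, sigs):
    return hashlib.sha256(canonical({"body": body, "sigs": sigs})).hexdigest()

def sign(role, body):
    return hmac.new(KEYS[role], canonical(body), hashlib.sha256).hexdigest()

def issue(log, action, surface, not_before, not_after):
    """Pre-action decision: build, co-sign and chain a permit before anything runs."""
    body = {"action": action, "surface": surface,
            "not_before": not_before, "not_after": not_after,
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    sigs = {role: sign(role, body) for role in REQUIRED}
    entry = {"body": body, "sigs": sigs, "entry_hash": entry_digest(body, sigs)}
    log.append(entry)
    return entry

def authorize(permit, action, surface, now):
    """Gate the agent calls before acting: all signatures, exact scope, time window."""
    body = permit["body"]
    for role in REQUIRED:
        if not hmac.compare_digest(permit["sigs"].get(role, ""), sign(role, body)):
            return False, f"missing or bad signature: {role}"
    if (action, surface) != (body["action"], body["surface"]):
        return False, "out of scope"
    if not body["not_before"] <= now < body["not_after"]:
        return False, "outside time window"
    return True, "ok"

def verify_chain(log):
    """Auditor's check: index of the first entry whose hash or link fails, else -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["body"]["prev"] != prev or entry["entry_hash"] != entry_digest(entry["body"], entry["sigs"]):
            return i
        prev = entry["entry_hash"]
    return -1
```

An edit to the newest entry with a recomputed hash still passes `verify_chain`, which is why the chain head also has to be published to an external log that the record keeper cannot rewrite.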
What changes when AI enters
Three things compress at once:
Speed. An industrial permit is signed in minutes; an AI agent issues hundreds of actions per second. The substrate has to be fast enough to be invisible at agent timescale, durable enough to survive subpoena at company timescale.
Cross-vendor scope. A hot-work permit covers one welder, one work cell, one shift. An AI agent permit may cross a foundation model, a tool provider, an orchestrator, a downstream API, and a human approver. The signature chain has to compose across vendor boundaries without requiring any of them to trust each other.
Volume of evidence. Industrial safety produces one permit per task. Agent governance produces one per action, sometimes thousands per session. The evidence infrastructure has to make this surveyable, not just storeable.
These are tractable engineering problems. They are not, however, problems that get solved by adding a logging library after the fact. They require the permit primitive to be load-bearing in the architecture, not bolted on.
The vocabulary already exists
If you work in industrial safety, you already know what Permit-to-Work means. If you work in finance, you know what pre-authorization means. If you work in healthcare, you know what prior-auth and DEA prescription authority mean. If you've ever renovated a house, you know what a building permit is.
The work over the next 18 months — as OpenAI's re-formed robotics team ships, as Anthropic and Google follow, as the first autonomous industrial deployments enter Fortune 500 plants — is bringing the vocabulary the rest of the world already has into the AI world. Decide what your AI can do, before it does it. Prove what it did, in a way someone else can verify.
That's not a new idea. It's the oldest idea in safety-critical operations, applied to a new substrate.
The companies that build it correctly will be the ones who treated the permit primitive as foundational. Not the ones who decided governance was something to figure out after launch.
Sources
1. Sam Altman post on OpenAI robotics focus — X
2. OpenAI Restarted Its Robotics Team — The Information
3. Learning dexterity — OpenAI
4. OpenAI disbands its robotics research team — VentureBeat
5. New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents — CSA
6. Cruise Admits To Submitting A False Report To Influence A Federal Investigation And Agrees To Pay $500,000 — DOJ
7. 21 CFR 1304.04, Maintenance of records and inventories — eCFR
8. 29 CFR 1910.119, Process safety management of highly hazardous chemicals — OSHA
9. RFC 9162, Certificate Transparency Version 2.0 — RFC Editor
10. Supply Chain Integrity, Transparency, and Trust working group — IETF
11. Rekor transparency log overview — Sigstore