Because SOCI treats identity as part of operational resilience. Weak access control can turn a security incident into a reporting failure, a privilege problem into an availability event, and a staffing change into lingering risk. Governance must therefore cover access design, logging, and offboarding together.
Why This Matters for Security Teams
SOCI shifts identity governance from a narrow IT control to a resilience obligation. For critical infrastructure operators, that means access decisions, logging, and offboarding can no longer be treated as separate hygiene tasks. A weak service account, stale API key, or poorly revoked privileged access can create not just compromise exposure, but also reporting and operational continuity issues under the regime. That is why identity evidence now matters as much as uptime evidence.
NHIMG research shows the scale of the problem: 80% of identity breaches involved compromised non-human identities, and 97% of NHIs carry excessive privileges, which broadens blast radius when something goes wrong. The core lesson aligns with the Ultimate Guide to NHIs and with the resilience focus in the NIST Cybersecurity Framework 2.0: identity governance has to be measurable, continuous, and tied to business service impact.
In practice, many security teams encounter identity failures only after a service outage, an audit request, or a post-incident review, rather than through intentional governance.
How It Works in Practice
Under SOCI, operators should treat identity controls as part of operational readiness. That starts with knowing which human and non-human identities exist, what they can reach, and how quickly they can be removed when a role or system changes. The governance model should include lifecycle ownership, privileged access review, credential rotation, session logging, and offboarding validation as one chain, not isolated controls.
For non-human identities, current guidance suggests prioritising short-lived access over standing credentials. The Lifecycle Processes for Managing NHIs section of NHIMG’s research emphasises rotation, inventory, and revocation discipline because secrets often outlive the system or person that created them. In regulated environments, that means mapping every service account, API key, certificate, and automation token to an owner, a purpose, a review date, and a removal trigger.
- Inventory all privileged identities, including service accounts and automation tokens.
- Assign a business owner and a technical owner for each identity.
- Enforce least privilege and remove broad standing access where possible.
- Use short-lived credentials and revoke them automatically on job completion or role change.
- Log identity use in a way that supports incident response and audit evidence.
This approach is consistent with the reporting and control expectations reflected in the EU NIS2 Directive and with sector guidance from CISA cyber threat advisories. These controls tend to break down when operators have many legacy systems, shared service accounts, or unmanaged vendor connections because ownership and revocation become ambiguous.
Common Variations and Edge Cases
Tighter identity governance often increases operational overhead, requiring organisations to balance resilience benefits against engineering friction and maintenance cost. That tradeoff is especially visible in critical infrastructure, where some systems are legacy, highly available, or difficult to modify without outage risk.
One common edge case is shared operational access in plant, grid, or OT environments. Best practice is evolving, but there is no universal standard for this yet: some environments still rely on tightly controlled shared credentials where per-user identity is not technically feasible. Even then, compensating controls should include strong session logging, vaulting, approval workflows, and periodic replacement of shared secrets.
Another issue is vendor and contractor access. SOCI expectations are harder to meet when external support teams retain dormant access or when offboarding is handled outside the operator’s normal process. NHIMG’s Top 10 NHI Issues highlights why long-lived credentials and poor revocation discipline are persistent failure modes. Where automation and AI are part of the environment, the same logic applies to machine identities: access must be scoped to task, time, and context, not granted as a permanent entitlement. In the real world, the hardest failures come from identities that no one can confidently name, own, or retire.
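The checklist above (inventory, owners, least privilege, short-lived credentials, logging) and the two edge cases in this section (shared OT credentials with compensating controls, dormant vendor access) can be checked mechanically once the inventory carries the right fields. The following is an added example, not code from the original page or from NHIMG: it audits a constructed NHI inventory against those rules. The inventory schema, field names, sample rows and the 90-day lifetime and 30-day dormancy thresholds are assumptions for illustration, not values the page states.

```python
"""Audit a non-human identity (NHI) inventory against the governance checklist.

Added example, not code from the original page or from NHIMG. The inventory
schema, field names, thresholds and sample rows are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy thresholds (tune to your own SOCI risk management program).
MAX_CREDENTIAL_LIFETIME = timedelta(days=90)   # anything longer is "long-lived"
DORMANT_AFTER = timedelta(days=30)             # unused this long counts as dormant


@dataclass
class Identity:
    name: str
    kind: str                         # service_account | api_key | certificate | token | shared
    business_owner: Optional[str]
    technical_owner: Optional[str]
    purpose: Optional[str]
    review_date: Optional[date]       # next scheduled access review
    removal_trigger: Optional[str]    # e.g. "job completion", "role change", "contract end"
    issued: date
    expires: Optional[date]           # None means a standing credential
    last_used: Optional[date]
    permissions: list = field(default_factory=list)
    external: bool = False            # vendor or contractor access
    vaulted: bool = False             # compensating controls for shared credentials
    session_logged: bool = False


def is_broad(permission: str) -> bool:
    """Wildcard or admin-style grants are treated as broad standing access."""
    return permission.endswith("*") or permission.split(":")[-1] in ("admin", "owner")


def audit(identity: Identity, today: date) -> list:
    """Return the governance findings for one identity (empty list = compliant)."""
    findings = []
    # Ownership, purpose, review cadence and removal trigger: one chain, not isolated controls.
    if not identity.business_owner or not identity.technical_owner:
        findings.append("missing business or technical owner")
    if not identity.purpose:
        findings.append("missing purpose")
    if identity.review_date is None:
        findings.append("no review date")
    elif identity.review_date < today:
        findings.append("access review overdue")
    if not identity.removal_trigger:
        findings.append("no removal trigger")
    # Least privilege.
    if any(is_broad(p) for p in identity.permissions):
        findings.append("broad standing privilege")
    # Prefer short-lived credentials over standing ones.
    if identity.expires is None:
        findings.append("standing credential with no expiry")
    elif identity.expires < today:
        findings.append("expired credential still in inventory")
    elif identity.expires - identity.issued > MAX_CREDENTIAL_LIFETIME:
        findings.append("credential lifetime exceeds policy")
    # Dormant access, with vendor or contractor access called out separately.
    if identity.last_used is None or today - identity.last_used > DORMANT_AFTER:
        findings.append("dormant vendor access" if identity.external else "dormant identity")
    # Shared OT credentials need vaulting and session logging as compensating controls.
    if identity.kind == "shared" and not (identity.vaulted and identity.session_logged):
        findings.append("shared credential without vaulting and session logging")
    return findings


def audit_inventory(identities, today: date) -> dict:
    """Map each identity name to its findings; feed the result into review and reporting."""
    return {i.name: audit(i, today) for i in identities}


# Constructed sample inventory (hypothetical names, not real systems).
TODAY = date(2025, 1, 15)
INVENTORY = [
    Identity("grid-telemetry-sa", "service_account", "Ops Manager", "Platform Team",
             "push substation telemetry", TODAY + timedelta(days=60), "role change",
             issued=TODAY - timedelta(days=1), expires=TODAY + timedelta(days=1),
             last_used=TODAY, permissions=["telemetry:write"]),
    Identity("vendor-support-key", "api_key", "Maintenance Lead", None,
             "remote diagnostics", TODAY - timedelta(days=200), "contract end",
             issued=TODAY - timedelta(days=400), expires=None,
             last_used=TODAY - timedelta(days=120), permissions=["scada:*"], external=True),
    Identity("plant-hmi-shared", "shared", "Plant Manager", "OT Engineering",
             "HMI operator login", TODAY + timedelta(days=30), "quarterly rotation",
             issued=TODAY - timedelta(days=200), expires=TODAY + timedelta(days=165),
             last_used=TODAY - timedelta(days=2), permissions=["hmi:operate"],
             vaulted=False, session_logged=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings) or 'compliant'}")
```

Run against the sample rows, the short-lived telemetry service account comes back clean, the vendor API key collects five findings (no technical owner, overdue review, wildcard privilege, no expiry, dormant for 120 days), and the shared HMI login is flagged for a 365-day credential lifetime and for lacking a vault even though sessions are logged. The point of keeping each rule as a separate finding is that the same output doubles as audit evidence: every line names a control that either holds or does not.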
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and entitlements managed and reviewed under least privilege; identity and access governance is central to SOCI-style resilience outcomes. |
| NIST CSF 2.0 | PR.PS-04 (PR.PT-1 in CSF 1.1) | Log records generated and available for monitoring; logging and auditability are needed to prove identity control effectiveness. |
| NIST AI RMF | (no specific control cited) | Resilience governance should account for adaptive identity risks and accountability where automation and AI act as machine identities. |
Ensure identity activity is logged, retained, and usable for incident response and reporting.