Accountability usually spans OT operations, security engineering, and the owners of shared identity and infrastructure services. If the spread followed a privileged path, the entitlement owner and platform owner both need to explain why the access existed. Frameworks such as NIST-CSF, NIST-800-53, and ISA or IEC 62443 help assign control responsibility.
Why This Matters for Security Teams
When an OT incident moves from a plant environment into enterprise systems, accountability becomes more than an escalation question. It becomes a control ownership question. Security teams need to know who approved the path, who maintained the trust relationship, and who was responsible for the identity, remote access, and segmentation controls that failed. That matters because containment, reporting, and remediation all depend on clear ownership, not just technical detection. NIST guidance such as NIST SP 800-53 Rev 5 Security and Privacy Controls helps organisations map responsibilities to controls, but it does not remove the need for internal accountability assignments.
In OT environments, the operational risk is often amplified by shared identity infrastructure, remote vendor access, and historical exceptions that were never revisited. If an attacker or malware can move from a historian, engineering workstation, or remote access gateway into business systems, then the breach is usually exposing an ownership gap that existed long before the alert. In practice, many security teams encounter this only after lateral movement has already crossed the plant and enterprise boundary, rather than through intentional accountability design.
How It Works in Practice
Accountability in these cases is usually distributed across three layers: OT operations, enterprise security, and shared service owners. OT operations typically own the availability and safety of plant-facing assets, including engineering workstations, historians, controllers, and safety-adjacent support systems. Enterprise security usually owns monitoring, incident response, identity governance, and the controls that govern how trust extends into the plant. Shared infrastructure teams, such as IAM, PAM, network, and endpoint platform owners, are accountable for the access paths that make cross-domain movement possible.
The practical question is not only who detected the breach, but who accepted the risk of the access path that enabled spread. That includes remote access accounts, service accounts, vendor credentials, backup tooling, jump hosts, and any OT-to-IT integration point with broad trust. Where those identities are privileged, the owner of the entitlement should be able to explain why access existed, how it was approved, and what monitoring was in place. For identity-heavy environments, this is where NHI governance becomes relevant, because machine identities and service accounts often outlive the people who approved them.
- Define a single incident owner for coordination, even if control ownership remains split.
- Map each cross-domain access path to a named business, OT, and technical owner.
- Review privileged accounts, service accounts, and remote vendor access as first-class breach paths.
- Record which compensating controls existed, such as segmentation, PAM, MFA, logging, and approval workflows.
- Preserve evidence of who approved exceptions and who revalidated them.
Frameworks such as ISA/IEC 62443 are useful for structuring zones, conduits, and operational responsibilities, while NIST control families help translate that structure into enforceable governance. These controls tend to break down when legacy OT assets depend on shared credentials, flat network trust, or unmanaged vendor remote access because the accountable owner of the access path is no longer clear.
Common Variations and Edge Cases
Tighter accountability often increases coordination overhead, requiring organisations to balance operational speed against the need for clear control ownership. That tradeoff is especially visible in plants that rely on vendors, integrators, and shared support teams, where no single group owns the full access chain. In those environments, there is no universal standard for who must approve every exception, but current guidance suggests that the risk owner, the system owner, and the identity or platform owner should all be explicitly named.
One common edge case is a breach that begins in IT and later impacts OT. In that scenario, enterprise security may own the initial incident response, but OT leadership still owns safety and production decisions once plant systems are involved. Another edge case is a breach that starts with a service account or automation identity. Because those identities may not belong to a person, accountability should shift to the team that provisioned, reviewed, and protected the identity lifecycle. This is where modern guidance intersects with agentic and machine identity governance, even when the original question is not about AI.
For organisations handling critical infrastructure or regulated production, the accountability model should also include evidence retention and post-incident control validation. The goal is not to assign blame after the fact, but to prove which teams owned segmentation, privilege, logging, and recovery before the spread occurred. Where that evidence is missing, responsibility usually becomes contested after the incident rather than resolved during design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Governance and oversight define who is accountable across OT and enterprise boundaries. |
| NIST SP 800-53 Rev 5 | AC-2 | Accountability depends on managing accounts and approvals that enable lateral movement. |
| OWASP Non-Human Identity Top 10 | Machine and service identities often drive propagation across plant and enterprise systems. |
Assign named owners for cross-domain risk, review escalation paths, and document oversight for shared access paths.
Related resources from NHI Mgmt Group
- How should security teams govern access when sensitive data is spread across multiple systems?
- Who should be accountable for AI agent actions in enterprise systems?
- What breaks when audit evidence is spread across multiple systems?
- Who is accountable when vendor sessions on OT systems are not fully logged?