Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about cyber-physical convergence?

Teams often assume existing IAM controls can be reused without adjustment. In practice, utility environments require tighter separation of duties, more explicit approval paths, and stronger evidence of who accessed what, when, and for which task. If cyber and physical controls are managed separately, the organisation can miss the combined risk.

Why Security Teams Misread the Risk

Cyber-physical convergence is often treated as a network segmentation problem, but the real issue is control coupling: a cyber action can now trigger a physical consequence, and a physical event can create a cyber path. That means the usual assumptions behind shared admin access, broad emergency accounts, and generic approval workflows are too loose. Current guidance suggests treating these environments as high-consequence identity systems, not just connected OT and IT stacks.

That distinction matters because identity failures in one domain now propagate into the other. The Ultimate Guide to NHIs — Why NHI Security Matters Now shows how quickly over-privileged non-human identities expand attack surface, while CISA cyber threat advisories repeatedly show adversaries chaining weak access, poor logging, and delayed response across environments. Security teams get this wrong when they optimise for continuity alone and forget that unsafe convenience in one layer becomes unsafe control in the other. In practice, many teams discover the gap only after an operator session, vendor connection, or automation job has already crossed both cyber and physical boundaries.

How It Should Be Controlled in Practice

Effective convergence governance starts with mapping every identity that can influence physical assets, including operators, service accounts, API keys, automation tools, and remote vendor access. The critical question is not only who can log in, but what task they can perform, under what conditions, and with what evidence. NHI Management Group research in the Ultimate Guide to NHIs — Key Challenges and Risks shows how excessive privilege and weak rotation create persistent exposure, which is especially dangerous when the same identity can touch both a control plane and an operational environment.

Practitioners should separate standing access from task-based access and insist on explicit approvals for sensitive physical actions. That usually means:

  • Using least privilege for normal operations and separate break-glass access for emergencies.
  • Applying JIT elevation for time-bound tasks, with automatic expiry and revocation.
  • Requiring strong audit trails that capture who approved, who executed, what changed, and which asset was affected.
  • Segmenting vendor and contractor access so remote support cannot drift into general admin privilege.
  • Reviewing logs across cyber and physical systems together, not in separate tools and separate teams.

For control design, NIST SP 800-53 Rev 5 Security and Privacy Controls provides useful control families for access enforcement, auditability, and accountability, while the MITRE ATLAS adversarial AI threat matrix is relevant where automation or decision support is used to orchestrate actions across systems. These controls tend to break down when legacy OT assets cannot enforce short-lived credentials and shared maintenance accounts remain permanently enabled.

Where the Standard Answer Breaks Down

Tighter separation of duties often increases operational friction, requiring organisations to balance safety against restoration speed and field maintenance realities. That tradeoff is real in plants, utilities, and transport environments where downtime is expensive and remote support is sometimes essential. Best practice is evolving, but there is no universal standard for how much emergency access should be pre-authorised versus approved at runtime.

The main edge case is legacy infrastructure that cannot support modern identity controls. In those environments, teams may need compensating controls such as jump hosts, session recording, manual two-person approval, or network isolation to reduce risk until systems can be modernised. Another common failure mode is vendor access that is technically temporary but operationally habitual, which turns a supposed exception into standing privilege. The The 52 NHI breaches Report and Top 10 NHI Issues both reinforce the same pattern: access that is not explicitly time-bound and task-bound tends to survive long after the original need has passed. In the field, convergence problems usually surface when an emergency override, third-party connection, or stale privileged session is left in place because no one owned the combined cyber-physical review.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Stresses rotation and expiry for privileged non-human access used across cyber-physical systems.
CSA MAESTRO Applies to orchestrated agent and workflow access that can trigger physical actions.
NIST AI RMF Supports governance of autonomous or semi-autonomous decision flows affecting physical outcomes.
NIST CSF 2.0 PR.AC-4 Least-privilege access is central when one identity spans IT and OT domains.
NIST Zero Trust (SP 800-207) SC-7 Zero trust segmentation and policy enforcement reduce cross-domain blast radius.

Replace standing access with short-lived, task-scoped NHI credentials and enforce rotation or revocation on completion.