TL;DR: The NERC 2025 ERO Reliability Risk Priorities Report says cyber and physical security complexity is now one of the most urgent threats to the North American bulk power system as interconnected digital systems, AI-driven loads, and siloed controls expand the attack surface, according to AlertEnterprise. Unified identity, access, and resilience controls are becoming a reliability requirement, not just a security preference.
At a glance
What this is: NERC’s 2025 reliability priorities frame cyber and physical security convergence as an urgent threat to bulk power reliability as digital dependencies expand.
Why it matters: Utilities and critical infrastructure teams need unified identity and access governance because siloed cyber and physical controls can miss credential misuse, contractor access gaps, and operational risk.
By the numbers:
- The same survey found that only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, making organisations failing to scope AI access properly 4.5x more likely to experience a security incident.
👉 Read AlertEnterprise's analysis of NERC 2025 reliability risk priorities
Context
Cyber and physical security convergence is no longer a niche utility issue. In critical infrastructure, identity, access, and operational resilience are now coupled to the same reliability outcomes, because attackers, contractors, automated systems, and operational technology all share the same business impact surface.
For utilities, the governance gap is not simply a lack of tools. It is the persistence of siloed security operating models that separate workforce identity, contractor access, cyber controls, and physical access when the environment now behaves as one system.
Key questions
Q: What breaks when cyber and physical access are governed separately in critical infrastructure?
A: Separate governance usually breaks at the handoff points. A user, contractor, or system may still hold one form of access after another has been revoked, leaving gaps that audit evidence will not catch quickly. In critical infrastructure, that mismatch can create reliability exposure before anyone notices the control failure. One entitlement view across domains is the safer operating model.
Q: Why do AI-driven loads increase access governance risk for utilities?
A: AI-driven loads increase risk because they introduce more dynamic integrations, more credentialed automation, and more decision paths that depend on delegated access. If those paths are over-privileged or poorly inventoried, they expand the attack surface in ways conventional periodic reviews miss. The issue is not AI itself, but the identity controls attached to it.
Q: How can utilities know whether converged identity governance is actually working?
A: Teams should measure whether one access record covers workforce, contractor, physical, and operational entitlements without manual reconciliation. If review teams still need to join data from multiple systems to answer basic questions, the governance model is fragmented. Evidence quality, offboarding speed, and exception closure rates are the clearest signals.
Q: Who is accountable when a missing access review affects grid reliability?
A: Accountability usually sits with the organisation’s control owners, not the technology stack. For critical infrastructure, that means IAM, physical security, OT operations, and compliance teams must share clear ownership for review, approval, and revocation outcomes. If no one owns the full path, the gap becomes a recurring reliability risk.
Technical breakdown
Why unified identity governance matters for NERC CIP readiness
NERC CIP readiness depends on proving that access is controlled, reviewed, and appropriate for the environment in question. Converged identity governance helps because it gives one view of who or what has access, where that access applies, and whether the entitlement still makes sense. Without that unified control plane, teams end up reconciling fragmented evidence across cyber, physical, and operational systems during audit or incident response.
Practical implication: map access review, authentication, and risk validation evidence to a single governance workflow.
NHI Mgmt Group analysis
Cyber and physical security convergence is now an identity governance problem, not only a resilience problem. The article’s core finding is that utilities can no longer rely on separate cyber and physical control models when digital systems, contractor access, and operational workflows are intertwined. That means the governance question shifts from whether a control exists to whether it spans every identity that can affect reliability. Practitioners should treat convergence as an access governance redesign, not a reporting exercise.
Fragmented identity evidence creates reliability blind spots. When workforce, contractor, mobile credential, and operational access are tracked in different systems, risk reviews become incomplete even if each system is individually compliant. That gap is especially relevant for critical infrastructure because the consequence is operational interruption, not just data exposure. The practical conclusion is that one entitlement view is now a reliability requirement.
Operational identities deserve the same governance discipline as human users. Utility environments increasingly depend on non-human access paths, automated monitoring, and cross-system integrations that can move faster than manual review cycles. If those identities are not included in access governance, the organisation will misread its own risk posture. Practitioners should extend identity governance to machine and service identities wherever they can influence physical or cyber operations.
AI adoption in infrastructure amplifies the need for least privilege across domains. The report’s concern about AI-driven loads points to a broader pattern: new automation increases dependency on access paths that were already hard to govern. In practice, over-privilege is the failure mode that turns automation into exposure. The practitioner takeaway is to scope AI-related access as tightly as any privileged operational role.
Converged access threshold: the point at which cyber, physical, and operational access controls must be governed together because a single entitlement can affect reliability across domains. Once organisations cross that threshold, separate review processes become structurally insufficient. Practitioners should redesign controls around shared identity risk rather than system-by-system ownership.
What this signals
Converged identity governance will become a reliability control for critical infrastructure. As utilities and energy operators connect more systems, they will need access models that can prove who or what is authorised across cyber, physical, and operational domains. The practical signal is clear: programmes that still separate these views will struggle to keep pace with audit, incident response, and resilience demands.
AI-related access should be measured as a privileged identity problem. Even where AI is not the primary subject, the presence of AI-driven loads and automation means access paths are becoming more dynamic and harder to govern manually. That makes scoped access, ownership, and lifecycle controls the real programme signals, not the number of tools deployed.
Teams that already manage non-human identity governance can reuse those patterns here, especially around credential scope, review cadence, and ownership. The difference is that in critical infrastructure the consequence is operational continuity, so access drift becomes a resilience issue as much as an IAM issue.
For practitioners
- Unify identity inventories across cyber and physical systems Create a single inventory for workforce, contractor, mobile credential, and operational identities so access reviews can identify duplicated, orphaned, or conflicting entitlements across domains.
- Map NERC CIP evidence to one access governance workflow Tie authentication, approval, review, and exception evidence into a common workflow so audit readiness does not depend on reconciling separate cyber and physical records.
- Review AI-connected and automated access paths as privileged identities Treat AI-enabled integrations, automated loaders, and system-to-system credentials as governed identities with scoped permissions, monitoring, and lifecycle ownership.
- Align contractor offboarding with operational access removal Ensure contractor and vendor termination processes revoke physical badges, logical access, and any shared operational credentials in the same offboarding sequence.
Key takeaways
- The report reframes cyber and physical security as one reliability challenge, which pushes identity governance into the centre of critical infrastructure risk management.
- The core weakness is fragmentation, because separate access models make it harder to prove control across workforce, contractor, AI-connected, and operational identities.
- Utilities should respond by unifying identity inventory, access evidence, and offboarding so reliability risk is governed end to end.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity and access governance is central to the cyber-physical convergence issue. |
| NIST SP 800-53 Rev 5 | AC-2 | Account management is required for workforce, contractor, and machine identities. |
| NIST Zero Trust (SP 800-207) | Zero trust fits environments where access must be verified across domains and contexts. | |
| NIST AI RMF | GOVERN | AI-driven loads and automation require governance for accountability and oversight. |
Apply zero trust principles to every access decision that can affect operational continuity.
Key terms
- Converged Identity Governance: Converged identity governance is the practice of managing access across cyber, physical, and operational systems through one control model. It reduces blind spots by treating workforce, contractor, device, and machine access as a single risk surface with shared lifecycle and review requirements.
- Operational Identity: An operational identity is any account, credential, badge, token, or system identity that can affect physical processes or infrastructure outcomes. In critical infrastructure, these identities can be as sensitive as human administrator accounts because their misuse can alter reliability, safety, or continuity.
- AI-Connected Access Path: An AI-connected access path is any credentialed integration, workflow, or delegated permission that lets AI-enabled systems influence infrastructure or operational decisions. The risk is not limited to the model itself. It lies in the permissions, scope, and monitoring attached to the path.
What's in the full article
AlertEnterprise's full article covers the operational detail this post intentionally leaves for the source:
- How the report frames converged identity governance for cyber, physical, and operational identities in utility environments.
- The specific NERC CIP readiness themes behind automated identity, access, and risk validation.
- The vendor's view of mobile credentials and digital identity as a replacement for legacy cards in workforce and contractor access.
- Why AI-powered threat intelligence is positioned as part of anomaly detection and credential misuse prevention.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and workload identity. It gives practitioners a practical foundation for extending identity control into complex operational environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org