TL;DR: Manufacturing identity governance breaks down when machine identities, automation systems, and vendor access outpace human decision cycles, according to CyberArk. The core problem is not control absence but unclear authority, which leaves OT, IT, and security unable to act quickly during live production incidents.
At a glance
What this is: This is an analysis of why identity governance fails in smart-factory environments when OT, IT, and vendor access collide with machine-speed automation.
Why it matters: It matters because IAM teams must treat machine identities and production access as operational risk, not just account administration.
By the numbers:
- Machine identities outnumber humans by 82:1 in modern manufacturing environments.
- 97% of NHIs (non-human identities) carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Context
Smart-factory identity governance breaks when production systems, remote vendors, automation, and AI all make access decisions faster than the humans responsible for them can coordinate. In that environment, IAM is no longer just about authentication and approval workflows. It becomes part of operational continuity, because unclear ownership can stop production or create unsafe conditions.
The article argues that traditional compliance frameworks can verify controls, but they do not prove decision readiness during live incidents. That distinction matters for NHI governance because machine identities, service accounts, and vendor connections increasingly act like privileged operators on the factory floor. For readers who need a deeper baseline on governance and lifecycle control, the Ultimate Guide to NHIs remains the most relevant starting point.
Key questions
Q: How should security teams govern machine identities in manufacturing environments?
A: Security teams should govern machine identities like operational actors, not passive accounts. That means assigning ownership, limiting scope, setting expiry conditions, and defining who can intervene when behaviour changes unexpectedly. In manufacturing, the control objective is not only preventing misuse, but preserving safe and timely response options when automation affects production.
Q: Why do traditional IAM controls struggle in smart factories?
A: Traditional IAM controls are built for human-paced approvals and office-style access patterns. Smart factories add continuous automation, vendor connectivity, and OT dependencies, so identity decisions happen under time pressure and with safety consequences. The result is a governance gap where teams may have logs and policies but still lack clear action authority.
Q: What is the difference between compliance and operational identity governance?
A: Compliance proves that controls exist and were followed. Operational identity governance proves that teams can use those controls quickly and correctly during a live incident. In manufacturing, that difference matters because a policy that looks sound on paper may still fail when production is running and access must be changed immediately.
Q: When does just-in-time access help more than static access in industrial environments?
A: Just-in-time access helps when vendor or maintenance activity is temporary, high-risk, and tightly scoped. It reduces standing privilege and makes review easier after the task ends. It helps less when teams have not defined emergency authority, because short-lived access still needs clear rules for intervention, override, and recovery.
Technical breakdown
Why machine identities create an operational governance gap
Machine identities in manufacturing include service accounts, automation credentials, integration tokens, and remote vendor access paths that can initiate actions without direct human intervention. Unlike human users, these identities may operate continuously, across OT and IT boundaries, with privileges that are inherited from process design rather than revalidated by an operator. The failure mode is not only excessive access, but also unclear ownership when something behaves unexpectedly. If no one knows who can pause, revoke, or override the identity, the environment becomes hard to govern under pressure.
Practical implication: Practitioners need ownership, purpose, and override paths for every high-impact machine identity.
Why compliance frameworks miss live decision readiness
Frameworks such as ISO 27001, NIS2, and NIST can define accountability and control expectations, but they rarely test whether teams can make a fast identity decision during an active production event. That gap matters because a logged access session is not the same as a safe or timely response option. In operational environments, the decisive question is whether a team can disconnect, suspend, or constrain access without breaking the plant. Governance must therefore include decision authority, escalation paths, and runbooks tied to production states, not just audit evidence.
Practical implication: Map identity controls to incident response decisions and test them against live production constraints.
How OT and IT split authority complicates identity control
OT owns process uptime, IT manages identity systems, security defines policy, and vendors often control embedded access mechanisms. That division creates a fragmented decision model where each team controls part of the problem but none owns the full identity outcome. In practice, this slows containment and encourages debate when speed matters most. The architectural answer is not centralising everything in one team, but defining clear decision rights across the full operational path, including who can approve, who can revoke, and who can override when safety or availability is at stake.
Practical implication: Create a shared authority model for vendor access and machine identities before the next incident.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Operational identity governance is now a production control problem, not an administrative one. When machine identities can modify systems, trigger actions, and interact across platforms, access control becomes part of plant safety and continuity. Traditional IAM thinking that stops at entitlement review is too narrow for this environment. Practitioners should treat every privileged machine identity as an operational actor with explicit ownership and bounded authority.
Machine-speed autonomy creates an identity blast radius that human approval chains cannot contain. The article’s 82:1 machine-to-human imbalance shows why steady-state governance breaks under real-world load. When identities act continuously and decisions cascade across OT and IT, the risk is not just compromise but delayed intervention. Teams need boundaries, overrides, and pre-approved response options that can operate at production speed.
Clear decision authority is the missing control in most smart-factory identity programmes. Many organisations have logging, approvals, and policy documents, but those controls do not answer who can act when a vendor session threatens uptime or safety. That gap is especially visible in cross-functional environments where accountability is dispersed. The practical conclusion is that governance design must prioritise response authority as much as access policy.
Identity governance for manufacturing should be built around operational states, not departmental silos. The article is strongest when it shows that security, IT, OT, and vendors each own a piece of the access chain. A workable model aligns access rights with production context, so that decisions are pre-defined before disruption. Practitioners should use this as a reason to redesign governance around workflows, not org charts.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why ownership and discovery remain foundational controls.
- For lifecycle control, review the NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that reduce standing exposure.
What this signals
Identity blast radius: smart-factory teams should now measure how far a single machine or vendor credential can move across OT and IT. When access is allowed to influence production, the issue is not just authentication quality but how quickly a bad decision can propagate through the plant. That makes identity review a resilience exercise as much as a security exercise.
The next governance step is to align access policy with operational states, including maintenance windows, emergency mode, and vendor support sessions. Manufacturing organisations that cannot define those states will keep relying on informal judgement during incidents, which is exactly where identity risk becomes operational risk. Teams should plan for constrained access, explicit overrides, and pre-approved recovery paths.
The article signals a wider shift: IAM for industrial environments is moving from account management to decision engineering. Security leaders should expect pressure to prove not only who had access, but who could safely act when the plant was under stress. That is where lifecycle discipline, ownership clarity, and production-aware runbooks become material controls.
For practitioners
- Inventory machine and vendor identities across OT and IT: Build a single view of service accounts, automation credentials, remote access paths, and third-party integrations that can influence production. Tag each identity by system criticality, owner, and allowed action scope so that responders can immediately see which identities can affect safety or uptime.
- Define explicit decision authority for live incidents: Document who can pause, revoke, or constrain access during a production event, including escalation order and backup approvers. Test the process against scenarios where disconnecting a session could stop a process, so the authority model is operationally usable and not just approved on paper.
- Bound privileged machine identities by task and time: Apply least privilege and just-in-time access where feasible for vendor sessions, automation tasks, and maintenance workflows. Use short-lived credentials, limited scopes, and clear expiry conditions so that machine identities do not retain broader access than the task requires.
- Exercise identity controls in production-like drills: Run tabletop and technical exercises that force teams to decide whether to keep a vendor session active, revoke a token, or switch to manual operation. Use the drill to expose where access logging exists but decision rights, runbooks, or override mechanisms are missing.
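The first three practices above (inventory tagging, named decision authority, and task/time-bounded scope) can be turned into a repeatable check. The script below is an added example, not code from the original post or from CyberArk; the inventory records, field names, and per-task scope table are constructed assumptions for illustration.

```python
"""Audit a machine/vendor identity inventory for the governance gaps described above:
no owner, no override authority, standing (non-expiring) vendor access, scope wider
than the task needs, and credentials that cross the OT/IT boundary (blast radius)."""
from datetime import datetime, timezone

# Constructed sample inventory (hypothetical identities, not real credentials).
INVENTORY = [
    {"id": "plc-line3-writer", "kind": "automation", "domains": {"OT"},
     "criticality": "high", "owner": "ot-controls-team", "override_authority": "shift-supervisor",
     "scope": {"plc:write"}, "expires_at": None},  # standing, but owned and overridable
    {"id": "vendor-acme-remote", "kind": "vendor", "domains": {"OT", "IT"},
     "criticality": "high", "owner": None, "override_authority": None,
     "scope": {"plc:write", "hmi:admin", "ad:read"}, "expires_at": None},
    {"id": "mes-erp-sync", "kind": "service", "domains": {"IT"},
     "criticality": "medium", "owner": "it-integration", "override_authority": "it-oncall",
     "scope": {"erp:read", "mes:write"}, "expires_at": "2026-03-07T06:00:00+00:00"},
]

# Assumed allowed scope per task type; anything beyond this is excess privilege.
TASK_SCOPE = {"automation": {"plc:write"}, "vendor": {"plc:write", "hmi:read"},
              "service": {"erp:read", "mes:write"}}

def audit_identity(ident, now):
    """Return the list of governance findings for one identity record."""
    findings = []
    if ident["criticality"] == "high" and not ident["owner"]:
        findings.append("no-owner")
    if ident["criticality"] == "high" and not ident["override_authority"]:
        findings.append("no-override-authority")
    if ident["kind"] == "vendor" and ident["expires_at"] is None:
        findings.append("standing-vendor-access")  # JIT access should always expire
    elif ident["expires_at"] and datetime.fromisoformat(ident["expires_at"]) <= now:
        findings.append("expired-not-revoked")      # lifecycle gap: expiry passed, still listed
    excess = ident["scope"] - TASK_SCOPE[ident["kind"]]
    if excess:
        findings.append("excess-scope:" + ",".join(sorted(excess)))
    if {"OT", "IT"} <= ident["domains"]:
        findings.append("crosses-ot-it-boundary")
    return findings

def audit_inventory(inventory, now=None):
    """Audit every record; `now` may be an ISO-8601 string or an aware datetime."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    return {i["id"]: audit_identity(i, now) for i in inventory}

if __name__ == "__main__":
    for ident_id, findings in audit_inventory(INVENTORY).items():
        print(ident_id, findings or ["ok"])
```

Run against a real inventory export, the same checks surface the identities that responders cannot safely pause or revoke before an incident forces the question.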
Key takeaways
- Machine identities in manufacturing now function as privileged operational actors, so governance must extend beyond simple account administration.
- The central weakness is not only excess privilege, but unclear decision authority when a live production issue forces immediate action.
- Manufacturers need lifecycle control, emergency override paths, and production-aware runbooks before the next access dispute becomes an outage.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Machine identities and credential lifecycle are central to this manufacturing identity gap. |
| NIST CSF 2.0 | PR.AC-4 | Cross-functional access control depends on consistent least-privilege decisions. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification is needed when OT and IT access decisions intersect. |
Apply zero-trust decision points to vendor and automation access across the production environment.
Key terms
- Machine Identity: A machine identity is a credentialed non-human identity used by software, automation, devices, or workloads to authenticate and act. In manufacturing, these identities often carry privileged operational authority and must be governed with ownership, scope, and lifecycle controls that match their real-world impact.
- Operational Identity Governance: Operational identity governance is the practice of managing access in a way that supports live business or production decisions, not just audit requirements. It adds decision authority, escalation paths, and response readiness to standard IAM controls so teams can act safely under pressure.
- Identity Blast Radius: Identity blast radius is the amount of damage a single compromised identity can cause across systems, processes, or environments. It depends on privilege, connectivity, and the ability to move between domains, making it a practical way to assess how dangerous a machine or vendor credential really is.
Deepen your knowledge
Identity governance for manufacturing environments is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for OT, IT, and vendor access in a similar environment, it is worth exploring.
This post draws on content published by CyberArk: Bridging IT and OT identity decisions on the factory floor. Read the original.
Published by the NHIMG editorial team on 2026-03-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org