By NHI Mgmt Group Editorial Team
Published 2025-08-07
Domain: Governance & Risk
Source: Gathid

TL;DR: As OT and IT boundaries dissolve, identity becomes the control plane and the weakest link because legacy OT systems, orphaned accounts, excessive privilege, and unreliable manual reviews leave access difficult to see and govern, according to Gathid. The problem is not integration itself but the assumption that IT IAM models can be retrofitted into disconnected operational environments without creating new risk.


At a glance

What this is: This article argues that OT and IT convergence creates a fragmented identity landscape where legacy OT constraints make standard IAM coverage incomplete and governance unreliable.

Why it matters: It matters because IAM, PAM, and lifecycle controls must now span human, machine, and vendor identities across environments that do not share the same connectivity, evidence, or review assumptions.

Read Gathid's analysis of OT and IT identity governance gaps


Context

OT and IT convergence turns identity into the main governance problem because access is now spread across legacy controllers, cloud platforms, vendor-managed software, and local admin paths. In plain terms, the old assumption that one IAM stack can see everything no longer holds in operational environments.

For security leaders, the challenge is less about adding another access tool and more about proving who and what has access in systems that were never designed for centralized governance. That makes identity visibility, ownership, and audit evidence the core issues in OT and IT programmes.


Key questions

Q: How should security teams govern identity across OT and IT environments?

A: Start by mapping every identity, every access path, and every ownership relationship before trying to enforce policy centrally. In OT, governance fails when teams assume modern IAM tools can be extended uniformly into systems that were never built for continuous connectivity or shared protocols. The practical answer is a model-first approach that separates discovery, ownership, and enforcement.

Q: Why do legacy OT systems create more identity risk than standard IT environments?

A: Legacy OT environments often rely on local admin accounts, vendor-owned software, and disconnected networks, which makes normal IAM visibility incomplete. That increases the odds of dormant accounts, excessive privileges, and unreviewed exceptions surviving for long periods. The risk is not just harder administration, but ungoverned access paths that can affect operations.

Q: What breaks when manual access reviews are used for OT identities?

A: Manual reviews are usually stale by the time they finish, and OT environments change in ways that spreadsheets and periodic sign-off cannot capture. That means toxic combinations, ownerless service accounts, and inherited permissions can remain active long after they should have been challenged. Reviews need continuous evidence, not a one-time certification snapshot.

Q: Who should own access accountability when vendor-managed OT software is involved?

A: The operating organisation must own the governance outcome even when the software is vendor-managed. That means every exception needs a named business owner, a documented purpose, and a lifecycle trigger for review or removal. Without that, vendor access becomes persistent by default and auditability collapses.


Technical breakdown

Why traditional IAM breaks in OT environments

Traditional IAM assumes modern protocols, continuous connectivity, and a central source of truth. OT often has none of those properties. Legacy controllers, air-gapped segments, vendor-owned software, and local admin accounts mean access is distributed across systems that cannot always be integrated safely or consistently. When IAM tools depend on full bidirectional integration, the governance model itself becomes the risk because the act of connecting can disrupt operations or expose systems that were previously isolated.

Practical implication: map which OT assets cannot tolerate direct IAM integration before attempting centralisation.

Digital twins for access visibility

A digital twin is a virtual model of the identity ecosystem that represents accounts, roles, permissions, and access paths without needing to touch every source system in the same way a live integration would. In OT and IT convergence, that matters because it provides a continuously updated view across disconnected assets. The value is not simulation for its own sake, but governance visibility: teams can reason about access, change impact, and ownership even when the operational environment is fragmented.

Practical implication: use a digital twin to establish a governed inventory of identities before changing enforcement patterns.

Knowledge graphs expose relationships that IAM tools miss

Knowledge graphs model the relationships between identities, systems, roles, and policies, which is where hidden risk often lives. In converged environments, the issue is rarely one account in isolation. It is the combination of role conflicts, cross-system privilege creep, and orphaned access that creates exposure. A graph-based model helps show why an entitlement exists, who owns it, and what downstream systems would be affected if it changed, which is essential when OT access cannot be reviewed like ordinary IT access.

Practical implication: use relationship mapping to identify toxic combinations and ownerless service accounts.


Threat narrative

Attacker objective: The objective is to gain or abuse access that can affect production, control systems, or sensitive operational data while remaining difficult to detect in fragmented identity estates.

  1. Entry occurs through identity sprawl in converged OT and IT environments, where human, machine, vendor, and local admin identities coexist without a single authoritative control plane.
  2. Escalation follows when dormant accounts, excessive privileges, or toxic role combinations remain active long enough for misuse or attacker reuse.
  3. Impact lands in operational disruption, regulatory exposure, or safety consequences because identity is the path to critical systems, not just data.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance in OT is really a visibility problem disguised as an integration problem. The article is right to frame fragmentation as the central issue, because governance cannot work when teams do not have a trustworthy inventory of identities, roles, and ownership across operational systems. In OT, the constraint is not only technical incompatibility but also the operational cost of forcing centralised controls into environments that were built for resilience, isolation, and vendor specificity. Practitioners should treat visibility as the first control boundary, not the last reporting step.

Digital twins create a governance layer, not a replacement control. Their value is in allowing security teams to model access across disconnected OT and IT domains without assuming every system can be wired into the same enforcement plane. That matters because the governance question is not just what access exists, but how to reason about it when the underlying estate is heterogeneous and partially disconnected. The implication is that identity programmes need a model of reality before they can enforce policy at scale.

Knowledge graphs expose identity debt that conventional IAM reports flatten. Excessive privilege, orphaned accounts, and toxic role combinations are not isolated findings in converged estates; they are relationship problems. A graph-based view makes ownership gaps and downstream blast radius visible in a way static access review spreadsheets do not. Practitioners should use that structure to separate inherited access from justified access and to surface where identity risk accumulates across systems.

OT and IT convergence changes the control objective from authentication to provable governance. Traditional IAM assumes access can be mediated at a few known chokepoints, but operational environments often require a different discipline: continuous understanding of who has access, why they have it, and what would break if it changed. NIST Cybersecurity Framework 2.0 is relevant here because identity visibility, protection, and response must work together across fragmented estates. The practical conclusion is that teams need evidence-driven governance, not just better login control.

Vendor-owned software and local admin accounts are a persistent governance exception unless lifecycle discipline catches them. The article points to the exact problem many programmes avoid naming: access that exists outside central process is still access, and in OT it often survives because nobody owns its retirement. That is a lifecycle failure as much as an access failure. Practitioners should treat offboarding, recertification, and ownership mapping as operational controls, not administrative clean-up.

From our research:

What this signals

Identity debt in converged OT and IT programmes will increasingly be measured by ownership quality, not just account counts. Teams that can show who owns each service account, vendor account, and local admin path will have a stronger governance story than teams that only report the size of the estate. That is where a model such as Ultimate Guide to NHIs becomes operationally useful: it gives programmes a lifecycle lens for identities that sit outside standard user administration.

Cross-domain identity visibility is becoming a board-level operational risk issue. When access spans isolated plants, cloud systems, and third-party software, the question shifts from whether a login exists to whether the organisation can prove its blast radius. The NIST Cybersecurity Framework 2.0 is relevant because this is a govern-identify-protect problem, not a single control issue.

Knowledge-graph driven governance will gain traction where periodic certification cannot keep pace. The practical signal for practitioners is that OT and IT access review processes need to move toward relationship-aware evidence, because static recertification misses inherited privilege and exception chains. The organisations that can continuously explain access will be better positioned than those that only periodically confirm it.


For practitioners

  • Inventory every identity across OT and IT: Build a complete register of employees, contractors, third parties, service accounts, and machine users, then map where each identity is governed and where it is effectively unmanaged.
  • Classify systems that cannot tolerate direct integration: Separate OT assets that require passive discovery or model-based governance from systems that can safely support direct IAM connections.
  • Use relationship mapping to find toxic access paths: Identify role conflicts, ownerless accounts, and privilege chains that connect otherwise isolated systems, then prioritise the highest blast-radius combinations first.
  • Shift reviews from periodic to continuously validated: Replace slow manual reviews with ongoing validation of access rights, ownership, and policy adherence so the evidence is current when auditors or operators need it.
  • Document privilege exceptions in lifecycle terms: Record why vendor-owned software, local admin access, and inherited permissions exist, who owns them, and what triggers removal or renewal.
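The checklist above, together with the digital twin and knowledge graph sections in the technical breakdown, describes one procedure: model identities, grants, owners and system relationships off-line, then query that model for ownerless accounts, dormant identities, lapsed exceptions, toxic combinations and cross-domain privilege chains. The following Python is an added example written for this page; it is not code from Gathid or NHI Mgmt Group. Every identity, system, role, owner, date, trust edge and "toxic" pairing in it is constructed for illustration, and the graph is a plain in-memory model standing in for a digital twin, so nothing in it touches a live directory or controller.

```python
"""Relationship-aware access review over a small, constructed OT/IT identity model.

Added example, not code from Gathid or NHI Mgmt Group. All identities, systems,
roles, owners, dates and toxic pairings are constructed for illustration.
"""
from collections import deque
from datetime import date, timedelta

# Constructed system inventory; direct_iam marks systems that can tolerate
# a live IAM connection, the rest need passive discovery into the model.
SYSTEMS = {
    "erp":       {"domain": "IT", "direct_iam": True},
    "historian": {"domain": "OT", "direct_iam": True},
    "hmi-line3": {"domain": "OT", "direct_iam": False},
    "plc-line3": {"domain": "OT", "direct_iam": False},
}
# Constructed trust edges: access on the first system gives a path to the second.
SYSTEM_EDGES = [("hmi-line3", "plc-line3"), ("erp", "historian")]

# Constructed identities: type, named business owner, last use, exception review date.
IDENTITIES = {
    "j.smith":    {"type": "human",   "owner": "j.smith", "last_used": date(2025, 7, 30), "review_by": None},
    "svc-histor": {"type": "service", "owner": None,      "last_used": date(2025, 7, 29), "review_by": None},
    "vendor-plc": {"type": "vendor",  "owner": "ot-lead", "last_used": date(2024, 11, 2), "review_by": date(2025, 3, 1)},
    "admin-hmi3": {"type": "local",   "owner": "ot-lead", "last_used": date(2025, 7, 1),  "review_by": None},
}
# Constructed grants: (identity, system, role) edges of the graph.
GRANTS = [
    ("j.smith", "erp", "approve_workorder"),
    ("j.smith", "hmi-line3", "change_setpoint"),
    ("svc-histor", "historian", "write_records"),
    ("vendor-plc", "plc-line3", "program_logic"),
    ("vendor-plc", "historian", "write_records"),
    ("admin-hmi3", "hmi-line3", "local_admin"),
]
# Constructed toxic combinations: each role is plausible alone, risky when held together.
TOXIC_COMBINATIONS = {
    "approve-and-operate": {("erp", "approve_workorder"), ("hmi-line3", "change_setpoint")},
    "program-and-rewrite-history": {("plc-line3", "program_logic"), ("historian", "write_records")},
}


def grants_by_identity():
    """Adjacency list: identity -> set of (system, role) it holds."""
    held = {name: set() for name in IDENTITIES}
    for ident, system, role in GRANTS:
        held[ident].add((system, role))
    return held


def find_ownerless(types=("service", "vendor", "local")):
    """Non-human identities with no named business owner."""
    return sorted(n for n, i in IDENTITIES.items() if i["type"] in types and not i["owner"])


def find_dormant(as_of, max_idle_days=90):
    """Identities unused for longer than the idle window."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(n for n, i in IDENTITIES.items() if i["last_used"] < cutoff)


def find_overdue_exceptions(as_of):
    """Vendor and local-admin exceptions with no review date or a lapsed one."""
    return sorted(n for n, i in IDENTITIES.items()
                  if i["type"] in ("vendor", "local")
                  and (i["review_by"] is None or i["review_by"] < as_of))


def find_toxic_combinations():
    """(identity, combination) pairs where the identity holds every grant in the set."""
    held = grants_by_identity()
    return sorted((ident, name) for ident, edges in held.items()
                  for name, combo in TOXIC_COMBINATIONS.items() if combo <= edges)


def blast_radius(identity):
    """Systems reachable from an identity: direct grants plus trust edges (BFS)."""
    start = {system for ident, system, _ in GRANTS if ident == identity}
    seen, queue = set(start), deque(start)
    while queue:
        current = queue.popleft()
        for src, dst in SYSTEM_EDGES:
            if src == current and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def find_cross_domain_paths():
    """Identities whose reachable systems span both the IT and OT domains."""
    return sorted(ident for ident in IDENTITIES
                  if {SYSTEMS[s]["domain"] for s in blast_radius(ident)} >= {"IT", "OT"})


def systems_needing_passive_discovery():
    """Systems that must be modelled rather than wired into IAM directly."""
    return sorted(s for s, meta in SYSTEMS.items() if not meta["direct_iam"])


def review_report(as_of):
    """Continuously re-runnable evidence set for an access review as of a date."""
    return {
        "ownerless": find_ownerless(),
        "dormant": find_dormant(as_of),
        "overdue_exceptions": find_overdue_exceptions(as_of),
        "toxic": find_toxic_combinations(),
        "cross_domain": find_cross_domain_paths(),
        "passive_discovery": systems_needing_passive_discovery(),
    }


if __name__ == "__main__":
    for key, value in review_report(date(2025, 8, 7)).items():
        print(f"{key}: {value}")
```

Because the report is a function of the model and a date rather than a signed-off spreadsheet, it can be regenerated whenever the model changes, which is the difference between a certification snapshot and continuous evidence. The trust edges are what turn a per-account listing into a blast-radius view: here a single IT-side user reaches a controller through the HMI, something a flat entitlement export would not show.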

Key takeaways

  • OT and IT convergence turns identity into the main governance problem because fragmented estates break the assumptions behind standard IAM.
  • Identity debt in these environments shows up as orphaned accounts, excessive privilege, and weak audit evidence rather than as a single control failure.
  • Practitioners need model-based visibility, lifecycle ownership, and continuous review to govern access without disrupting mission-critical operations.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-1             | Identity governance in converged OT and IT depends on knowing who and what has access.
NIST CSF 2.0                 | PR.AC-4             | Least privilege is central where dormant and excessive OT privileges remain active.
NIST Zero Trust (SP 800-207) | SP 800-207          | Zero Trust is relevant where identity becomes the control point across fragmented environments.

Review OT entitlements for least privilege and remove unnecessary access paths with documented ownership.


Key terms

  • Identity debt: Identity debt is the accumulation of unmanaged access, unclear ownership, and outdated permissions that makes governance harder over time. In OT and IT convergence, it appears when local admin accounts, vendor exceptions, and stale reviews survive because no single process can see or retire them cleanly.
  • Digital twin: A digital twin is a virtual model of an identity environment that represents accounts, permissions, roles, and relationships without requiring every system to be fully integrated. For OT governance, it provides a controllable view of access across disconnected environments so teams can reason about risk and change impact.
  • Knowledge graph: A knowledge graph is a relationship model that connects identities, systems, policies, and permissions so the meaning of access can be analysed, not just listed. In identity governance, it helps reveal privilege chains, toxic combinations, and ownership gaps that static reports often hide.
  • Toxic role combination: A toxic role combination is a set of permissions or roles that is individually plausible but becomes risky when combined across systems or functions. In converged OT and IT estates, the danger is that separate access grants can create a hidden path to sensitive operations or control systems.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Gathid: OT and IT identity governance in converged environments. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org