TL;DR: CISA’s 2025 guidance frames OT asset inventory as a prerequisite for modern defensible architecture, arguing that organisations cannot protect what they cannot see and must pair discovery with taxonomy, lifecycle management, and segmentation. Elisity’s analysis shows the governance gap is now operational, not theoretical.
At a glance
What this is: CISA’s OT asset inventory guidance says effective protection starts with knowing what exists, then using taxonomy and segmentation to turn visibility into control.
Why it matters: For IAM and NHI practitioners, the lesson is that identity-based policy only works when asset identity, lifecycle state, and communication paths are continuously understood across operational environments.
👉 Read Elisity's analysis of CISA's OT asset inventory guidance and defensible architecture
Context
OT asset inventory is the starting point for defensible architecture because security teams cannot segment, monitor, or govern assets they have not reliably discovered. In operational technology environments, that problem is amplified by legacy devices, proprietary protocols, and uneven support for security agents. The article’s primary keyword, OT asset inventory, sits at the centre of that visibility gap.
The identity connection is practical rather than abstract. In OT, device identity, communication pathways, and lifecycle state determine whether microsegmentation and least-privilege policy can actually be enforced. That makes OT inventory adjacent to IAM and NHI governance, especially where unmanaged devices, remote access paths, and service credentials shape the trust boundary.
CISA’s framing is typical of modern critical infrastructure guidance, but the article argues that many organisations still treat inventory as a record-keeping exercise instead of a control layer. That starting point is now atypical for environments pursuing Zero Trust or IEC 62443-aligned segmentation.
Key questions
Q: What breaks when OT asset inventory is incomplete?
A: Incomplete OT asset inventory breaks segmentation, vulnerability prioritisation, and incident response because security teams cannot reliably tell which devices exist, where they are, or what they connect to. In practice, that means legacy systems, vendor access paths, and unmanaged devices can remain outside policy boundaries and become lateral movement routes.
Q: Why do OT environments need identity-based microsegmentation?
A: OT environments need identity-based microsegmentation because IP addresses and network positions change, but the policy need remains tied to the device or workload. Identity-aware controls preserve enforcement when assets move, while reducing dependence on brittle VLANs and static firewall rules.
Q: How do security teams know if OT inventory is actually working?
A: OT inventory is working when it feeds enforcement decisions, updates segment membership, and shortens response time during incidents. If the inventory only supports documentation or periodic audits, it is a record-keeping exercise rather than an operational control.
Q: Who is accountable when OT segmentation fails?
A: Accountability usually sits with the teams that own operational risk, asset data quality, and network enforcement together. In practice, that includes OT engineering, security architecture, and governance leaders, because segmentation fails when any one of those functions treats the inventory as someone else’s problem.
Technical breakdown
OT asset inventory as a control layer, not a spreadsheet
In OT environments, inventory is not simply a list of devices. It is the control substrate that lets teams classify assets by criticality, map dependencies, and decide which communications are allowed. CISA’s guidance reflects a basic truth of operational security: if asset identity and location are unknown, policy becomes guesswork. Unlike IT endpoints, OT devices may be legacy, unmanaged, or unable to host agents, so discovery must combine physical inspection, logical surveys, and protocol-aware data collection. The inventory then becomes useful only when it supports segmentation, incident response, and lifecycle governance.
Practical implication: build inventory data so it can drive enforcement decisions, not just audit reporting.
How taxonomy supports OT microsegmentation and IEC 62443
OT taxonomy is a structured way to group assets by function or criticality so that security policies can follow operational risk. That matters because IEC 62443 uses Zones and Conduits to define how systems should be separated and how traffic should move between them. Zones represent assets with similar protection requirements, while conduits govern approved communication paths. When taxonomy is weak, segmentation becomes overly broad or inconsistent, and teams fall back to flat networks with brittle firewall rules. A strong taxonomy gives microsegmentation a policy model that matches real operational dependencies.
Practical implication: define zones from asset criticality and process dependency before writing segmentation rules.
Why identity-based microsegmentation outperforms IP-based controls in OT
Traditional segmentation depends on network position, IP ranges, or VLAN boundaries, but OT devices often move, change interfaces, or connect through shared infrastructure. Identity-based microsegmentation shifts the policy anchor from network location to device identity and context. That makes policy more durable when assets roam or when temporary connectivity is needed for maintenance and vendor access. It also helps reduce lateral movement by constraining which devices can speak to each other, regardless of where they sit on the network. For critical infrastructure, the technical value is not just isolation. It is policy continuity across changing operational conditions.
Practical implication: prefer identity-aware segmentation controls that survive IP changes, maintenance windows, and asset relocation.
Threat narrative
Attacker objective: The attacker seeks to move from an exposed OT foothold to disruption of operations, unsafe process manipulation, or wider access across critical infrastructure systems.
- Entry occurs when attackers exploit insecure OT protocols, weak authentication, or exposed remote access points in environments without complete asset visibility.
- Escalation follows when incomplete inventory leaves vulnerable firmware, unmanaged devices, and permissive conduits outside the segmentation model.
- Impact emerges as attackers move laterally across operational assets, disrupt processes, or reach systems that should have been isolated by zone-based controls.
NHI Mgmt Group analysis
OT asset inventory is now an enforcement prerequisite, not a hygiene exercise. The article correctly frames inventory as the foundation for defensible architecture because segmentation, monitoring, and incident response all depend on knowing what is present. In practice, that means asset identity and operational context must be treated as security inputs, not administrative outputs. For critical infrastructure teams, the governance question is whether inventory data changes enforcement or merely decorates reports.
Identity-based microsegmentation is the right response to a topology problem. OT environments break IP-based trust assumptions because devices shift, legacy systems lack agents, and vendor access patterns change over time. The useful concept here is operational identity drift, where the device that is trusted today may reappear in a different network position tomorrow. Practitioners should read that as a sign that policy must follow the asset, not the subnet.
IEC 62443 zoning only works when asset taxonomy is real and maintained. Zones and conduits fail when the underlying categorisation is stale, too broad, or disconnected from actual process dependency. That is a governance failure, not a tooling failure. The article’s value is that it ties taxonomy to least privilege, which is where OT segmentation becomes defensible rather than symbolic.
OT visibility gaps intersect with identity governance whenever access is remote or shared. Remote maintenance accounts, vendor credentials, and service access paths turn inventory omissions into privilege problems. That is the bridge to IAM and NHI governance: unmanaged systems often come with unmanaged credentials. Security teams should therefore align OT inventory with access lifecycle controls, not treat them as separate programmes.
Modern defensible architecture in OT is really a control-mapping exercise. Discovery, classification, segmentation, and lifecycle management need to line up with one another or the architecture stays brittle. For practitioners, the field-level takeaway is clear: if a device cannot be classified, it cannot be trusted; if it cannot be trusted, it should not sit in an open conduit.
What this signals
Operational visibility is becoming an access-control problem, not just an inventory problem. As OT architectures adopt identity-based segmentation, asset records start to influence who and what can communicate, which means stale data can create security exposure as quickly as a bad ACL. Teams should treat inventory quality as part of their control assurance model, not as a separate documentation stream.
Operational identity drift is the pattern to watch in complex OT estates. Devices are rarely static, and when their network location, support status, or remote access path changes faster than governance can track, segmentation rules and maintenance workflows diverge. That gap will matter more as critical infrastructure operators connect OT inventory to Zero Trust and resilience programmes.
For identity and access programmes, the practical signal is clear: OT access governance must extend beyond human administrators to vendor accounts, service access, and unmanaged device pathways. Where remote support exists, the same lifecycle discipline used for NHI and privileged access should govern the trust bridge into plant environments.
For practitioners
- Define OT asset scope by process and criticality Map production systems, safety systems, control systems, and support assets before assigning security ownership. Use that scope to decide what qualifies as an asset for inventory and which groups need separate enforcement paths.
- Collect identity-relevant OT attributes continuously Capture communication protocols, physical location, criticality, and dependency data so inventory can support segmentation and incident response. Keep the dataset current as assets move, get replaced, or change connectivity.
- Build segmentation from zones and conduits Translate inventory into IEC 62443-style zones and conduits, then limit traffic between them to approved paths only. Use identity-based policy where subnet-based rules are too brittle for dynamic OT operations.
- Align OT inventory with remote access governance Tie vendor access, shared maintenance credentials, and temporary support pathways to the same inventory records used for segmentation. That reduces the chance that remote access becomes an untracked trust bridge into critical systems.
Key takeaways
- OT asset inventory is the control foundation for defensible architecture because segmentation and incident response fail when asset visibility is incomplete.
- Identity-based microsegmentation works better than IP-based controls in OT because policy can follow the asset even as network topology changes.
- The real governance challenge is aligning inventory, taxonomy, and lifecycle management so that critical infrastructure controls stay current and enforceable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | Asset inventory and categorisation are central to the article's OT governance model. |
| NIST SP 800-53 Rev 5 | CM-8 | CM-8 directly governs system component inventory and tracking. |
| CIS Controls v8 | CIS-1 , Inventory and Control of Enterprise Assets | The article is fundamentally about discovering and governing OT assets. |
| ISO/IEC 27001:2022 | A.8.1 | Asset management controls support the article's inventory and lifecycle themes. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article describes how weak segmentation enables movement and disruption. |
Map OT assets to ID.AM-1 and keep discovery current enough to drive segmentation decisions.
Key terms
- OT Asset Inventory: A structured record of operational technology devices, systems, and supporting components that exist in an environment. In practice, it includes attributes such as criticality, location, protocol, ownership, and lifecycle state so security and operations teams can make enforceable decisions.
- OT Taxonomy: A classification model used to organise OT assets by function, criticality, or operational role. It helps teams group similar systems, communicate consistently across operations and security, and build controls that reflect real process dependencies rather than ad hoc labels.
- Zones and Conduits: An IEC 62443 model for separating OT assets into security groupings and controlled communication paths. Zones collect systems with similar protection needs, while conduits define and restrict the traffic allowed between those zones to reduce exposure and limit lateral movement.
- Identity-Based Microsegmentation: A segmentation approach that applies access policy based on device or workload identity instead of only on network location. It is useful in dynamic environments because policies persist when assets move, change IP address, or connect through different infrastructure layers.
What's in the full article
Elisity's full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step OT asset inventory workflow from scope definition through lifecycle management.
- Sector-specific taxonomy examples for oil and gas, electricity, and water and wastewater environments.
- Practical microsegmentation deployment observations from manufacturing and healthcare environments.
- Detailed discussion of how inventory data supports IEC 62443 zones and conduits.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It helps practitioners connect identity control principles to the broader security programmes they operate.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org