TL;DR: OT environments still rely on local identities, isolated directories and manually maintained access that can outlive HR changes, creating hidden accountability gaps across plants, according to Gathid. The governance problem is not centralisation for its own sake, but visibility that respects operational boundaries while closing stale-access risk.
At a glance
What this is: This article argues that OT identity governance remains fragmented because local access domains outlive corporate identity changes and are hard to reconcile safely.
Why it matters: It matters because IAM, PAM and lifecycle teams need a way to prove access state in OT without breaking safety boundaries or assuming IT-style integration will work.
Context
OT identity governance breaks when local access domains do not stay aligned with corporate joiner, mover and leaver processes. In plants and industrial sites, credentials are often created and maintained inside isolated directories, so identity state can drift from the source of truth even when the person has changed roles or left the company.
The core problem is not that OT teams ignore security. It is that standard IAM controls depend on live integration, continuous sync and central policy enforcement, which can conflict with OT safety constraints. That is why visibility without disruption becomes the real governance requirement for OT programmes.
Key questions
Q: How should organisations govern identity in OT environments without disrupting operations?
A: They should separate visibility from control. Build an authoritative model of local accounts, roles and sites first, then reconcile that model against corporate lifecycle records. Where live integration is unsafe, use snapshots, offline analysis and site-level ownership to prove who has access and why before changing production systems.
Q: Why do OT access reviews often miss the highest-risk identities?
A: Because reviews are usually anchored to corporate directories, while OT access may live in local systems maintained by engineers. If the review does not include plant-level accounts, it can certify access that no longer matches HR status, leaving stale privileges in place after transfers or departures.
Q: What do security teams get wrong about bridging IT and OT identity?
A: They often assume the answer is direct integration. In many OT environments, that approach is unsafe or impractical. The better first step is to understand the identity boundary, map what is locally administered, and treat the site directory as a governed system rather than an afterthought.
Q: What should auditors look for in OT identity governance?
A: They should look for evidence that local OT accounts are reconciled to a current owner, a current purpose and a current lifecycle state. If the organisation cannot show how role changes and leavers are reflected in plant access, the control environment is not fully provable.
Technical breakdown
Local identity domains and stale access in OT
Operational technology environments often run separate directories, local accounts and site-specific policies. That means access is resolved inside the plant rather than against the corporate identity system, so joiner, mover and leaver events can miss the local environment entirely. The result is stale access that persists after job changes, transfers or termination. In OT, the technical issue is not just incomplete provisioning. It is the absence of a synchronised identity control plane across disconnected sites.
Practical implication: map which OT directories operate outside corporate lifecycle workflows and treat them as separate governance domains.
Digital twins for identity visibility without touching live OT
A digital twin in this context is a shadow model of identity and access relationships built from snapshots, not live control changes. It lets security teams analyse accounts, roles and permissions in an isolated environment, which avoids interfering with production systems. This matters because many OT sites cannot tolerate direct IAM integration or frequent policy pushes. The twin becomes a safe analysis layer, while the live environment remains untouched.
Practical implication: build offline identity models for OT sites before attempting remediation so you can assess exposure without operational interference.
Knowledge graphs expose hidden access relationships
Knowledge graphs connect users, systems, roles and policies to show indirect or conflicting access paths that flat inventories miss. In OT, that includes orphaned accounts, duplicated privileges and mismatches between HR status and site access. The technical value is relationship analysis rather than simple account listing. It gives engineers and security teams a way to see where access persists, where ownership is unclear and where remediation can be sequenced safely.
Practical implication: use relationship mapping to identify orphaned accounts and mismatched access before changing any control-system configuration.
NHI Mgmt Group analysis
OT identity governance fails when local access outlives corporate accountability. The article shows a classic lifecycle failure: joiner, mover and leaver processes exist at the enterprise level, but plant-level identities are maintained separately and can remain active after the person has changed role or left. That is not just a visibility gap. It is a governance boundary problem where the authoritative identity record no longer matches the environment that still grants access. The practitioner conclusion is that OT access cannot be treated as a downstream exception to enterprise IAM.
Digital twins are becoming the right abstraction for OT identity, not a nice-to-have analytics layer. Traditional IAM assumes the environment can be centrally integrated, queried and updated. OT often cannot, because touching the live system can create operational risk. A twin lets teams model access without forcing convergence, which makes the control problem visible without violating safety constraints. The practitioner conclusion is that OT identity programmes need modelling first, integration second.
Knowledge graphs reveal the real failure mode: unmanaged relationships, not just unmanaged accounts. In OT, the risk is often hidden in the relationship between a person, a site, a directory and a role that no longer align. That maps cleanly to OWASP-NHI and NIST CSF thinking about visibility, inventory and access governance, even when the asset is a human account rather than a workload. The practitioner conclusion is that remediation should start with relationship truth, not directory cleanup alone.
Cross-domain identity governance is now a safety issue, not only an IAM issue. The article makes clear that physical, operational and digital access are coupled in ways enterprise teams often underestimate. A person can leave the company while a plant directory still authorises them, and the consequence is not merely policy non-compliance. The practitioner conclusion is that OT identity assurance belongs in the same governance conversation as safety, audit and operational resilience.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
- For a broader governance lens, Ultimate Guide to NHIs, Regulatory and Audit Perspectives shows how identity assurance changes when auditability and operational boundaries both matter.
What this signals
OT identity governance will increasingly be judged by provable visibility, not by declared integration strategy. The practical test is whether you can reconcile local access against enterprise lifecycle records without forcing unsafe changes into production. That makes offline modelling and site ownership more important than platform consolidation.
Identity sprawl in OT behaves like unmanaged machine identity risk in other environments. The same failure pattern appears when access exists outside a centrally governed lifecycle, which is why the Top 10 NHI Issues remains a useful lens for spotting hidden access domains.
If your programme already struggles with local access reconciliation, the next step is to align OT governance with the same lifecycle discipline used for service accounts and workload identities, but without assuming the control surface can be made identical.
For practitioners
- Inventory every standalone OT identity domain: document each plant, site or facility that maintains its own directory, local accounts or access policy so you can see where corporate lifecycle controls do not reach.
- Model OT access before changing production systems: use an offline twin or equivalent shadow model to review identities, roles and access paths before attempting any sync, policy change or remediation step.
- Reconcile HR events with local OT access: check whether terminations, transfers and role changes are reflected inside site directories, especially where engineers maintain access outside central IAM.
- Map orphaned and duplicated accounts to owners: use relationship analysis to find accounts with no current business owner, then assign remediation by site and system rather than by generic user list.
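As an added illustration of the offline reconciliation described in the technical breakdown and in the practitioner steps above (example code written for this post, not Gathid's or NHIMG's tooling), the script below takes a constructed snapshot of one plant's local directory and constructed HR lifecycle records, and flags orphaned accounts, leavers and movers who still hold plant access, and duplicated privileges. It reads the snapshot only and never touches the live site; all names, IDs and roles are invented.

```python
from collections import defaultdict

# Constructed sample input: an offline snapshot of a plant's local directory
# (the "digital twin" source) and the corporate HR lifecycle records.
PLANT_SNAPSHOT = {
    "site": "plant-a",
    "accounts": [
        {"account": "jdoe_local", "owner_id": "E100", "roles": ["hmi_operator"]},
        {"account": "asmith_eng", "owner_id": "E200", "roles": ["plc_engineer", "hmi_operator"]},
        {"account": "asmith_eng2", "owner_id": "E200", "roles": ["plc_engineer"]},
        {"account": "vendor_tmp", "owner_id": None, "roles": ["remote_maint"]},
        {"account": "bwong_local", "owner_id": "E300", "roles": ["plc_engineer"]},
    ],
}
HR_RECORDS = {
    "E100": {"status": "active", "site": "plant-a"},
    "E200": {"status": "terminated", "site": "plant-a"},   # leaver
    "E300": {"status": "active", "site": "plant-b"},       # mover (transferred)
}


def reconcile(snapshot, hr):
    """Reconcile a plant directory snapshot against HR lifecycle records.

    Returns findings grouped by failure mode. The function only reads the
    snapshot, so it can run in an isolated analysis environment.
    """
    site = snapshot["site"]
    findings = defaultdict(list)
    role_holders = defaultdict(list)  # (owner_id, role) -> accounts granting it
    for acct in snapshot["accounts"]:
        name, owner = acct["account"], acct["owner_id"]
        record = hr.get(owner) if owner else None
        if record is None:
            findings["orphaned"].append(name)          # no current business owner
            continue
        if record["status"] != "active":
            findings["stale_leaver"].append(name)      # leaver still authorised locally
        elif record["site"] != site:
            findings["stale_mover"].append(name)       # transferred, plant still grants access
        for role in acct["roles"]:
            role_holders[(owner, role)].append(name)
    for (owner, role), accts in role_holders.items():
        if len(accts) > 1:                             # same person, same privilege, twice
            findings["duplicated_privilege"].append((owner, role, sorted(accts)))
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in reconcile(PLANT_SNAPSHOT, HR_RECORDS).items():
        print(f"{PLANT_SNAPSHOT['site']} {category}: {items}")
```

The per-site output is the starting point for assigning remediation by site and system, since each finding carries the local account name and, where known, its owner.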
Key takeaways
- OT identity risk is driven by access domains that outlive corporate lifecycle events and remain hard to see from central IAM.
- The most useful control pattern is not direct integration, but offline identity modelling that respects OT safety boundaries while revealing stale access.
- Security teams need to govern OT access as a distinct lifecycle problem with local ownership, reconciled identities and provable accountability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | OT local accounts create unmanaged identity inventory gaps. |
| NIST CSF 2.0 | PR.AC-1 | Access control depends on knowing who is authorised in each OT domain. |
| NIST Zero Trust (SP 800-207) | AC-1 | Zero trust reinforces continuous verification across isolated trust boundaries. |
Apply least-privilege verification to OT identity boundaries without assuming full integration is safe.
Key terms
- Operational Technology: Operational technology is the hardware, software and networked control environment that manages physical processes in industrial settings. Unlike typical IT, OT prioritises uptime, safety and deterministic behaviour, which is why identity changes, patching and integration often carry operational risk and must be governed differently.
- Digital Twin: A digital twin is a virtual model that mirrors real-world systems so teams can analyse behaviour without changing the live environment. In identity governance, it is used to map accounts, roles and relationships, especially where direct integration into production systems would be unsafe or impractical.
- Knowledge Graph: A knowledge graph is a relationship-based data model that connects entities such as users, systems, roles and policies. It helps identity teams detect hidden access paths, ownership gaps and inconsistent entitlements that are difficult to see in flat inventories or disconnected directories.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Gathid: OT identity governance in air-gapped operational technology environments. Read the original.
Published by the NHIMG editorial team on 2025-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org