TL;DR: Australia’s SOCI Act 2018 and the ERP 2024 amendments push critical infrastructure operators toward stronger IAM, IGA, audit logging, and incident reporting controls across sectors including energy, finance, health, and transport, according to RSA Security. The practical issue is not compliance alone but whether identity governance can support real-time detection, least privilege, and lifecycle enforcement under national resilience requirements.
At a glance
What this is: This is RSA Security’s analysis of how Australia’s SOCI Act 2018 and ERP 2024 amendments tighten IAM and IGA obligations for critical infrastructure operators.
Why it matters: It matters because critical infrastructure teams need identity controls that support compliance, incident reporting, and resilience across human, machine, and privileged access.
By the numbers:
- Mandatory incident reporting requires critical infrastructure operators to notify within 12 hours for incidents with a significant impact on availability and 72 hours when the impact is not immediately disruptive.
👉 Read RSA Security’s analysis of SOCI Act IAM obligations for critical infrastructure
Context
SOCI Act compliance is an identity governance problem as much as it is a regulatory one. For critical infrastructure operators, the practical question is whether IAM and IGA can prove who has access, why they have it, and how quickly it can be removed or audited when risk changes.
The ERP 2024 amendments raise the bar across cybersecurity, supply chain, and personnel obligations. That pushes access control, privileged access, lifecycle management, and logging out of the realm of good practice and into operational evidence that regulators and incident responders can test.
Key questions
Q: How should critical infrastructure teams align IAM with SOCI obligations?
A: They should map each regulated asset to explicit identity controls, then verify that authentication, authorisation, logging, and lifecycle management produce evidence for audits and incident reporting. The practical test is whether the organisation can show who had access, why they had it, and when it was removed.
Q: Why do critical infrastructure operators need stronger identity governance under SOCI?
A: Because SOCI treats identity as part of operational resilience. Weak access control can turn a security incident into a reporting failure, a privilege problem into an availability event, and a staffing change into lingering risk. Governance must therefore cover access design, logging, and offboarding together.
Q: What breaks when separation of duties is not enforced in regulated environments?
A: High-risk actions become easier to execute without challenge, and the organisation loses a major control against both misuse and insider risk. In critical infrastructure, that also weakens confidence in incident investigations because approval and execution can no longer be independently verified.
Q: Who is accountable when identity controls fail a SOCI reporting obligation?
A: Accountability normally sits with the operator of the critical infrastructure asset, but operational ownership is shared across IAM, security operations, and governance teams. Each function must know which logs, approvals, and lifecycle controls it owns before an incident occurs.
Technical breakdown
How SOCI obligations turn IAM into evidence
The SOCI Act and ERP 2024 amendments do not treat identity as a standalone control. They tie access governance to risk management, incident reporting, and enhanced cybersecurity obligations, which means operators need evidence that access decisions are documented, monitored, and revocable. RBAC reduces exposure by linking permissions to job functions, but it only works if role design is current and access reviews are real. MFA, passwordless authentication, and audit logging matter because the regulator cares about demonstrable control, not policy language alone.
Practical implication: map every critical access path to an auditable control owner and test whether the evidence exists before an incident does.
Why identity lifecycle management matters for critical infrastructure
Lifecycle management becomes a compliance control when onboarding, role changes, and offboarding affect regulated assets. In critical infrastructure settings, stale access can create both security exposure and reporting failure, especially where privileged or separated duties are involved. Automated lifecycle workflows help reduce delay between employment change and access change, while SoD prevents one identity from both approving and executing high-risk actions. The core issue is not volume of requests but whether access can be kept aligned with current duty and risk.
Practical implication: remove manual dependency from joiner, mover, and leaver processes for regulated identities and privileged roles.
What real-time monitoring must show under SOCI
Real-time behavioural analysis is useful only if it produces defensible signals tied to identities, not just noisy anomaly alerts. SOCI reporting obligations require operators to correlate incidents to root causes, and that makes identity telemetry central to the response chain. Access logs, privileged activity records, and SIEM integration help establish what happened, who acted, and whether the action was authorised. Without that linkage, an organisation can detect suspicious activity but still fail to explain or prove it under audit or incident review.
Practical implication: ensure identity logs, privileged access records, and response workflows can be correlated without manual reconstruction.
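The two passages above (lifecycle and SoD, then identity-correlated monitoring) can be reduced to checks that run over normalised IGA records and audit events. The block below is an added example, not RSA Security's or NHIMG's code; every identity, role, change id and timestamp in it is constructed for illustration.

```python
"""Evidence checks over constructed identity records and audit events:
separation-of-duties violations, stale access after leaving, activity by
leavers, and the per-identity chain an incident report needs."""
from collections import defaultdict
from datetime import datetime

# Constructed HR/IGA records: identity -> (employment end date or None, roles held)
IDENTITIES = {
    "alice": (None, {"scada-operator"}),
    "bob": ("2025-03-01", {"change-approver", "scada-operator"}),  # left, still has roles
    "svc-backup": (None, {"backup-admin"}),
}

# Constructed, normalised audit events: (timestamp, identity, action, change_id)
EVENTS = [
    ("2025-03-03T09:00:00", "bob", "login", None),
    ("2025-03-03T09:05:00", "bob", "approve", "CHG-42"),
    ("2025-03-03T09:07:00", "bob", "execute", "CHG-42"),   # same identity approved + executed
    ("2025-03-03T10:00:00", "alice", "login", None),
    ("2025-03-03T10:02:00", "alice", "execute", "CHG-43"),
    ("2025-03-03T10:01:00", "svc-backup", "approve", "CHG-43"),
]

def sod_violations(events):
    """Return {change_id: identities} where one identity both approved and executed."""
    by_change = defaultdict(lambda: defaultdict(set))
    for _, who, action, change in events:
        if change and action in ("approve", "execute"):
            by_change[change][action].add(who)
    return {c: a["approve"] & a["execute"] for c, a in by_change.items()
            if a["approve"] & a["execute"]}

def stale_access(identities, as_of):
    """Identities that still hold roles after their employment end date."""
    cutoff = datetime.fromisoformat(as_of)
    return sorted(who for who, (end, roles) in identities.items()
                  if end and datetime.fromisoformat(end) < cutoff and roles)

def activity_after_leaving(identities, events):
    """Events generated by identities whose access should already be removed."""
    out = []
    for ts, who, action, change in events:
        end = identities.get(who, (None, set()))[0]
        if end and datetime.fromisoformat(ts) > datetime.fromisoformat(end):
            out.append((ts, who, action, change))
    return out

def identity_chain(events, who):
    """Ordered timeline for one identity: login, approvals and executions together."""
    return sorted((ts, action, change) for ts, w, action, change in events if w == who)
```

Run against real data, the same three checks give a reviewer the SoD breach, the offboarding delay and the leaver's post-departure actions as one correlated record rather than three separate searches.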
Threat narrative
Attacker objective: The objective is to gain unauthorised control of critical infrastructure identities and systems in ways that weaken availability, reporting, and accountability.
- Entry occurs when attackers exploit weak identity controls, such as compromised credentials or unauthorised login attempts against critical infrastructure systems.
- Escalation follows when over-privileged accounts, weak role design, or missing separation of duties let the actor move from access to control over sensitive functions.
- Impact is regulatory and operational, including disrupted availability, delayed incident reporting, and incomplete evidence for audit or government review.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity evidence has become a regulatory control, not just a security control: SOCI turns identity logs, access reviews, and privileged activity into compliance artefacts that regulators can ask to see. That changes the burden on IAM and IGA teams because the programme must prove control effectiveness, not merely state policy. Critical infrastructure operators should treat identity telemetry as part of their resilience evidence set.
Least privilege only works when role design keeps pace with operational change: SOCI’s risk-management logic assumes access matches job function, but critical infrastructure often accumulates exceptions, shared duties, and inherited permissions. That creates governance drift that RBAC alone cannot hide. Practitioners need to recognise that stale roles and delayed offboarding are the control failures most likely to matter under audit.
Separation of duties is a resilience requirement when access can affect availability: The ERP amendments make it clear that one identity should not be able to both approve and execute high-risk actions in regulated environments. That is not merely a fraud prevention issue; it is a resilience issue because concentrated authority increases blast radius. Critical infrastructure security programmes should treat SoD violations as operational risk, not only compliance drift.
Real-time detection must be identity-correlated to be useful under incident reporting rules: SOCI obligations elevate the importance of linking alerts, identities, and response records into a single investigatory chain. Alerts without identity context cannot support 12-hour or 72-hour reporting decisions with confidence. The implication is that monitoring stacks and IAM programmes must be governed together, not separately.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, reinforcing how governance gaps become attack paths.
- For a broader identity governance lens, see Top 10 NHI Issues for the control failures that most often surface in NHI programmes.
What this signals
Identity governance is becoming part of resilience engineering: critical infrastructure teams should expect regulators to test whether access controls, review cycles, and audit trails are operationally usable during an incident, not just documented on paper. For programmes that still treat IAM as an administrative layer, SOCI is a clear sign that access evidence now carries operational weight. See also the Ultimate Guide to NHIs, Regulatory and Audit Perspectives.
Role design and offboarding are the fastest path to reducing compliance risk: if an organisation cannot prove that leavers, movers, and privileged users are handled promptly, it will struggle to satisfy both security and reporting obligations. The strongest indicator of maturity is not how many controls exist, but whether access changes happen before risk compounds.
Zero Trust in regulated sectors only works when identity telemetry is usable: continuous verification means little if operators cannot join authentication events, privilege use, and incident evidence into one traceable chain. That is why SOCI-style requirements push IAM, SIEM, and governance teams into the same operating model. Refer to NIST SP 800-207 Zero Trust Architecture for the architectural baseline.
For practitioners
- Rebuild access evidence chains: tie each critical system to an owner, a role model, an authentication control, and a log source so incident reporting can be supported without manual reconstruction.
- Automate lifecycle changes for regulated identities: remove manual delay from onboarding, role changes, and offboarding for staff, contractors, and privileged accounts that touch SOCI-covered assets.
- Enforce separation of duties in high-risk workflows: block any access path where one identity can approve and execute the same sensitive action, especially where availability or incident response could be affected.
- Correlate identity logs with SIEM detections: ensure privileged activity, login attempts, and identity changes are searchable together so root cause analysis can be performed quickly during reporting windows.
Key takeaways
- SOCI and the ERP 2024 amendments make identity governance a regulatory requirement for critical infrastructure, not just a security preference.
- The practical burden is evidence: operators need auditable access control, lifecycle management, and identity-correlated logging that can stand up in reporting and review.
- The controls most likely to reduce both compliance and operational risk are role discipline, separation of duties, and fast removal of stale access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions and privileged control align with SOCI identity governance requirements. |
| NIST Zero Trust (SP 800-207) | General | SOCI-style identity evidence depends on continuous verification and identity-centric telemetry. |
| NIST SP 800-63 | General | Authentication assurance matters for critical infrastructure users and privileged operators. |
Use zero trust principles to tie authentication, authorisation, and monitoring together.
Key terms
- Critical Infrastructure Identity Governance: The set of identity controls that protect regulated services by linking access, authentication, privilege, logging, and lifecycle management to compliance obligations. In practice, it turns IAM evidence into an operational control that can be tested during audits, incident reporting, and resilience reviews.
- Separation of Duties: A control that prevents one identity from both approving and executing the same high-risk action. In critical infrastructure, it reduces fraud and misuse, but it also limits operational blast radius by preventing concentrated authority from becoming a single point of failure.
- Identity Lifecycle Management: The process of managing access from onboarding through role change to offboarding so permissions stay aligned with current duty and risk. For regulated environments, lifecycle management is only effective when changes happen quickly enough to prevent stale access from becoming reportable exposure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Zero Trust SOCI Act 2018 IAM Obligations for Critical Infrastructure. Read the original.
Published by the NHIMG editorial team on 2025-07-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org