TL;DR: Australia’s SOCI Act now extends across 11 sectors and requires asset registration, risk management programs, incident notification, and resilience measures, according to Commvault. For IAM teams, the practical shift is that identity, access, supplier, and recovery controls now sit inside enforceable critical-infrastructure governance, not side programmes.
At a glance
What this is: This is an analysis of Australia’s SOCI Act and its expansion into enforceable critical-infrastructure governance across 11 sectors.
Why it matters: It matters because identity, access, supplier, and recovery controls now have regulatory weight for both legacy operators and newer entrants building governance from the ground up.
By the numbers:
- The act has expanded from 4 sectors to 11 sectors across the economy.
- If the impact is significant, notification must occur within 12 hours.
- For relevant but lower-severity incidents, notification is required within 72 hours.
👉 Read Commvault’s analysis of SOCI obligations for critical infrastructure teams
Context
SOCI is a critical-infrastructure law that turns security and resilience expectations into enforceable obligations for operators of essential assets. Its relevance to identity programmes is straightforward: once regulation demands asset visibility, incident reporting, and third-party accountability, IAM and lifecycle governance stop being supporting controls and become part of the operating model.
The article’s central point is that critical-infrastructure maturity is no longer confined to traditional utilities. Newer entrants in healthcare, education, transport, communications, and data services must build asset registers, risk programs, and response processes while also proving who can access what, under which conditions, and how that access is governed across suppliers and internal teams.
Key questions
Q: How should organisations prepare identity governance for SOCI compliance?
A: Start by linking asset registers to the identities that can access or change those assets, including vendors and service accounts. Then define ownership for privileged access, incident evidence, and offboarding so compliance reporting can be supported quickly. SOCI is easier to meet when IAM, PAM, and recovery evidence are managed as one operating process.
Q: Why do critical infrastructure regulations force stronger access governance?
A: Because regulations such as SOCI make resilience, reporting, and accountability auditable obligations rather than informal expectations. If an organisation cannot show who had access, what changed, and which supplier was involved, it will struggle to prove control under incident review. Access governance becomes part of regulatory defensibility, not just security hygiene.
Q: What breaks when OT access is managed like standard enterprise access?
A: Operational systems often depend on availability, legacy protocols, and vendor support paths that do not fit normal enterprise assumptions. If teams apply broad shared access or delay segmentation, an IT compromise can reach operational systems more easily and response options become limited. The result is a larger blast radius and weaker recovery options.
Q: Who is accountable for incident notification under critical infrastructure law?
A: The regulated asset owner or responsible entity remains accountable even when third parties store data, support systems, or deliver managed services. That means provider contracts, access records, and escalation paths must be clear before an incident occurs. Accountability cannot be delegated away if the service is in scope.
Technical breakdown
How SOCI converts resilience into mandatory governance
SOCI does not simply ask organisations to be secure. It requires operators of critical assets to register assets, maintain a Critical Infrastructure Risk Management Program, notify incidents, and in some cases support government assistance measures. That shifts resilience from a policy aspiration into an auditable governance pattern. For identity teams, the practical consequence is that access control, asset ownership, and incident readiness must be traceable across business units and external providers, because those dependencies now sit inside the regulatory scope.
Practical implication: map identity, supplier, and recovery ownership to the same asset inventory used for SOCI reporting.
Why OT and IT convergence changes access risk
Operational technology environments often rely on legacy devices, older firmware, and proprietary protocols that were not designed with strong authentication or encryption. When OT is connected to enterprise IT and internet-facing systems, the identity boundary widens and lateral movement becomes a realistic failure mode. Least privilege, segmentation, and monitoring matter more in this context because availability constraints make downtime expensive, which often leads teams to tolerate broader access than they would in standard enterprise systems.
Practical implication: segment OT-adjacent access paths and review every standing credential that can reach operational systems.
How incident notification ties identity evidence to compliance
SOCI requires rapid reporting when cyber incidents materially affect essential services, which means organisations need evidence quickly enough to explain what happened and who or what had access. In practice, that pulls IAM logs, privileged activity records, third-party access paths, and recovery actions into the notification workflow. If teams cannot reconstruct access lineage or service-provider involvement quickly, they will struggle to satisfy both the operational and the legal parts of the response requirement.
Practical implication: align IAM logging, PAM records, and supplier access evidence to the incident response process before an event occurs.
NHI Mgmt Group analysis
SOCI shows that critical-infrastructure identity governance is now a compliance control, not just a security control. The article makes clear that asset registration, incident reporting, and risk management are now enforceable obligations rather than voluntary maturity markers. That matters because identity evidence, access ownership, and supplier accountability are part of proving resilience. Practitioners should treat access governance as a regulated control surface, not a back-office administration task.
Asset visibility is the starting point for both SOCI compliance and identity governance. Organisations cannot manage regulated infrastructure if they do not know which assets, accounts, and third parties are connected to the service. This is especially hard for newer entrants that are building governance from scratch. The implication is that identity inventories and asset inventories need to be aligned, or compliance will remain partial and brittle.
OT access pressure exposes the limits of broad standing privilege. The article’s OT discussion shows why availability constraints often produce access exceptions, shared credentials, and delayed segmentation. Those patterns are tolerable until they become the shortest path from IT compromise to operational disruption. Practitioners should read SOCI as a prompt to remove inherited access slack before it becomes a regulatory and operational liability.
Third-party notification duties extend identity accountability beyond the enterprise boundary. SOCI does not stop at internal access controls when a data service provider supports a regulated asset. That means supplier access, offboarding, and incident coordination all become part of the control story. The governance lesson is simple: if a provider can affect a regulated service, its identity lifecycle must be visible and contractually anchored.
Resilience under SOCI depends on recoverable identity evidence, not just recoverable systems. Offline backups and failover are necessary, but they are insufficient if teams cannot prove who accessed what before, during, and after an incident. SOCI therefore pushes identity, logging, and recovery into the same control conversation. Practitioners should design for traceable restoration as well as technical restoration.
From our research:
- From our research: 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- This makes the next step clear: use NHI Lifecycle Management Guide to align governance, provisioning, rotation, and offboarding before scale increases.
What this signals
Identity governance will be judged by whether it can evidence control across assets, suppliers, and recovery paths. SOCI-style regulation rewards organisations that can show a complete chain of accountability, not just a control checklist. The practical shift is toward operational identity evidence that can support reporting, audit, and incident reconstruction.
With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, the same governance discipline that SOCI applies to infrastructure will soon be expected across machine and autonomous identities as well.
Identity blast radius: the shortest path from a regulated asset to an outage is often a standing account that was never re-scoped for the environment it can still reach. That is why OT segmentation, supplier offboarding, and privileged access review need to converge into one governance cadence.
For practitioners
- Build a SOCI-aligned asset and identity register Link regulated assets to the humans, service accounts, vendors, and admin paths that can influence them. Keep ownership current so incident response and reporting can trace access lineage quickly.
- Map third-party access to regulated services Identify every provider that stores, processes, or can reach business-critical data and verify that offboarding, notification, and review obligations are explicit in governance records.
- Reduce standing privilege in OT-adjacent paths Review shared accounts, persistent admin access, and remote support channels that can reach operational systems. Replace broad entitlements with tightly scoped access and logging where downtime constraints allow.
- Align incident evidence with reporting timelines Pre-stage the logs, access records, and escalation ownership needed to support 12-hour and 72-hour reporting duties. Make sure IAM, PAM, and response teams can assemble a defensible timeline without manual data hunting.
Key takeaways
- SOCI turns resilience into a legal requirement, which makes identity governance part of critical-infrastructure compliance rather than a background control.
- The article shows that OT convergence, third-party dependencies, and incident reporting all increase the importance of traceable access ownership.
- Teams that align asset registers, privileged access, and response evidence will be better positioned to prove control under SOCI.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access governance is central to regulated critical-infrastructure operations. |
| NIST Zero Trust (SP 800-207) | SOCI's OT and supplier context fits zero-trust segmentation and verification. | |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege directly addresses the standing access risk described in the article. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance supports regulatory evidence and auditability. |
| GDPR | SOCI-covered sectors such as healthcare and education may also process personal data. |
Map regulated asset access to PR.AC-4 and ensure least privilege is documented across internal and third-party users.
Key terms
- Critical Infrastructure Risk Management Program: A formal program for identifying, assessing, and managing risks to essential services and assets. Under SOCI, it turns resilience into an ongoing governance obligation that must be integrated with operations, incident response, and accountability across internal teams and external providers.
- Operational Technology: Industrial systems that monitor or control physical processes, such as utilities, manufacturing, and transport infrastructure. OT often prioritises availability over rapid change, which makes identity controls, segmentation, and monitoring harder to implement but more important when IT and OT networks converge.
- Standing Privilege: Persistent access that remains available beyond the immediate task or approval window. In regulated environments, standing privilege increases blast radius because it can be reused during incidents, especially when the account can reach critical systems, supplier paths, or operational technology.
- Identity Evidence: Logs, ownership records, approvals, and access histories that show who could act on a system and when. For regulated infrastructure, identity evidence is what allows teams to prove control, reconstruct incidents, and support mandatory reporting within strict timeframes.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- A sector-by-sector explanation of how SOCI obligations differ between legacy operators and newer entrants.
- Examples of how OT environments complicate segmentation, patching, and least-privilege access.
- The specific reporting timelines, incident duties, and governance obligations described in the Act.
- The article’s framing of resilience as a recovery capability rather than only a prevention model.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or NHI governance programme, it is worth exploring.
Published by the NHIMG editorial team on 2025-09-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org