TL;DR: The DoW Zero Trust for Operational Technology framework defines 105 activities across target and advanced phases, extending Zero Trust to mission-critical OT where predictable communications, high availability, and machine-to-machine access create different control constraints than enterprise IT. That makes identity, segmentation, and continuous verification the core design problem, not an overlay.
At a glance
What this is: The DoW Zero Trust for Operational Technology framework adapts Zero Trust principles for mission-critical OT and formalises a two-phase model with 105 total activities.
Why it matters: For IAM and NHI practitioners, it shows that OT identity governance now needs continuous verification, device inventory, and segmentation without disrupting safety or uptime.
By the numbers:
- The framework defines 84 Target activities and 21 Advanced activities, for 105 total activities across OT environments.
- Only 5.7% of organisations have full visibility into their service accounts, underscoring how weak identity inventory remains across environments.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Corsha's analysis of the DoW Zero Trust for OT framework
Context
Zero Trust for operational technology is the application of continuous verification, least privilege, and segmented access to systems that control physical processes. In OT, the challenge is not just who can log in, but which machines, service accounts, and control pathways can interact safely without interrupting mission operations. That is a classic NHI governance problem because device identities and machine credentials often carry the access that keeps industrial systems running.
The DoW framework reflects a broader reality that many IAM programmes still understate: OT cannot be governed as if it were standard enterprise IT. Predictable communications, safety constraints, and high availability narrow the room for aggressive policy changes, so identity controls must be implemented with more care and more telemetry. The starting position described here is increasingly typical for defence and industrial operators, not exceptional.
Key questions
Q: How should security teams apply zero trust to OT without disrupting operations?
A: Start with identity inventory, least privilege, and segmentation that respects safety and uptime. Then move to stronger verification and policy enforcement only after you can observe normal machine behaviour, log decisions, and define safe rollback paths. In OT, the control objective is to reduce implicit trust without creating operational instability.
Q: Why does machine identity matter more in OT than in standard enterprise networks?
A: Because OT traffic is often machine-driven, location-based trust is too weak to distinguish authorised automation from unsafe lateral movement. Machine identity lets defenders enforce policy on the actual actor, not just the subnet. That matters when one unmanaged connection can affect a physical process.
Q: What is the difference between OT network segmentation and identity-based access control?
A: Segmentation limits where traffic can flow, while identity-based control decides whether a specific device, workload, or account should be allowed to act. In OT, both are needed. Segmentation reduces blast radius, but identity control is what stops legitimate-looking traffic from becoming an unsafe command path.
Q: When should teams move from target-phase controls to advanced OT Zero Trust controls?
A: Only after foundational controls are working reliably, including inventory, authentication, monitoring, and zone boundaries. Advanced controls make sense when the organisation can verify expected behaviour, tolerate policy enforcement, and prove that automation will not interfere with safety or high availability.
Technical breakdown
How Zero Trust changes OT identity and access control
Zero Trust in OT is not just a policy label. It requires explicit identity for users, devices, applications, workloads, and the automated paths between them. In operational environments, trust cannot be inferred from network location because segmented zones still contain legacy controllers, shared admin paths, and machine-to-machine flows that were never designed for dynamic authentication. The framework therefore emphasises inventory, strong authentication, least privilege, deny-by-default enforcement, and continuous verification. That combination matters because OT risk often emerges from invisible dependencies rather than obvious perimeter failures.
Practical implication: Practitioners should map every OT identity type and control path before they try to enforce policy.
Why OT segmentation depends on machine identity
Traditional network segmentation limits where traffic can go, but it does not prove that the connecting system is authorised to do what it is asking. OT environments need machine identity because the same protocol may be used by safe, expected automation and by unsafe lateral movement. Identity-bound enforcement can distinguish a maintenance workstation, an HMI, and a monitoring agent even when they share the same network segment. That makes identity the decision point for access, not just the subnet. In OT, this is especially important because broad network rules can be too blunt to protect control systems without harming operations.
Practical implication: Teams should tie segmentation policy to machine identity, not only IP ranges or VLANs.
Target and advanced phases as an operational maturity model
The framework separates foundational controls from adaptive controls because OT programmes rarely jump straight to real-time policy automation. Target phase controls establish inventory, monitoring, and least privilege. Advanced phase controls add continuous verification, context-aware policy adjustment, and response automation, but only where safety and reliability can be preserved. That structure is useful because it turns Zero Trust from a one-time architecture decision into an operational maturity path. For practitioners, the technical question is not whether to automate, but where automation can safely replace manual approvals and where it must remain supervised.
Practical implication: Use the target phase to stabilise identity basics before introducing adaptive enforcement.
Breaches seen in the wild
- MongoBleed breach: secrets exposed across 87K MongoDB servers.
- iOS app secrets leakage report: iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Zero Trust for OT is an identity problem before it is a network problem. The framework is strongest where it treats users, devices, workloads, and automation as distinct control subjects. That matches NHI reality in industrial environments, where service accounts and machine credentials often mediate the most sensitive actions. Practitioners should treat OT Zero Trust as identity architecture work, not a firewall tuning exercise.
Machine identity becomes the practical control plane for safe OT segmentation. In OT, network boundaries alone cannot tell safe automation from unsafe movement. Identity-aware policy gives defenders a way to preserve availability while still stopping unauthorised command paths. The field should expect more emphasis on verifiable machine identity, not just network zoning, in OT governance programmes.
OT modernisation will force IAM teams to own the safety trade-off. The moment policy becomes adaptive, identity teams inherit decisions about latency, fail-safe behaviour, and operational exceptions. That is not a reason to avoid Zero Trust. It is a reason to formalise policy boundaries, approval paths, and rollback conditions before automation reaches production.
Ephemeral control is the right model for OT only when it is observable. A dynamic access model without reliable logs, telemetry, and accountability creates blind spots that are especially risky in operational systems. The likely direction of the market is toward identity enforcement that can prove why access was granted, not just whether it was blocked. Practitioners should require evidence, not assumptions, when they modernise OT access.
Zero Trust for OT will accelerate convergence between IAM, PAM, and machine identity governance. The framework implicitly shows that OT access is no longer separable into human and non-human lanes. The real governance task is to manage privilege, continuity, and accountability across IAM, PAM, and machine identity governance as one discipline. Teams should align their operating model before they expand deployment scope.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly identity remediation can trail exposure.
- Top 10 NHI Issues explains why inventory, privilege, and rotation failures often cluster into the same governance gap.
What this signals
Identity blast radius: OT programmes now need a practical way to measure how far a compromised machine credential can move before it touches a safety-critical system. That metric is more useful than abstract trust scores because it links identity governance to operational impact. The better the map of machine-to-machine privilege, the easier it becomes to justify segmentation and enforcement changes.
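The blast-radius metric described above can be computed directly from a machine-to-machine privilege map. The Python below is an added example, not code from the DoW framework, Corsha, or the original post; the identities, systems, privilege labels and the choice of which systems count as safety-critical are all constructed for illustration. It treats the inventory as a directed graph (identity, system it can authenticate to, privilege carried there), walks it breadth-first from a compromised credential, and reports the fewest pivots to a safety-critical system, how many systems are reachable at all, and which critical systems some reachable identity can write to.

```python
"""Identity blast radius over a machine-to-machine privilege map.

Added example, not taken from the DoW framework or the original post.
The inventory below is constructed for illustration; every identity,
system and privilege label in it is an assumption.
"""
from collections import deque

# Constructed privilege map: identity -> {system it can authenticate to: privilege
# its credential carries there}. The model is deliberately conservative: once a
# credential is compromised, the attacker is assumed to pivot along any edge, and
# "write" edges are the ones that can change a physical process.
PRIVILEGE_MAP = {
    "maint-laptop":     {"eng-workstation": "admin", "hmi-01": "read"},
    "eng-workstation":  {"plc-line1": "write", "historian-svc": "read"},
    "hmi-01":           {"plc-line1": "write"},
    "monitoring-agent": {"plc-line1": "read", "sis-controller": "read"},
    "historian-svc":    {"hmi-01": "read"},
    "plc-line1":        {},
    "sis-controller":   {},
}

# Systems whose compromise touches a safety function (assumed for the example).
SAFETY_CRITICAL = {"plc-line1", "sis-controller"}


def reachable(start, privilege_map=PRIVILEGE_MAP):
    """Breadth-first search from a compromised identity.

    Returns {system: (hops, path)} for every system the credential can pivot
    to, with the shortest path found. `start` itself is excluded.
    """
    seen = {start: (0, [start])}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        hops, path = seen[node]
        for target in privilege_map.get(node, {}):
            if target not in seen:
                seen[target] = (hops + 1, path + [target])
                queue.append(target)
    del seen[start]
    return seen


def blast_radius(start, privilege_map=PRIVILEGE_MAP, critical=SAFETY_CRITICAL):
    """Measure how far a compromised credential can move before it touches
    a safety-critical system.

    hops_to_critical: fewest pivots to any safety-critical system (None if unreachable)
    reach:            number of systems the credential can reach at all
    write_reachable:  safety-critical systems that some reachable identity can write to
    """
    reach = reachable(start, privilege_map)
    sources = {start} | set(reach)
    critical_hops = [hops for system, (hops, _) in reach.items() if system in critical]
    write_reachable = sorted(
        system for system in critical
        if any(privilege_map.get(node, {}).get(system) == "write" for node in sources)
    )
    return {
        "hops_to_critical": min(critical_hops) if critical_hops else None,
        "reach": len(reach),
        "write_reachable": write_reachable,
    }


def rank_by_blast_radius(privilege_map=PRIVILEGE_MAP, critical=SAFETY_CRITICAL):
    """Identities that can reach a safety-critical system, most dangerous first:
    fewest hops, then most write-capable critical targets, then widest reach."""
    rows = []
    for identity in privilege_map:
        if identity in critical:
            continue
        r = blast_radius(identity, privilege_map, critical)
        if r["hops_to_critical"] is not None:
            rows.append((identity, r["hops_to_critical"], len(r["write_reachable"]), r["reach"]))
    return sorted(rows, key=lambda row: (row[1], -row[2], -row[3]))


if __name__ == "__main__":
    for identity, hops, writes, reach in rank_by_blast_radius():
        print(f"{identity:17s} hops_to_critical={hops} write_capable_critical={writes} reach={reach}")
```

The ranking is what makes the metric actionable: in this constructed map the engineering workstation and the HMI are one hop from a writable PLC, the monitoring agent is also one hop away but can only read, and the maintenance laptop is two hops away yet reaches the most systems. Removing a single standing credential and re-running the ranking shows whether a proposed segmentation or privilege change actually lengthens the path to the safety-critical system, which is the justification the text asks for.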
With the Ultimate Guide to NHIs and Why NHI Security Matters Now showing that NHIs outnumber human identities by 25x to 50x in modern enterprises, the governance burden is already larger than most teams plan for. OT adds a second constraint set, so IAM leaders should expect more exceptions, more telemetry, and more policy drift unless they define ownership early.
The next programme-level question is not whether Zero Trust applies to OT. It is whether identity, PAM, and OT operations can share a policy model that preserves safety while proving access decisions. Teams that cannot answer that question will struggle to scale beyond pilot environments.
For practitioners
- Inventory every OT identity type: Build a complete register of users, devices, applications, workloads, and machine-to-machine paths. Include shared accounts, maintenance laptops, HMIs, service accounts, and non-person entities that can trigger or alter operational processes.
- Apply deny-by-default at control-zone boundaries: Use policy enforcement that blocks unmanaged systems and restricts lateral movement between OT zones unless the machine identity, context, and purpose are explicitly authorised.
- Separate target-phase from advanced-phase controls: Stabilise inventory, authentication, and segmentation first. Only then introduce adaptive verification, automated response, and contextual policy adjustments in areas where outages or latency will not create safety risk.
- Instrument identity-led telemetry for auditability: Log authentication events, policy decisions, and denied connections in a way that can be correlated with OT monitoring systems and incident response workflows.
- Align OT exceptions with formal approval paths: Document where human approval is still required, especially for writes to control systems, emergency operations, and maintenance access that crosses segmentation boundaries.
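The practitioner checklist above, and the earlier point that identity-bound enforcement must distinguish a maintenance workstation, an HMI, and a monitoring agent that share a segment, come together in a small policy decision point. The Python below is an added example, not code from the DoW framework, Corsha, or the original post; the identities, zones, target, rule names, approval ticket format and log layout are all constructed for illustration. It keys every decision on machine identity rather than address, denies anything unmatched or unmanaged, requires a human approval ticket for maintenance writes to the controller, and records each decision with the rule and reason so the log can say why access was granted, not only whether it was blocked.

```python
"""Identity-bound, deny-by-default access decisions at an OT zone boundary.

Added example, not taken from the DoW framework or the original post.
The identities, zones, targets, rule names, approval ticket format and log
layout are constructed for illustration.
"""
import json

# Constructed inventory keyed by machine identity (think certificate subject
# or SPIFFE-style name), not by address. Two entries share 10.20.1.0/24 on
# purpose: the subnet cannot tell them apart, the identity can.
INVENTORY = {
    "hmi-01.cell3.plant":     {"kind": "hmi",                     "zone": "cell3"},
    "maint-laptop-07.plant":  {"kind": "maintenance_workstation", "zone": "cell3"},
    "monitor-agent-02.plant": {"kind": "monitoring_agent",        "zone": "dmz"},
}

# Allow rules, evaluated top to bottom; the first match decides. A request that
# matches nothing is denied. `approval` marks actions that still need a human
# approval ticket even when the identity and action are otherwise permitted.
RULES = [
    {"id": "R1-hmi-operate",      "identity": "hmi-01.cell3.plant",  "target": "plc-line1", "actions": {"read", "write"}, "approval": False},
    {"id": "R2-monitor-readonly", "kind": "monitoring_agent",        "target": "plc-line1", "actions": {"read"},          "approval": False},
    {"id": "R3-maint-write",      "kind": "maintenance_workstation", "target": "plc-line1", "actions": {"write"},         "approval": True},
    {"id": "R4-maint-read",       "kind": "maintenance_workstation", "target": "plc-line1", "actions": {"read"},          "approval": False},
]

AUDIT_LOG = []


def _record(identity, source_ip, target, action, allowed, rule_id, reason):
    """Append one structured decision and return (allowed, reason)."""
    AUDIT_LOG.append({
        "identity": identity, "source_ip": source_ip, "target": target, "action": action,
        "decision": "allow" if allowed else "deny", "rule": rule_id, "reason": reason,
    })
    return allowed, reason


def decide(identity, source_ip, target, action, approval_ticket=None):
    """Policy decision for one request. The source IP is logged for
    correlation with network monitoring but never used to decide."""
    attrs = INVENTORY.get(identity)
    if attrs is None:
        return _record(identity, source_ip, target, action, False, None, "unmanaged identity")
    for rule in RULES:
        if rule.get("identity", identity) != identity:
            continue
        if rule.get("kind", attrs["kind"]) != attrs["kind"]:
            continue
        if rule["target"] != target or action not in rule["actions"]:
            continue
        if rule["approval"] and not approval_ticket:
            return _record(identity, source_ip, target, action, False, rule["id"], "human approval required")
        reason = "rule matched" + (f", approval {approval_ticket}" if approval_ticket else "")
        return _record(identity, source_ip, target, action, True, rule["id"], reason)
    return _record(identity, source_ip, target, action, False, None, "no matching rule, deny by default")


def audit_jsonl():
    """The decision log as JSON lines, ready to ship alongside OT telemetry."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in AUDIT_LOG)


if __name__ == "__main__":
    decide("hmi-01.cell3.plant", "10.20.1.11", "plc-line1", "write")
    decide("maint-laptop-07.plant", "10.20.1.12", "plc-line1", "write")
    decide("maint-laptop-07.plant", "10.20.1.12", "plc-line1", "write", approval_ticket="CHG-1042")
    decide("monitor-agent-02.plant", "10.30.0.5", "plc-line1", "write")
    decide("unknown-host", "10.20.1.99", "plc-line1", "read")
    print(audit_jsonl())
```

Two design choices carry the point of the section. First, the HMI and the maintenance laptop sit on the same subnet and both may write to the PLC, but only the laptop's write is gated on an approval ticket; no IP-based rule can express that distinction. Second, the denial path for an unmanaged identity is explicit and logged with a null rule, so a deny-by-default outcome leaves the same evidence trail as an allow and can be correlated with the network sensor that saw the connection attempt.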
Key takeaways
- Zero Trust for OT shifts the security problem from perimeter control to identity-aware enforcement across machines, workloads, and control paths.
- The framework’s two-phase model reflects OT reality: foundational inventory and least privilege must come before adaptive automation.
- IAM and NHI teams need shared ownership of OT access decisions because segmentation alone cannot prove which machine is authorised to act.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorisations incorporate least privilege and separation of duties) | OT access decisions need least privilege and device-aware authorisation. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | The framework directly applies zero trust to OT identity, segmentation, and verification. |
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets; NHI5:2025 Overprivileged NHI | OT service accounts and machine credentials require rotation, lifecycle control, and least privilege. |
Review NHI rotation and lifecycle practices for OT identities and remove standing credentials.
Key terms
- Operational Technology Zero Trust: A security model that applies continuous verification and least privilege to industrial systems that control physical processes. It differs from enterprise Zero Trust because availability, deterministic communications, and safety constraints shape where enforcement can be introduced and how aggressively policy can change.
- Machine Identity: A unique, verifiable identity assigned to a non-human system such as a device, workload, service account, or automation path. In OT, machine identity is the mechanism that lets policy distinguish trusted operational actions from unsafe or unauthorised traffic.
- Identity-based Microsegmentation: A segmentation approach that uses identity, context, and policy to decide whether a connection should be allowed inside a network zone. In OT, it helps reduce lateral movement without relying only on IP addresses or broad subnet rules.
- Target and Advanced Activities: A two-stage maturity model that separates foundational controls from adaptive, real-time enforcement. The target stage focuses on inventory, authentication, and monitoring, while the advanced stage adds contextual policy and automated response where safety can tolerate it.
Deepen your knowledge
Zero Trust for OT, machine identity, and segmented access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an OT governance model from a similar starting point, it is worth exploring.
This post draws on content published by Corsha: the DoW Zero Trust for Operational Technology framework and machine identity implications. Read the original.
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org