TL;DR: CISA’s OT Zero Trust guidance argues that air gaps are no longer a reliable security assumption because remote access, cloud-connected interfaces and IT/OT integration create unavoidable paths into critical systems, according to Appgate’s analysis of the guide. Logical segmentation, identity-centric access and continuous validation now define practical OT defence, not perimeter myths.
At a glance
What this is: This is an analysis of CISA’s OT Zero Trust guidance, which says air gaps are no longer enough and that segmentation, secure remote access and identity-aware controls must now protect operational technology.
Why it matters: It matters because IAM and PAM teams increasingly shape OT exposure through who can connect, how access is verified and whether privileged routes are continuously constrained across converged IT/OT environments.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Appgate’s analysis of Zero Trust access for OT environments
Context
Operational technology once relied on physical separation to reduce attack exposure, but that model breaks down when remote vendors, cloud services and corporate integrations become part of day-to-day operations. For OT security, the question is no longer whether paths into the environment exist, but whether those paths are tightly governed, continuously verified and constrained to the minimum required access.
This also creates an identity problem, not just a network problem. If access to OT is mediated by service accounts, remote-user credentials, certificates or third-party connections, then IAM, PAM and NHI governance become part of the OT control plane. The starting assumption in this article is increasingly typical, not exceptional, for modern critical infrastructure.
Key questions
Q: What fails when organisations treat OT as air-gapped in practice?
A: The failure mode is assuming that physical or logical separation still exists after remote support, cloud integration and vendor connectivity are added. Once those paths are present, the real control problem is access governance. Organisations lose visibility into who can reach which assets, and they often discover that old network boundaries no longer match operational reality.
Q: Why do OT environments need identity-aware access controls?
A: OT systems need identity-aware controls because network location alone no longer tells you whether access is legitimate, necessary or safe. Identity, device posture and policy are now the factors that determine whether a session should exist at all. That is especially important where privileged access can affect safety, uptime and recovery.
Q: How do security teams know whether OT segmentation is actually working?
A: Look for whether access is limited to the exact assets, protocols and sessions required, and whether unused routes remain invisible when not in use. If broad subnets are still reachable, or if policy depends on manual exceptions, segmentation is only cosmetic. Effective OT segmentation is measurable through reduced reachable surface and enforced session scope.
Q: Who is accountable when remote access into OT is mismanaged?
A: Accountability should sit with the owners of privileged access, OT operations and security governance together, because OT connectivity now blends network, identity and operational risk. The relevant frameworks are those that require least privilege, strong access control and continuous monitoring. In practice, accountability must include both the team approving access and the team operating the boundary.
Technical breakdown
Why air gaps fail as an OT security model
An air gap is a physical or logical separation meant to prevent direct connectivity between trusted and untrusted environments. In modern OT, that separation is routinely weakened by remote administration, shared corporate connectivity, managed service providers and cloud-linked monitoring tools. The result is not a clean boundary but a collection of hidden routes that can be misconfigured, over-permitted or left unmonitored. Zero Trust for OT does not assume the absence of routes. It assumes every route must be explicitly authorised, continuously validated and limited to the exact asset, protocol and user context required.
Practical implication: map every path into OT, including third-party and indirect access, before treating segmentation as effective.
Identity-centric access and segmentation in converged IT/OT networks
Identity-centric access shifts the control point from network location to authenticated subject, device posture and policy. In OT, that matters because broad subnet reach creates unnecessary blast radius when a vendor, engineer or operator only needs access to one controller, historian or remote terminal. Strong segmentation narrows that radius, while identity-aware policy determines whether the connection is allowed at all. This is where IAM and PAM intersect with OT: privileged access must be task-scoped, auditable and revocable, not just permitted by network position. The control objective is to create narrow, disposable access paths that do not expose the wider operational fabric.
Practical implication: enforce per-session, per-resource access for OT administrators and vendors instead of subnet-level reach.
DDIL conditions change how OT controls must behave
DDIL means disconnected, degraded, intermittent and limited-bandwidth conditions. In OT, those conditions are common, not edge cases, because remote sites, safety systems and critical services cannot depend on always-on connectivity to central control planes. Security controls that require constant cloud reachability or heavyweight backhaul often fail when operations need them most. A resilient OT access model must continue enforcing policy locally, preserve low-latency control paths and support staged isolation during incidents. This is a governance and architecture issue at the same time: the access model has to keep working when the network is under stress.
Practical implication: validate that OT access enforcement still works when links degrade or central connectivity is lost.
NHI Mgmt Group analysis
Air-gap thinking is now a liability when OT connectivity is operationally unavoidable. Once vendors, cloud services and remote engineers require access, the question becomes how to govern the route, not whether to pretend it does not exist. That shifts OT from a perimeter conversation into a privilege and verification conversation. For identity teams, this means OT access is part of the enterprise access model, not a separate exception.
Logical OT isolation: the useful security concept here is not a perfect air gap but a continuously enforced isolation boundary. The article shows that segmentation, cloaking and identity-aware access are now the practical substitutes for physical separation. That has direct implications for IAM, PAM and NHI governance because every OT access path becomes a privileged identity path that must be lifecycle-managed, monitored and revoked.
OT access governance will increasingly look like zero standing privilege for machines and operators alike. Long-lived network trust does not fit systems that must stay online during disruption, maintenance and incident response. The governance pattern that survives is narrow, time-bounded access with strong authentication and local enforcement. Practitioners should expect OT access reviews to converge with privileged access reviews rather than sit in separate silos.
The identity of the access path matters as much as the identity of the user. In converged environments, certificates, service accounts and remote vendor credentials can become the real entry point into critical systems. That makes non-human identity governance a first-class OT control, especially where third-party support and remote operations are routine. Teams that ignore machine and vendor identities will miss the actual enforcement boundary.
This guidance validates a broader market shift toward policy-enforced connectivity for critical infrastructure. The market is moving away from implicit trust in flat remote access and toward identity-gated, continuously evaluated pathways that can survive degraded conditions. For practitioners, the message is clear: redesign access governance around operational reality, not legacy network diagrams.
What this signals
Logical OT isolation is becoming the operative control pattern for critical infrastructure. As connectivity becomes unavoidable, security teams will need to prove that every route into OT is identity-gated, continuously verified and locally enforceable, even when central services are unavailable.
This is where non-human identity governance becomes operationally relevant to OT rather than merely adjacent to it. Remote support accounts, certificates and service credentials create privileged paths that should be reviewed alongside human admin access, not managed as separate exceptions.
Programmes that can enforce narrow access under degraded conditions will have a material advantage in resilience planning, especially where safety, uptime and vendor access intersect.
For practitioners
- Map all OT entry paths Inventory every remote vendor, administrator, service account and integration that can reach OT, then classify each path by asset, protocol and business purpose. Treat undocumented connectivity as a control failure, not an exception.
- Enforce identity-gated OT access Require strong authentication, device verification and least-privilege policy before any OT session is established. Avoid subnet-level access that exposes more controllers, historians or engineering workstations than the task requires.
- Move segmentation into policy enforcement Treat segmentation as a dynamic control with change review, monitoring and revocation, rather than a one-time network design choice. Use the same access governance workflow for OT routes that you use for privileged IT access.
- Test access under degraded conditions Validate that OT policy enforcement continues to work when links are intermittent, bandwidth is limited or the central control plane is unreachable. If controls fail under DDIL conditions, the architecture is not resilient enough for critical infrastructure.
- Include third-party and NHI paths in privileged reviews Bring vendor accounts, certificates, API-based connections and service credentials into the same review process as human privileged access. OT compromise often begins with the credential that was least visible, not the account that was most obvious.
Key takeaways
- OT security can no longer rely on the assumption that air gaps remain intact once remote access, cloud links and vendor connections are introduced.
- Identity, segmentation and continuous verification now form the practical control set for converged IT/OT environments, especially where privileged and non-human access is involved.
- The strongest OT programmes will be the ones that can preserve narrow, enforceable access even when connectivity degrades or central control is unavailable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | OT Zero Trust depends on access permissions and segmentation. |
| NIST Zero Trust (SP 800-207) | Section 2.1 | The article directly applies Zero Trust principles to OT networks. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to narrowing OT access exposure. |
| CIS Controls v8 | CIS-5 , Account Management | OT vendor and administrator access must be governed as accounts. |
Track and review OT accounts under CIS-5, including third-party and remote support identities.
Key terms
- Logical Air Gap: A logical air gap is an access model that preserves isolation through policy, segmentation and verification rather than physical separation alone. In OT environments, it limits who can connect, what they can reach and under what conditions, even when remote access is unavoidable.
- DDIL: DDIL stands for disconnected, degraded, intermittent and limited-bandwidth conditions. It describes operating environments where security controls must continue functioning despite poor connectivity, reduced central visibility or temporary loss of control-plane reachability, which is common in remote industrial and mission-critical settings.
- Identity-Centric Access: Identity-centric access uses authenticated user, device and policy context to decide whether a connection should exist. Instead of trusting a network location or VPN presence, it constrains each session to the minimum necessary scope and supports stronger oversight of privileged routes into sensitive systems.
- Converged IT/OT Environment: A converged IT/OT environment is one where business systems and operational control systems share connectivity, integrations or management processes. That convergence improves efficiency but also creates new attack paths, making access governance, segmentation and monitoring part of both enterprise and industrial security.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- How AppGate ZTNA is positioned to enforce per-session OT access without exposing broad subnet reach
- The direct-routed and infrastructure-cloaking design choices described for constrained industrial environments
- The DDIL resilience discussion and how the vendor maps its architecture to disconnected or degraded conditions
- The federal deployment context the article uses to support its operational claims
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security and secrets management for practitioners who need stronger control over privileged and non-human access. It is designed for teams aligning identity governance with broader security and operational resilience programmes.
Published by the NHIMG editorial team on 2026-05-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org