TL;DR: OT security can no longer rely on air gaps as IT and OT converge, and the article argues that zero trust must be implemented through a phased assessment, strategy, roadmap, and execution model rather than a wholesale technology swap. The operational challenge is less the why than the how, especially when legacy identities, latency, and uptime requirements constrain standard IT ZTNA patterns.
At a glance
What this is: This is an OT zero trust blueprint that argues traditional air-gapped assumptions no longer hold and that zero trust must be operationalised in phases.
Why it matters: It matters to IAM and security practitioners because OT environments still depend on identity, access, and availability decisions that can fail when enterprise controls are forced onto critical systems without adaptation.
👉 Read Appgate's blueprint for zero trust in OT system security
Context
Operational technology once depended on physical isolation, but IT and OT convergence has eroded that model and expanded the attack surface for critical infrastructure. The first problem is not a missing product, it is a governance gap: most organisations need a way to introduce verification, segmentation, and access control without breaking uptime or safety.
The identity angle is real even in OT. Legacy operators, service access, and administrative pathways still need control, but they often sit outside modern IAM patterns and are frequently managed as exceptions. That makes OT zero trust a programme design problem as much as a network design problem.
Key questions
Q: How should organisations apply zero trust in operational technology without disrupting production?
A: Start with a protect surface assessment, then phase controls around the most critical assets and access paths. In OT, zero trust works only when the organisation respects uptime, safety, and legacy system constraints. Treat access policy as a controlled transition, not a blanket enforcement exercise, and validate each step against operator workflows and recovery requirements.
Q: Why do standard IT access controls often fail in OT environments?
A: Standard IT access controls often assume modern identity systems, flexible routing, and maintenance windows that OT does not have. OT frequently depends on proprietary identities, deterministic traffic, and continuous availability. When those constraints are ignored, access controls can create latency, downtime, or exceptions that undermine both security and operations.
Q: What breaks when legacy identity systems are ignored in OT zero trust programmes?
A: If legacy identity sources are bypassed, organisations often create shadow processes, manual exceptions, or brittle migrations that weaken governance. OT access paths rarely disappear just because a modern identity platform is introduced. The result is usually fragmented control, unclear accountability, and more operational risk than the original model had.
Q: Who is accountable when zero trust changes affect OT uptime or safety?
A: Accountability should sit with the cross-functional governance group that includes OT operations, security, and engineering leadership. Zero trust in OT is not just a technical project, because access decisions can affect production stability and safety. Teams need clear owners for policy approval, exception handling, rollback, and operational risk acceptance.
Technical breakdown
Assessment and readiness baselines for OT zero trust
A workable OT zero trust programme starts with an objective view of current maturity, asset criticality, and operational constraints. Assessment is not just inventory. It is a read on where identity dependencies, network paths, and exception handling already exist, and where change would create unacceptable risk. In OT, the point is to identify what can be segmented, verified, or mediated without disrupting process control or recovery expectations. The output should be a defensible baseline for sequencing control changes, not a compliance snapshot.
Practical implication: build the first phase around protect surface mapping, identity dependency discovery, and downtime constraints before choosing controls.
Direct-routed ZTNA, legacy identity integration, and uptime
Standard IT ZTNA often fails in OT because cloud routing can introduce latency and protocol mismatches that critical systems cannot tolerate. A direct-routed model keeps sensitive operational traffic on the local network, which preserves determinism and reduces the risk of control-path disruption. The other hard constraint is identity fragmentation. Many OT estates rely on proprietary or siloed identity systems that cannot be replaced quickly, so the access model must integrate with them rather than force immediate migration. Availability also matters because patching and upgrades cannot assume maintenance windows in 24/7 environments.
Practical implication: insist on architecture that supports local routing, existing identity sources, and non-disruptive upgrades before extending zero trust into production OT.
Dual roadmaps for policy enforcement and enablement
The article's four-phase model is important because it separates policy intent from the technology and process work needed to enforce it. That distinction matters in OT, where new restrictions can fail if telemetry, exception handling, change control, or operator workflows are not ready. A dual roadmap allows teams to phase access policy enforcement while also building the supporting controls, communications, and operational guardrails. This is closer to programme governance than one-off tooling deployment, and it reflects the reality that OT risk is managed through controlled transition, not abrupt replacement.
Practical implication: run policy enforcement and enablement in parallel so access changes land only when monitoring, exception paths, and operator workflows are ready.
NHI Mgmt Group analysis
Air-gap thinking has become a governance liability in converged OT environments. Physical separation once reduced exposure, but IT and OT convergence has turned isolation into an incomplete control rather than a sufficient one. Once remote monitoring and enterprise integration enter the picture, identity and access boundaries matter more than the old network myth. The practitioner conclusion is straightforward: treat OT access as governed trust, not assumed safety.
OT zero trust fails when teams confuse policy intent with deployable control design. The article correctly frames execution as the real problem, because the right access policy can still be operationally unsafe if routing, legacy identity, or uptime constraints are ignored. This is where NIST CSF and NIST SP 800-207-style principles become practical, not theoretical. The practitioner conclusion is to sequence controls around operational survivability first.
Legacy identity integration is the named concept that OT programmes keep underestimating. Many OT environments cannot be secured by swapping in a modern identity provider because they contain proprietary access paths, long-lived operator workflows, and exception-heavy administration. That creates a boundary problem between access governance and operational continuity. The practitioner conclusion is to design for federation, mediation, and phased migration rather than wholesale identity replacement.
Zero trust in OT is a resilience programme, not a pure security programme. The success criteria the article highlights are uptime, safety, and operational continuity, which means the control set must be judged against failure tolerance rather than IT convenience. That makes cross-functional governance essential, with OT stakeholders driving what can actually be enforced. The practitioner conclusion is to measure security changes through operational impact as well as access reduction.
Standard IT ZTNA is the wrong abstraction for critical infrastructure. Cloud-routed access, upgrade downtime, and protocol incompatibility can all create more operational risk than they remove. This does not mean OT should avoid zero trust, only that the implementation model must be purpose-built for process control realities. The practitioner conclusion is to evaluate access architecture against OT-specific constraints before making any deployment decision.
What this signals
OT zero trust will be judged by operational continuity, not policy elegance. As IT and OT converge, security teams will need to prove that tighter access does not destabilise engineering workflows, recovery paths, or safety controls. That shifts the programme conversation from implementation speed to controlled change, exception discipline, and measurable resilience.
Identity governance is re-entering infrastructure conversations through the back door. Even where the article is focused on OT networks, the real control question is who and what is allowed to act on critical systems. That makes the boundary between machine access, administrative privilege, and operator workflow increasingly important for infrastructure leaders.
Legacy identity integration is the constraint that will shape the next phase of OT modernisation. Teams that cannot federate, mediate, or phase out old access paths will keep accumulating governance debt. The practical signal is that OT security programmes now need identity-aware architecture decisions as much as segmentation or monitoring investments.
For practitioners
- Map the OT protect surface Identify the assets, operator pathways, and privileged access routes that actually need protection before you write policy. Separate critical control systems from monitoring, engineering, and administrative access so segmentation decisions reflect operational reality, not just network topology.
- Build a cross-functional steering committee Include OT operations, engineering, security, and availability owners in the governance group so access changes are approved against safety and uptime constraints. Use the committee to settle exception handling, maintenance windows, and rollback expectations early.
- Prefer direct-routed access architectures Reject cloud-routed access paths where latency or protocol translation could affect control systems. Validate that any ZTNA or access mediation layer keeps operational traffic local and preserves deterministic behaviour across critical workflows.
- Phase policy enforcement and enablement together Run a dual roadmap that pairs new access restrictions with the telemetry, change control, and operator workflow updates needed to support them. Do not enforce tighter access until the organisation can observe, explain, and recover from the new control state.
- Measure OT outcomes, not just IT KPIs Track uptime, safety, recovery, and operational exception rates alongside access reduction. If access policy changes create new manual workarounds or destabilise critical operations, treat that as a control failure rather than a security win.
Key takeaways
- Air-gap assumptions no longer provide sufficient protection once OT connects to enterprise networks and remote access paths.
- The real challenge in OT zero trust is executing controls without breaking uptime, safety, or legacy identity dependencies.
- A phased roadmap, direct-routed access design, and OT-specific success metrics are the controls most likely to make the transition viable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | OT zero trust depends on managing access permissions around critical assets and operations. |
| NIST Zero Trust (SP 800-207) | The article is explicitly about zero trust architecture applied to OT environments. | |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to limiting privileged access across OT administrative pathways. |
| CIS Controls v8 | CIS-5 , Account Management | OT modernisation must account for legacy identities and administrative account governance. |
| ISO/IEC 27001:2022 | A.8.2 | OT access governance depends on protecting information and systems according to asset criticality. |
Apply zero trust principles with local routing, continuous verification, and explicit policy enforcement.
Key terms
- Protect Surface: The protect surface is the small set of assets, data, users, and transaction paths that must be secured first in a zero trust programme. In OT, it should reflect operational criticality, safety impact, and privileged control paths rather than the entire environment.
- Direct-Routed Architecture: Direct-routed architecture keeps operational traffic on the local network instead of sending it through cloud mediation. In OT, that matters because latency, protocol handling, and availability constraints can make standard routed access unsuitable for critical systems.
- Legacy Identity Integration: Legacy identity integration is the ability to connect old or proprietary access systems to modern governance without forcing an immediate replacement. In OT, it is often the difference between workable security and a migration plan that creates more exceptions than controls.
- Operational Resilience: Operational resilience is the ability to maintain critical services while changing or recovering from disruption. For OT security, it means access controls, segmentation, and verification must be judged against uptime, safety, and recovery, not just administrative convenience.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- A phased blueprint for moving from assessment to execution in OT zero trust programmes.
- A vendor evaluation framework for direct-routed ZTNA and legacy identity integration in critical environments.
- The operational criteria used to judge whether an OT access architecture can support 24/7 uptime.
- Practical planning guidance for translating zero trust principles into OT policy enforcement without disrupting production.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and machine identity security. It is designed for practitioners who need to govern access in complex environments where identity and operational risk intersect.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org