TL;DR: The NERC 2025 ERO Reliability Risk Priorities Report says cyber and physical security complexity is now one of the most urgent threats to the North American bulk power system as interconnected digital systems, AI-driven loads, and siloed controls expand the attack surface, according to AlertEnterprise. Unified identity, access, and resilience controls are becoming a reliability requirement, not just a security preference.
NHIMG editorial — based on content published by AlertEnterprise: NERC 2025 ERO Reliability Risk Priorities Report analysis
By the numbers:
- The same survey found that only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, making organisations failing to scope AI access properly 4.5x more likely to experience a security incident.
Questions worth separating out
Q: What breaks when cyber and physical access are governed separately in critical infrastructure?
A: Separate governance usually breaks at the handoff points.
Q: Why do AI-driven loads increase access governance risk for utilities?
A: AI-driven loads increase risk because they introduce more dynamic integrations, more credentialed automation, and more decision paths that depend on delegated access.
Q: How can utilities know whether converged identity governance is actually working?
A: Teams should measure whether one access record covers workforce, contractor, physical, and operational entitlements without manual reconciliation.
Practitioner guidance
- Unify identity inventories across cyber and physical systems Create a single inventory for workforce, contractor, mobile credential, and operational identities so access reviews can identify duplicated, orphaned, or conflicting entitlements across domains.
- Map NERC CIP evidence to one access governance workflow Tie authentication, approval, review, and exception evidence into a common workflow so audit readiness does not depend on reconciling separate cyber and physical records.
- Review AI-connected and automated access paths as privileged identities Treat AI-enabled integrations, automated loaders, and system-to-system credentials as governed identities with scoped permissions, monitoring, and lifecycle ownership.
What's in the full article
AlertEnterprise's full article covers the operational detail this post intentionally leaves for the source:
- How the report frames converged identity governance for cyber, physical, and operational identities in utility environments.
- The specific NERC CIP readiness themes behind automated identity, access, and risk validation.
- The vendor's view of mobile credentials and digital identity as a replacement for legacy cards in workforce and contractor access.
- Why AI-powered threat intelligence is positioned as part of anomaly detection and credential misuse prevention.
👉 Read AlertEnterprise's analysis of NERC 2025 reliability risk priorities →
Cyber and physical security convergence: what utility teams need to do?
Explore further
Cyber and physical security convergence is now an identity governance problem, not only a resilience problem. The article’s core finding is that utilities can no longer rely on separate cyber and physical control models when digital systems, contractor access, and operational workflows are intertwined. That means the governance question shifts from whether a control exists to whether it spans every identity that can affect reliability. Practitioners should treat convergence as an access governance redesign, not a reporting exercise.
A question worth separating out:
Q: Who is accountable when a missing access review affects grid reliability?
A: Accountability usually sits with the organisation’s control owners, not the technology stack. For critical infrastructure, that means IAM, physical security, OT operations, and compliance teams must share clear ownership for review, approval, and revocation outcomes. If no one owns the full path, the gap becomes a recurring reliability risk.
👉 Read our full editorial: Cyber and physical security convergence is now a grid reliability issue