Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

IoT device sprawl and access control gaps: what teams should fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: IoT expansion is widening the attack surface, with connected devices increasingly targeted through remote-execution flaws, ransomware, supply chain compromise, and shadow deployments, according to GlobalSign and Statista. The governance problem is no longer device count alone, but whether authentication, lifecycle control, and network trust boundaries can keep pace with unmanaged connected assets.

NHIMG editorial — based on content published by GlobalSign: Internet of Things security, AI, blockchain, and lifecycle controls

Questions worth separating out

Q: How should security teams govern IoT device access in large environments?

A: Security teams should govern IoT access with the same discipline used for other non-human identities: assign unique device identities, segment networks, log ownership, and require explicit approval before devices join production.

Q: Why do shadow IoT devices create more risk than known managed devices?

A: Shadow IoT creates more risk because unmanaged devices sit outside inventory, patching, and revocation processes.

Q: What breaks when IoT devices are not segmented from core systems?

A: When IoT devices are not segmented, compromise of one weak endpoint can become a bridge into business systems, identity services, or sensitive data stores.

Practitioner guidance

  • Inventory all connected devices continuously Build a single authoritative register for IoT assets, including owner, purpose, firmware state, network location, and retirement date.
  • Treat device authentication as a policy control Require unique device identities, enforce certificate-based authentication where possible, and remove shared credentials from embedded systems and administrative workflows.
  • Segment IoT traffic from core systems Place IoT devices into tightly scoped network zones with explicit allowlists, so compromise of one device does not automatically create lateral movement into business systems.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of IoT device hardening measures and how they map to connected-device risk.
  • More detail on generative AI and blockchain use cases for anomaly detection and tamper-evident trust.
  • The article's discussion of DSPM and zero trust as part of broader IoT security design.
  • Additional context on lifecycle management, employee awareness, and device replacement practices.

👉 Read GlobalSign's analysis of IoT security risks and device identity controls →

IoT device sprawl and access control gaps: what teams should fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

IoT security is a machine identity problem as much as a device security problem. The article focuses on exposed devices, but the governance issue is that each device is effectively a non-human identity that authenticates, transacts, and persists. That places IoT squarely alongside workload identity, secrets management, and lifecycle control. Teams that only think in terms of endpoint patching miss the access governance layer entirely.

A question worth separating out:

Q: Who is accountable when IoT device data is accessed improperly?

A: Accountability should rest with the team that owns the device lifecycle and the permissions behind it, not with the hardware alone. If access is broad, unreviewed, or poorly monitored, the problem is governance as much as technology. Frameworks such as NIST Cybersecurity Framework support that accountability by tying asset management, access control, and recovery together.

👉 Read our full editorial: IoT security gaps are widening as devices outpace controls



   
ReplyQuote
Share: