TL;DR: Industrial IT/OT convergence is creating a single identity problem across air-gapped environments, siloed data structures, and toxic role combinations that can leave critical systems overexposed, according to Gathid. Identity governance now has to reconcile operational safety, compliance, and access visibility across both physical and digital systems.
NHIMG editorial — based on content published by Gathid: A Gathid Labs Series, Episode 1 on IT/OT convergence and identity governance
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should industrial firms govern access across IT and OT systems?
A: They should govern effective access across both environments as one model, even if the systems stay separate operationally.
Q: Why do toxic role combinations matter in converged environments?
A: They matter because access that is safe in one domain can become dangerous when combined with another domain’s privileges.
Q: How can teams tell whether identity visibility is actually working?
A: They can tell by checking whether they can explain effective access end to end, including inherited rights, service accounts, and cross-system dependencies.
Practitioner guidance
- Map effective access across OT and IT: build a single view of effective access that correlates roles, permissions, and inherited privileges across operational and enterprise systems.
- Identify toxic role combinations before recertification: run entitlement analysis for cross-domain combinations that become dangerous only when OT and IT access are combined.
- Include non-human identities in industrial governance: inventory service accounts, API credentials, and system integrations alongside human users so governance does not stop at the employee directory.
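The three guidance points above can be exercised on a small model. The following is an added example written for this post, not code from Gathid or from the article: it resolves effective access through role inheritance for both human and service identities, then flags toxic pairs that span the IT and OT domains. All role, identity, and entitlement names are constructed for illustration.

```python
# Constructed sample data, not taken from the article or from Gathid's product.
# Role inheritance: a role inherits every entitlement of its parent roles.
ROLE_PARENTS = {
    "plant_engineer": ["ot_viewer"],
    "erp_buyer": ["erp_user"],
    "integration_svc": ["ot_viewer", "erp_user"],
}
# Direct grants per role, each tagged with the domain (OT or IT) it lives in.
ROLE_GRANTS = {
    "ot_viewer": {("OT", "historian_read")},
    "plant_engineer": {("OT", "plc_write")},
    "erp_user": {("IT", "erp_login")},
    "erp_buyer": {("IT", "po_approve")},
    "integration_svc": {("IT", "erp_api_write"), ("OT", "plc_write")},
}
# Humans and non-human identities (service accounts) sit in the same model.
IDENTITIES = {
    "alice": {"kind": "human", "roles": ["plant_engineer", "erp_buyer"]},
    "bob": {"kind": "human", "roles": ["ot_viewer"]},
    "svc-mes-sync": {"kind": "service", "roles": ["integration_svc"]},
}
# Cross-domain pairs that are acceptable alone but toxic when held together.
TOXIC_PAIRS = [
    ({("OT", "plc_write"), ("IT", "po_approve")}, "change process logic and approve own spend"),
    ({("OT", "plc_write"), ("IT", "erp_api_write")}, "alter plant state and the system of record"),
]

def effective_access(identity):
    """Union of direct and inherited entitlements, walking role inheritance."""
    ents, seen = set(), set()
    stack = list(IDENTITIES[identity]["roles"])
    while stack:
        role = stack.pop()
        if role in seen:  # guards against inheritance cycles
            continue
        seen.add(role)
        ents |= ROLE_GRANTS.get(role, set())
        stack.extend(ROLE_PARENTS.get(role, []))
    return ents

def toxic_findings():
    """Flag every identity whose effective access covers a toxic IT/OT pair."""
    findings = []
    for ident, info in IDENTITIES.items():
        access = effective_access(ident)
        for pair, why in TOXIC_PAIRS:
            if pair <= access:
                findings.append((ident, info["kind"], why))
    return findings
```

Note that the service account is flagged through inherited roles alone, which is exactly the case a directory-only review misses.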
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- A fuller explanation of how digital twins can model access relationships across plant and enterprise systems
- More detail on knowledge graphs as a way to link roles, permissions, and system dependencies
- The article’s own framing of why converged identity governance is becoming harder in industrial settings
- Background on the series structure and the next topics Gathid plans to cover
Read Gathid's analysis of IT/OT convergence and identity governance: "IT/OT convergence and identity governance: where are the gaps?"