IT/OT convergence and identity governance: where are the gaps?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9063
Topic starter  

TL;DR: Industrial IT/OT convergence is creating a single identity problem across air-gapped environments, siloed data structures, and toxic role combinations that can leave critical systems overexposed, according to Gathid. Identity governance now has to reconcile operational safety, compliance, and access visibility across both physical and digital systems.

NHIMG editorial — based on content published by Gathid: A Gathid Labs Series, Episode 1 on IT/OT convergence and identity governance

Questions worth separating out

Q: How should industrial firms govern access across IT and OT systems?

A: They should govern effective access across both environments as one model, even if the systems stay separate operationally.

Q: Why do toxic role combinations matter in converged environments?

A: They matter because access that is safe in one domain can become dangerous when combined with another domain’s privileges.

Q: How can teams tell whether identity visibility is actually working?

A: They can tell by checking whether they can explain effective access end to end, including inherited rights, service accounts, and cross-system dependencies.

Practitioner guidance

  • Map effective access across OT and IT: Build a single view of effective access that correlates roles, permissions, and inherited privileges across operational and enterprise systems.
  • Identify toxic role combinations before recertification: Run entitlement analysis for cross-domain combinations that become dangerous only when OT and IT access are combined.
  • Include non-human identities in industrial governance: Inventory service accounts, API credentials, and system integrations alongside human users so governance does not stop at the employee directory.

What's in the full article

Gathid's full article covers the operational detail this post intentionally leaves for the source:

  • A fuller explanation of how digital twins can model access relationships across plant and enterprise systems
  • More detail on knowledge graphs as a way to link roles, permissions, and system dependencies
  • The article’s own framing of why converged identity governance is becoming harder in industrial settings
  • Background on the series structure and the next topics Gathid plans to cover

👉 Read Gathid's analysis of IT/OT convergence and identity governance →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8499
 

IT/OT convergence creates a governance problem before it creates a tooling problem. Industrial firms often assume that separate teams and separate systems can be reconciled later through reporting. That assumption fails because access relationships are already being formed across both environments, while governance remains split by operating model. The implication is that identity governance for converged industry must be designed around shared visibility, not after-the-fact reconciliation.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • That same research shows only 5.7% of organisations have full visibility into their service accounts, which explains why cross-domain access problems persist.

A question worth separating out:

Q: What is the difference between role review and effective access review in industrial IAM?

A: Role review checks what roles a user or system has been assigned. Effective access review checks what that identity can actually do once inheritance, nesting, integrations, and cross-domain permissions are taken into account. In converged OT and IT environments, effective access is the control that exposes real risk.

👉 Read our full editorial: IT/OT convergence exposes identity governance gaps in industrial firms



   
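The role review versus effective access review distinction in the reply above, combined with the toxic-combination and non-human identity guidance in the first post, as an added example that is not part of either post or of any Gathid or NHIMG tooling. All identities, groups, entitlements and rule names are constructed for illustration.

```python
# Added example: every identity, group, entitlement and rule is constructed.
ASSIGNED = {  # direct assignments: what a role review sees
    "alice": {"it-helpdesk"},
    "bob": {"plant-operators"},
    "svc-historian": {"ot-data-readers", "it-etl"},  # non-human identity
}
NESTED_IN = {  # group -> parent groups whose grants it inherits
    "it-helpdesk": {"it-remote-support"},
    "it-remote-support": {"ot-jump-host-users"},  # cross-domain nesting
    "it-etl": {"it-db-writers"},
    "plant-operators": {"ot-hmi-users"},
}
GRANTS = {  # group -> (domain, entitlement) pairs granted at that group
    "it-helpdesk": {("IT", "reset_password")},
    "ot-jump-host-users": {("OT", "engineering_workstation_logon")},
    "ot-data-readers": {("OT", "read_historian")},
    "it-db-writers": {("IT", "write_enterprise_db")},
    "ot-hmi-users": {("OT", "operate_hmi")},
}
TOXIC = {  # rule name -> entitlements that are dangerous only in combination
    "it-reset+ot-logon": {("IT", "reset_password"),
                          ("OT", "engineering_workstation_logon")},
    "ot-read+it-write": {("OT", "read_historian"),
                         ("IT", "write_enterprise_db")},
}

def grants_of(groups):
    return {e for g in groups for e in GRANTS.get(g, ())}

def assigned_access(identity):
    """Role-review view: grants of directly assigned groups only."""
    return grants_of(ASSIGNED.get(identity, ()))

def effective_access(identity):
    """Effective view: follow nesting transitively (cycle-safe)."""
    seen, stack = set(), list(ASSIGNED.get(identity, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(NESTED_IN.get(group, ()))
    return grants_of(seen)

def toxic_findings(identity, access_fn=effective_access):
    access = access_fn(identity)
    return sorted(rule for rule, combo in TOXIC.items() if combo <= access)

if __name__ == "__main__":
    for who in sorted(ASSIGNED):
        print(who, toxic_findings(who, assigned_access), toxic_findings(who))
```

On this constructed data the role-review view reports no findings for any identity, while the effective view flags both the human helpdesk user and the service account.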