TL;DR: Australia’s SOCI Act 2018 and the ERP 2024 amendments push critical infrastructure operators toward stronger IAM, IGA, audit logging, and incident reporting controls across sectors including energy, finance, health, and transport, according to RSA Security. The practical issue is not compliance alone but whether identity governance can support real-time detection, least privilege, and lifecycle enforcement under national resilience requirements.
NHIMG editorial — based on content published by RSA Security: Zero Trust SOCI Act 2018 IAM Obligations for Critical Infrastructure
By the numbers:
- Mandatory incident reporting requires critical infrastructure operators to notify within 12 hours of incidents with a significant impact on availability, and within 72 hours when the impact is not immediately disruptive.
Questions worth separating out
Q: How should critical infrastructure teams align IAM with SOCI obligations?
A: They should map each regulated asset to explicit identity controls, then verify that authentication, authorisation, logging, and lifecycle management produce evidence for audits and incident reporting.
Q: Why do critical infrastructure operators need stronger identity governance under SOCI?
A: Because SOCI treats identity as part of operational resilience.
Q: What breaks when separation of duties is not enforced in regulated environments?
A: High-risk actions become easier to execute without challenge, and the organisation loses a major control against both misuse and insider risk.
Practitioner guidance
- Rebuild access evidence chains: tie each critical system to an owner, a role model, an authentication control, and a log source so incident reporting can be supported without manual reconstruction.
- Automate lifecycle changes for regulated identities: remove manual delay from onboarding, role changes, and offboarding for staff, contractors, and privileged accounts that touch SOCI-covered assets.
- Enforce separation of duties in high-risk workflows: block any access path where one identity can approve and execute the same sensitive action, especially where availability or incident response could be affected.
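The first and third points above turned into a repeatable check, as an added example that is not code from RSA Security or NHIMG; the system inventory, entitlements, field names and action names are constructed assumptions, not a real operator's model.

```python
from collections import defaultdict

# Constructed inventory of SOCI-covered systems (assumed fields): each needs an
# owner, a role model, an authentication control and a log source (the evidence chain).
SYSTEMS = {
    "scada-hmi": {"owner": "ops-lead", "roles": ["operator", "approver"],
                  "auth": "mfa", "log_source": "siem:scada"},
    "billing-db": {"owner": None, "roles": ["dba"], "auth": "password",
                   "log_source": None},
}

# Constructed entitlements: (identity, system, "verb:action"). One identity holding
# both approve and execute on the same action of one system is a SoD conflict.
ENTITLEMENTS = [
    ("alice", "scada-hmi", "approve:setpoint-change"),
    ("alice", "scada-hmi", "execute:setpoint-change"),
    ("bob", "scada-hmi", "execute:setpoint-change"),
    ("carol", "billing-db", "execute:schema-change"),
]

REQUIRED_FIELDS = ("owner", "roles", "auth", "log_source")
STRONG_AUTH = {"mfa", "passwordless"}  # assumed labels for acceptable controls

def evidence_gaps(systems):
    """Return {system: [gaps]} for systems whose evidence chain is incomplete
    or whose authentication control is not MFA/passwordless."""
    gaps = {}
    for name, attrs in systems.items():
        missing = [f for f in REQUIRED_FIELDS if not attrs.get(f)]
        if attrs.get("auth") not in STRONG_AUTH:
            missing.append("strong-auth")
        if missing:
            gaps[name] = missing
    return gaps

def sod_conflicts(entitlements):
    """Return sorted (identity, system, action) triples where one identity can
    both approve and execute the same sensitive action."""
    held = defaultdict(set)
    for identity, system, entitlement in entitlements:
        verb, _, action = entitlement.partition(":")
        held[(identity, system, action)].add(verb)
    return sorted(key for key, verbs in held.items() if {"approve", "execute"} <= verbs)

if __name__ == "__main__":
    print("evidence gaps:", evidence_gaps(SYSTEMS))
    print("SoD conflicts:", sod_conflicts(ENTITLEMENTS))
```

Run against a real export, the two result sets are the items to remediate before an audit or incident report has to be reconstructed by hand.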
What's in the full article
RSA Security's full article covers the operational detail this post intentionally leaves for the source:
- A sector-by-sector mapping of SOCI-covered industries and how the obligations apply to each regulated environment
- Specific control examples for RBAC, MFA, passwordless authentication, and real-time behavioural monitoring
- Detailed examples of identity lifecycle automation for onboarding, access changes, and offboarding
- How RSA positions its IAM and IGA capabilities against SOCI reporting and compliance obligations