Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SOCI compliance: what critical infrastructure teams need to change


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 235
Topic starter  

TL;DR: Australia’s SOCI Act now extends across 11 sectors and requires asset registration, risk management programs, incident notification, and resilience measures, according to Commvault. For IAM teams, the practical shift is that identity, access, supplier, and recovery controls now sit inside enforceable critical-infrastructure governance, not side programmes.

NHIMG editorial — based on content published by Commvault: an analysis of Australia’s SOCI Act and critical infrastructure resilience

By the numbers:

Questions worth separating out

Q: How should organisations prepare identity governance for SOCI compliance?

A: Start by linking asset registers to the identities that can access or change those assets, including vendors and service accounts.

Q: Why do critical infrastructure regulations force stronger access governance?

A: Because regulations such as SOCI make resilience, reporting, and accountability auditable obligations rather than informal expectations.

Q: What breaks when OT access is managed like standard enterprise access?

A: Operational systems often depend on availability, legacy protocols, and vendor support paths that do not fit normal enterprise assumptions.

Practitioner guidance

  • Build a SOCI-aligned asset and identity register Link regulated assets to the humans, service accounts, vendors, and admin paths that can influence them.
  • Map third-party access to regulated services Identify every provider that stores, processes, or can reach business-critical data and verify that offboarding, notification, and review obligations are explicit in governance records.
  • Reduce standing privilege in OT-adjacent paths Review shared accounts, persistent admin access, and remote support channels that can reach operational systems.

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • A sector-by-sector explanation of how SOCI obligations differ between legacy operators and newer entrants.
  • Examples of how OT environments complicate segmentation, patching, and least-privilege access.
  • The specific reporting timelines, incident duties, and governance obligations described in the Act.
  • The article’s framing of resilience as a recovery capability rather than only a prevention model.

👉 Read Commvault’s analysis of SOCI obligations for critical infrastructure teams →

SOCI compliance: what critical infrastructure teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

SOCI shows that critical-infrastructure identity governance is now a compliance control, not just a security control. The article makes clear that asset registration, incident reporting, and risk management are now enforceable obligations rather than voluntary maturity markers. That matters because identity evidence, access ownership, and supplier accountability are part of proving resilience. Practitioners should treat access governance as a regulated control surface, not a back-office administration task.

A few things that frame the scale:

  • From our research: 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who is accountable for incident notification under critical infrastructure law?

A: The regulated asset owner or responsible entity remains accountable even when third parties store data, support systems, or deliver managed services. That means provider contracts, access records, and escalation paths must be clear before an incident occurs. Accountability cannot be delegated away if the service is in scope.

👉 Read our full editorial: SOCI turns critical infrastructure resilience into enforceable identity governance



   
ReplyQuote
Share: