They should govern effective access across both environments as one model, even if the systems stay separate operationally. That means correlating identities, roles, inherited permissions, and third-party paths so plant safety, operational reliability, and enterprise IAM decisions are not made in isolation. A single governance view is the starting point for control.
Why This Matters for Security Teams
Industrial firms often keep IT and OT separate for good operational reasons, but access governance cannot stay separate when identities, service accounts, API keys, vendor tunnels, and remote support paths can reach both sides. A single access decision can affect plant safety, uptime, and enterprise data loss at the same time. Current guidance suggests treating effective access as one governance problem, even when the control planes remain segmented.
This is especially important because non-human access is where the boundary usually blurs first. The Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means the access surface is larger than many IAM programs assume. NIST’s Cybersecurity Framework 2.0 reinforces that governance must span assets, risk, and access decisions rather than stop at departmental boundaries.
In practice, many security teams discover the real access picture only after a vendor session, shared credential, or legacy integration has already crossed from enterprise IT into OT.
How It Works in Practice
Effective IT and OT access governance starts with one inventory of who and what can act across both environments. That includes human users, service accounts, engineering workstations, remote support tools, jump hosts, certificates, and machine-to-machine paths. The goal is not to collapse the environments technically, but to create one authoritative view of effective privilege so security, operations, and plant leadership can review the same facts.
Practitioners usually need to correlate three layers:
- Identity: the person, account, device, or workload requesting access.
- Entitlement: the roles, group memberships, inherited permissions, and vault grants that shape access.
- Path: the actual route into OT, including VPNs, brokers, PAM sessions, remote desktop tools, APIs, and third-party connections.
That correlation is critical because role assignments alone do not show effective access. A user may have no direct OT role but still reach a controller through a shared admin workstation or a vendor-managed session. The OWASP Non-Human Identity Top 10 is useful here because it focuses attention on overprivileged secrets, weak rotation, and unmanaged service identities. NHIMG’s lifecycle guidance for managing NHIs is also relevant, especially where industrial environments depend on long-lived credentials tied to equipment, vendors, or integrations.
In practice, firms should establish joint reviews for IT and OT entitlements, map third-party access paths to named business owners, and require removal or rotation triggers when a contractor, system, or plant integration changes. This works best when evidence comes from directory data, PAM logs, vault records, and OT access logs together, not from a single IAM source of truth. These controls tend to break down in brownfield plants with unmanaged legacy systems because identity data is incomplete and access is often embedded in device configuration rather than centrally issued.
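The identity, entitlement and path correlation described above can be computed rather than assembled by hand. The following Python example is added here and is not code from the original page or from NHIMG; every identity, group, host and owner in it is a constructed, hypothetical sample, and the graph shapes (nested groups, a shared engineering workstation holding PLC credentials, a vendor tunnel landing on an OT jump host) are assumptions chosen to mirror the cases the text names. It expands inherited group membership, walks the access paths to find every OT asset an identity can actually reach, and flags identities that reach OT without any OT role, paths with no named owner, and third-party paths whose expiry has passed.

```python
from collections import deque
from datetime import date

# Constructed sample inventory; every name below is hypothetical.
OT_ASSETS = {"plc-line-3", "hmi-line-3"}
OT_ROLES = {"plant-engineers"}          # groups that legitimately confer OT access
REVIEW_DATE = date(2026, 6, 10)         # assumed date of the access review

# Identity -> groups it belongs to. Groups may nest, giving inherited rights.
MEMBER_OF = {
    "alice": ["it-admins"],                   # enterprise IT administrator
    "bob": ["plant-engineers"],               # holds a direct OT role
    "vendor-svc-01": ["vendor-remote"],       # non-human identity for a supplier tool
    "it-admins": ["eng-workstation-admins"],  # nested: IT admins inherit this group
}

# Entitlements: principal (user or group) -> hosts or brokers it may log on to.
GRANTS = {
    "eng-workstation-admins": ["eng-ws-07"],
    "plant-engineers": ["eng-ws-07", "jump-ot-01"],
    "vendor-remote": ["vendor-broker"],
}

# Paths: from a host or broker, what else becomes reachable (saved project
# credentials on a workstation, a jump-host hop, a vendor tunnel into OT).
PATHS = {
    "eng-ws-07": ["plc-line-3"],
    "jump-ot-01": ["plc-line-3", "hmi-line-3"],
    "vendor-broker": ["jump-ot-01"],
}

# Every hop into OT should map to a named owner; third-party hops also expire.
# eng-ws-07 is deliberately absent: its PLC access lives in device config.
PATH_OWNERS = {
    "jump-ot-01": {"owner": "ot-security", "expires": None},
    "vendor-broker": {"owner": "maint-lead", "expires": date(2026, 3, 31)},
}


def expand_groups(principal):
    """Return the principal plus every group it belongs to, transitively."""
    seen, todo = set(), [principal]
    while todo:
        p = todo.pop()
        if p in seen:
            continue
        seen.add(p)
        todo.extend(MEMBER_OF.get(p, []))
    return seen


def effective_routes(identity):
    """Map each OT asset the identity can reach to the shortest hop list.

    Breadth-first search from every host the identity (or its groups) may
    log on to, following PATHS; the first arrival at an asset is shortest.
    """
    start = [h for p in expand_groups(identity) for h in GRANTS.get(p, [])]
    queue = deque((h, [h]) for h in start)
    routes, visited = {}, set()
    while queue:
        node, route = queue.popleft()
        if node in visited:
            continue
        visited.add(node)
        if node in OT_ASSETS:
            routes[node] = route
            continue
        for nxt in PATHS.get(node, []):
            queue.append((nxt, route + [nxt]))
    return routes


def review_identity(identity, today=REVIEW_DATE):
    """Findings for one identity: indirect OT reach, unowned or expired paths."""
    findings = []
    routes = effective_routes(identity)
    has_ot_role = bool(expand_groups(identity) & OT_ROLES)
    for asset, route in routes.items():
        if not has_ot_role:
            findings.append(
                f"{identity} reaches {asset} without an OT role via "
                + " -> ".join(route)
            )
    # Every intermediate hop (not the asset itself) must be owned and current.
    for hop in sorted({h for r in routes.values() for h in r[:-1]}):
        meta = PATH_OWNERS.get(hop)
        if meta is None:
            findings.append(f"path {hop} used by {identity} has no named owner")
        elif meta["expires"] is not None and meta["expires"] < today:
            findings.append(f"path {hop} used by {identity} expired {meta['expires']}")
    return findings


def review_all(today=REVIEW_DATE):
    """Run the review for every human and non-human identity in the inventory."""
    identities = [p for p in MEMBER_OF if p not in GRANTS and p not in MEMBER_OF.get(p, [])]
    return {i: review_identity(i, today) for i in identities if i not in {"it-admins"}}


if __name__ == "__main__":
    for identity, findings in review_all().items():
        print(identity, findings or ["no findings"])
```

Running it shows why role assignments alone mislead: alice holds no OT role, yet inherits a workstation grant through a nested group and reaches the line-3 PLC through the shared engineering workstation, which itself has no named owner; the vendor service account reaches both OT assets through a broker whose approved window lapsed before the review date. In a real plant the three dictionaries would be populated from directory data, PAM and vault records, and OT access logs, as the text recommends, rather than typed in.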
Common Variations and Edge Cases
Tighter cross-domain governance often increases operational overhead, requiring firms to balance safer access reviews against the realities of 24x7 production and maintenance windows. That tradeoff is most visible when legacy OT devices cannot support modern identity controls or when a vendor insists on standing remote access for support continuity.
There is no universal standard for this yet, but best practice is evolving toward segmented enforcement with unified oversight. In some plants, the right answer is not shared authentication between IT and OT, but shared policy review, shared ownership, and shared reporting on effective privileges. In others, zero-trust style access can be applied to IT-facing brokers while OT remains constrained through jump servers and session recording.
Edge cases include safety systems, highly regulated production lines, and emergency response accounts. Those cases may need exception handling, but exceptions should still be time-bounded, approved, and auditable. NHIMG’s regulatory and audit perspective is useful for demonstrating why evidence, ownership, and revocation discipline matter as much as technical separation. The real test is whether a firm can explain, at any moment, who can reach which system, through which path, for what purpose, and for how long. For many industrial environments, that answer remains fragmented until an audit, outage, or supplier incident forces the full picture.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Industrial access often hinges on non-human identities and secrets that are never removed when a vendor, system, or integration changes. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations must be defined, managed, enforced, and reviewed consistently across domains. |
| NIST Zero Trust Architecture (SP 800-207) | PDP/PEP | Unified policy decision and enforcement points help control remote and third-party industrial access. |
Inventory all service accounts, API keys, and machine identities that can reach IT or OT.
Related resources from NHI Mgmt Group
- How should teams govern AI systems that can combine data across business apps?
- How should security teams govern non-human identities that have persistent access?
- How should security teams govern API keys used for generative AI access?
- How should security teams govern access when sensitive data is spread across multiple systems?
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org