
How should organisations govern identity in OT environments without disrupting operations?

By NHI Mgmt Group Editorial Team · Updated June 11, 2026 · Domain: Governance, Ownership & Risk

They should separate visibility from control. Build an authoritative model of local accounts, roles and sites first, then reconcile that model against corporate lifecycle records. Where live integration is unsafe, use snapshots, offline analysis and site-level ownership to prove who has access and why before changing production systems.

Why This Matters for Security Teams

OT identity governance is not a paperwork exercise. In plants, utilities and manufacturing sites, access often sits across local operator accounts, engineering workstations, vendor remote access and shared service identities that cannot be changed casually without risking uptime. That is why current guidance from the NIST Cybersecurity Framework 2.0 emphasises risk-based governance rather than blanket technical change. The operating challenge is to know who has access, at which site, for what purpose, and whether that access still matches the real-world job or maintenance need.

NHI Management Group’s Ultimate Guide to NHIs shows why this is urgent: only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges. In OT, that kind of exposure is harder to remediate because change windows are narrow and the tolerance for disruption is near zero. In practice, many security teams discover overprivileged access only after a maintenance event, vendor audit, or incident has already exposed the gap rather than through intentional identity governance.

How It Works in Practice

The safest pattern is to separate visibility from control. Start by building an authoritative model of local accounts, shared operator roles, engineering access, site-specific exceptions and vendor pathways, then reconcile that model against corporate lifecycle records. For OT, the first objective is not immediate removal; it is accurate attribution. If a local HMI account exists because of a commissioning workflow, that context must be captured before any enforcement action is considered.

Where live integration is unsafe, use offline methods. Snapshot account inventories from controllers, historians, jump hosts and Windows domains; compare them to HR, IAM and ticketing records; and assign site ownership so plant teams can validate business necessity. This is consistent with the Lifecycle Processes for Managing NHIs guidance, which treats identity as a lifecycle problem rather than a one-time inventory task.

  • Use read-only discovery first, especially where PLCs, safety systems or vendor-managed devices are sensitive to change.
  • Tag accounts by site, function, owner and expiry so that review decisions are operationally meaningful.
  • Prefer compensating controls such as segmented access, jump servers and approvals before touching production credentials.
  • Align remediation with maintenance windows and rollback plans, not security-team cadence alone.
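The offline reconciliation described above can be done with very little tooling. The script below is an added example, not code from NHI Mgmt Group or from the page: it takes a read-only account snapshot (as exported from an HMI, an engineering workstation, a jump host and a PLC), reconciles it against constructed HR, IAM and ticketing records, tags each account with site, function, owner and expiry, and produces a per-site review queue for plant teams to validate. All site, host, account and person names are hypothetical sample data; the script connects to nothing and changes nothing.

```python
"""Offline reconciliation of OT account snapshots against lifecycle records.

Read-only analysis: it builds a review list tagged by site, function, owner
and expiry for plant teams to validate. Nothing here connects to or changes a
production system. All records below are constructed sample data; the site,
host, account and person names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    site: str
    host: str
    account: str
    function: str
    owner: Optional[str]
    expiry: Optional[date]
    status: str  # attributed | orphaned | leaver | expired
    note: str = ""


# Constructed snapshot: accounts exported read-only from an HMI, an engineering
# workstation, a jump host and a PLC, as an OT inventory exercise would do.
SNAPSHOT = [
    {"site": "PLANT-A", "host": "HMI-01", "account": "operator", "source": "local"},
    {"site": "PLANT-A", "host": "ENG-WS-03", "account": "svc_historian", "source": "domain"},
    {"site": "PLANT-B", "host": "JUMP-01", "account": "vendor_acme", "source": "domain"},
    {"site": "PLANT-B", "host": "PLC-07", "account": "admin", "source": "local"},
]

# Constructed lifecycle records: HR status, IAM ownership, commissioning tickets.
HR_STATUS = {"j.doe": "active", "a.smith": "active", "r.lee": "terminated"}
IAM_RECORDS = {
    "svc_historian": {"owner": "a.smith", "function": "historian collector", "expires": None},
    "vendor_acme": {"owner": "r.lee", "function": "vendor remote support",
                    "expires": date(2026, 9, 30)},
}
TICKETS = [
    {"site": "PLANT-A", "account": "operator", "requested_by": "j.doe",
     "purpose": "commissioning workflow", "expires": date(2025, 12, 31)},
]
TODAY = date(2026, 6, 11)  # constructed reference date for the example run


def reconcile(snapshot, hr, iam, tickets, today: date) -> List[Finding]:
    """Attribute every snapshot account to an owner, function and expiry.

    Attribution order: IAM record first, then a site-level ticket. An account
    is only 'attributed' when it has a live owner and an unexpired
    justification; everything else lands in the site review queue.
    """
    ticket_index = {(t["site"], t["account"]): t for t in tickets}
    findings = []
    for acct in snapshot:
        owner, function, expiry, note = None, "unknown", None, ""
        iam_entry = iam.get(acct["account"])
        ticket = ticket_index.get((acct["site"], acct["account"]))
        if iam_entry:
            owner, function, expiry = iam_entry["owner"], iam_entry["function"], iam_entry["expires"]
        elif ticket:
            owner, function, expiry = ticket["requested_by"], ticket["purpose"], ticket["expires"]

        if owner is None:
            status, note = "orphaned", "no IAM record or ticket; needs a site owner"
        elif owner not in hr:
            status, note = "orphaned", f"owner {owner} not found in HR"
        elif hr[owner] != "active":
            status, note = "leaver", f"owner {owner} is {hr[owner]}"
        elif expiry is not None and expiry < today:
            status, note = "expired", f"justification expired {expiry.isoformat()}"
        else:
            status = "attributed"
        findings.append(Finding(acct["site"], acct["host"], acct["account"],
                                function, owner, expiry, status, note))
    return findings


def review_queue(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group everything not cleanly attributed by site, so each plant team
    validates only its own accounts before any change is scheduled."""
    queue: Dict[str, List[Finding]] = {}
    for f in findings:
        if f.status != "attributed":
            queue.setdefault(f.site, []).append(f)
    return queue


def run_example() -> Dict[str, str]:
    """Run the reconciliation over the constructed data; returns account -> status."""
    return {f.account: f.status
            for f in reconcile(SNAPSHOT, HR_STATUS, IAM_RECORDS, TICKETS, TODAY)}


if __name__ == "__main__":
    results = reconcile(SNAPSHOT, HR_STATUS, IAM_RECORDS, TICKETS, TODAY)
    for site, items in review_queue(results).items():
        print(f"== {site}: {len(items)} account(s) for site-owner validation")
        for f in items:
            print(f"  {f.host}/{f.account} [{f.function}] owner={f.owner} "
                  f"expiry={f.expiry} -> {f.status}: {f.note}")
```

The design choice worth noting is that "attributed" is the only status that needs no human action; an orphaned local PLC account, a vendor account whose owner has left, and a shared HMI account whose commissioning ticket has lapsed all land in the review queue with the site that owns them, so the decision to keep, re-justify or schedule removal is made by the plant team against a maintenance window rather than by the security team on its own cadence.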

For governance structure, map the identity model to a control framework such as NIST Cybersecurity Framework 2.0 so access review, asset inventory and recovery responsibilities are visible to OT, IT and audit. These controls tend to break down when legacy systems depend on shared accounts with no owner because there is no safe way to enforce unique identity without interrupting production.

Common Variations and Edge Cases

Tighter identity control often increases operational overhead, requiring organisations to balance security assurance against uptime, vendor support and plant maintenance constraints. That tradeoff is real in OT, and best practice is evolving rather than universal. For example, some sites can enforce unique operator identities and time-bound access, while others must rely on shared accounts plus compensating controls until equipment reaches a replacement cycle.

Edge cases usually appear around third-party maintenance, emergency response, and safety-related systems. Vendor access may need to remain available for incident restoration, but it should still be brokered through site-owned approvals, monitored sessions and clear expiry rules. NHI Management Group research highlights the scale of the problem: 92% of organisations expose NHIs to third parties, which makes OT vendor pathways a high-value control point. Where the environment cannot support automation, current guidance suggests documenting exception handling explicitly, then reviewing it site by site rather than applying a uniform enterprise policy.

That same caution applies to credentials embedded in engineering tools or scripts. The objective is not to force immediate rotation everywhere, but to reduce unknowns and move toward accountable ownership. In many OT estates, identity governance succeeds only when the security team accepts that visibility, segmentation and staged remediation are the operational controls that make safer enforcement possible later.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | OT local and service accounts need authoritative ownership and lifecycle tracking. |
| NIST CSF 2.0 | ID.AM-1 | OT identity governance depends on accurate inventory of users, accounts and assets. |
| NIST AI RMF | | Risk governance and accountability translate well to OT identity decisions. |

Inventory each NHI, assign an owner, and reconcile it before changing any production credential.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.