Manual reviews are usually stale by the time they finish, and OT environments change in ways that spreadsheets and periodic sign-off cannot capture. That means toxic combinations, ownerless service accounts, and inherited permissions can remain active long after they should have been challenged. Reviews need continuous evidence, not a one-time certification snapshot.
Why This Matters for Security Teams
Manual access reviews break down quickly in OT because the environment is not static. PLCs, historians, engineering workstations, vendor jump hosts, and service accounts often change on different cadences, while spreadsheets and quarterly attestations assume a stable asset and identity picture. That gap creates a false sense of control: permissions appear approved even after the underlying process, owner, or trust relationship has changed.
This is especially dangerous for non-human identities, where privilege is often inherited, shared, or embedded in tooling rather than assigned to a named person. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which helps explain why manual review cycles so often miss toxic combinations and stale access. OWASP also flags non-human identity governance as a distinct control problem in the OWASP Non-Human Identity Top 10.
In practice, many security teams discover the review failed only after a maintenance account, vendor credential, or shared service identity has already been used outside its intended scope.
How It Works in Practice
Manual reviews usually collapse into a snapshot exercise: extract accounts, ask an owner to certify them, then file the result until the next cycle. That approach is already weak in IT, but it is weaker still in OT because access is often function-based, time-bound, and tied to plant events rather than ticketing workflows. A technician may need elevated access for commissioning, a vendor may require remote support for a short window, and an automation service may depend on credentials that rotate outside human visibility.
Effective review design shifts from periodic approval to continuous evidence. That means collecting current signals from identity systems, PAM, asset inventories, CMDBs, OT monitoring, and secrets inventory, then validating whether each identity still maps to an active operational need. It also means separating human ownership from machine use: the reviewer should confirm who is accountable for the identity, what system it serves, what privilege it holds, and whether the credential is still active, rotated, and scoped correctly.
- Link each OT identity to a system, function, and accountable owner.
- Review active permissions against current device state, not last quarter’s spreadsheet.
- Flag shared, inherited, and vendor-issued credentials for tighter scrutiny.
- Cross-check standing privilege against expected maintenance windows and runtime logs.
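As an added illustration (this is example code written for this page, not an NHIMG tool or any product's review engine), the following Python script runs the four checks above over a constructed evidence snapshot: an inventory of OT identities, a handful of constructed authentication events, and one maintenance window. It links each identity to a system and owner, flags shared, vendor-issued and inherited credentials, cross-checks privileged logins against the maintenance window, and refuses to certify anything when the snapshot itself is older than a freshness threshold. The identity names, hosts, timestamps, the 7-day evidence age and 90-day rotation thresholds, and the finding labels are all assumptions chosen for illustration.

```python
"""Continuous-evidence access review for OT identities (added example, not page code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    name: str
    kind: str                      # "human", "service" or "vendor"
    system: str                    # OT asset the identity serves
    owner: Optional[str]           # accountable person; None means ownerless
    privilege: str                 # "operator" (read) or "engineer" (write/config)
    shared: bool = False           # credential known to be used by several parties
    inherited_from: Optional[str] = None   # group/role the privilege comes from
    last_rotated: Optional[datetime] = None


@dataclass
class Evidence:
    collected_at: datetime         # when identity/PAM/secrets snapshot was taken
    identities: List[Identity]
    auth_events: List[Tuple[str, datetime, str]]        # (identity, time, host)
    maintenance_windows: List[Tuple[datetime, datetime]]


def in_window(ts: datetime, windows: List[Tuple[datetime, datetime]]) -> bool:
    return any(start <= ts <= end for start, end in windows)


def review_identity(ident: Identity, ev: Evidence, now: datetime,
                    max_evidence_age: timedelta = timedelta(days=7),
                    max_cred_age: timedelta = timedelta(days=90)) -> List[str]:
    """Return review findings; an empty list means the identity can be certified."""
    # Evidence freshness gate: a stale snapshot means the reviewer would certify fiction.
    if now - ev.collected_at > max_evidence_age:
        return [f"STALE_EVIDENCE: snapshot older than {max_evidence_age.days} days; do not certify"]
    findings: List[str] = []
    if ident.owner is None:
        findings.append("OWNERLESS: no accountable owner recorded")
    if ident.shared:
        findings.append("SHARED: credential used by more than one party")
    if ident.kind == "vendor":
        findings.append("VENDOR_ISSUED: external credential; confirm support window")
    if ident.inherited_from:
        findings.append(f"INHERITED: privilege comes from group {ident.inherited_from}")
    if ident.last_rotated is None or now - ident.last_rotated > max_cred_age:
        findings.append(f"ROTATION_OVERDUE: no rotation within {max_cred_age.days} days")
    # Runtime evidence: compare actual use with the expected maintenance windows.
    events = [(ts, host) for name, ts, host in ev.auth_events if name == ident.name]
    if not events:
        findings.append("NO_RUNTIME_USE: no auth events in period; remove or downgrade")
    elif ident.privilege == "engineer":
        outside = [ts for ts, _ in events if not in_window(ts, ev.maintenance_windows)]
        if outside:
            findings.append(f"OUT_OF_WINDOW: {len(outside)} privileged login(s) outside maintenance windows")
    return findings


def run_review(ev: Evidence, now: datetime) -> Dict[str, List[str]]:
    return {ident.name: review_identity(ident, ev, now) for ident in ev.identities}


def decision(findings: List[str]) -> str:
    if not findings:
        return "certify"
    if findings[0].startswith("STALE_EVIDENCE"):
        return "cannot_certify"
    return "recertify_with_action"


# Constructed sample snapshot (hypothetical identities, hosts and times).
NOW = datetime(2025, 3, 10, 8, 0)
SAMPLE = Evidence(
    collected_at=NOW - timedelta(days=1),
    identities=[
        Identity("hist-collector-svc", "service", "historian-01", "plant-it-lead",
                 "operator", last_rotated=NOW - timedelta(days=30)),
        Identity("vendor-remote-support", "vendor", "plc-line-3", None,
                 "engineer", shared=True, last_rotated=None),
        Identity("hmi-integration-svc", "service", "hmi-line-3", "automation-eng",
                 "engineer", inherited_from="OT-Engineers",
                 last_rotated=NOW - timedelta(days=200)),
    ],
    auth_events=[
        ("hist-collector-svc", datetime(2025, 3, 9, 6, 30), "historian-01"),
        ("vendor-remote-support", datetime(2025, 3, 9, 14, 15), "jump-host-02"),
    ],
    maintenance_windows=[(datetime(2025, 3, 8, 22, 0), datetime(2025, 3, 9, 4, 0))],
)

if __name__ == "__main__":
    for name, findings in run_review(SAMPLE, NOW).items():
        print(f"{name}: {decision(findings)}")
        for f in findings:
            print(f"  - {f}")
```

On the sample data the historian collector certifies cleanly, the vendor account accumulates five findings (ownerless, shared, vendor-issued, never rotated, and a privileged login outside the window), and the HMI integration identity is flagged for inherited privilege, overdue rotation and no runtime use at all. Re-running the same review ten days later without refreshing the snapshot returns `cannot_certify` for every identity, which is the freshness rule doing its job.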
The NHI Lifecycle Management Guide is useful here because it frames review as part of a broader lifecycle: issuance, rotation, monitoring, and offboarding. That lifecycle view aligns with OWASP guidance on secrets and identity hygiene, especially where static credentials remain valid long after operational need ends.
These controls tend to break down when OT assets are air-gapped or partially undocumented because evidence collection becomes manual too, and the review process reverts to guesswork.
Common Variations and Edge Cases
Tighter access review often increases operational overhead, requiring organisations to balance stronger assurance against plant uptime and maintenance constraints. That tradeoff is real in OT, where production windows are limited and some legacy systems cannot emit clean identity telemetry. Current guidance suggests treating these cases as exceptions to be risk-ranked rather than exempting them outright.
One common edge case is the shared vendor account. Another is the service identity hardcoded into an engineering tool or HMI integration. A third is inherited access from a group or role that no one “owns” directly. Manual review tends to miss these because the approver sees a name, not the actual execution path. Where possible, review should be paired with short-lived credentialing, an explicit break-glass process, and evidence from runtime activity. Where that is not possible, the control should at least require documented compensating measures and a shorter re-certification interval.
The most important practical point is that OT review quality depends on evidence freshness. If the inventory is stale, the reviewer is certifying fiction. The NHIMG 52 NHI Breaches Analysis reinforces the pattern that overlooked machine identities and stale access paths are recurring breach conditions, not rare exceptions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Manual OT reviews miss stale or excessive NHI privileges. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access reviews must confirm least privilege for OT identities. |
| NIST AI RMF | | AI risk governance supports continuous evidence and accountability. |
Use AI RMF governance principles to require current evidence, ownership, and review cadence for machine access.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org