Without session monitoring, organisations lose the ability to see what a privileged user or vendor actually did inside the environment. In OT and ICS, that gap matters because the same access used for maintenance can also be used for unsafe command execution or lateral movement. Recording and intervention are what turn remote access into governable access.
Why This Matters for Security Teams
Industrial remote access is not just a connectivity problem. It is a governance problem where a session can become a maintenance action, a configuration change, or an unsafe command path in minutes. When session monitoring is absent, teams lose the ability to verify intent, reconstruct operator activity, or intervene before a harmless-looking login turns into a process impact. That gap is especially dangerous in OT and ICS, where availability and safety matter as much as confidentiality.
Current guidance from the OWASP Non-Human Identity Top 10 and NHIMG research in the Ultimate Guide to NHIs both point to the same operational truth: access without visibility is difficult to govern, whether the identity is human, vendor-controlled, or a service account supporting remote operations. In practice, monitoring is the control that turns remote access from a trust assumption into an auditable workflow. In The State of Non-Human Identity Security, 37% of organisations also cite the lack of monitoring and logging as a cause of NHI-related attacks.
In practice, many security teams discover misuse only after an outage, an alarm, or a vendor dispute has already made the session impossible to reconstruct.
How It Works in Practice
Session monitoring should capture enough context to answer three questions: who connected, what they touched, and whether the activity stayed within approved bounds. In industrial environments, that usually means recording session metadata, command streams, file transfers, elevated actions, and timing data, then correlating those events with ticketing, maintenance windows, and asset criticality. This is not the same as generic logging. OT remote access needs operator-grade evidence that can support both incident response and safety review.
Best practice is evolving toward layered controls rather than relying on a single recorder. That often includes privileged access management, jump hosts, session recording, alerting on risky commands, and human review for high-impact actions. For identity and access governance, the relevant question is not only whether the session was authenticated, but whether the session was continuously authorized as it unfolded. That aligns with the control logic described in the NHI Lifecycle Management Guide and the monitoring emphasis in the Top 10 NHI Issues.
- Record privileged remote sessions, not just authentication events.
- Link sessions to approved work orders, vendors, and time windows.
- Alert on command classes that can alter logic, safety settings, or network paths.
- Retain evidence in a form that is usable for incident response and audits.
- Require intervention paths for sessions that drift outside scope.
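One way to implement the correlation described in the list above, as an added example that is not part of the original guidance: recorded session events are checked against an approved work order (vendor, asset scope, time window, approved command classes), and drift on a high-impact command class is marked for intervention. The command classes, ticket numbers, asset names and events are all constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime as dt

# Hypothetical command classes that can alter logic, safety settings or network paths.
HIGH_IMPACT = {"logic_download", "safety_param_write", "firmware_update", "route_change"}

WorkOrder = namedtuple("WorkOrder", "ticket vendor assets start end allowed")
Event = namedtuple("Event", "session ticket vendor asset ts cmd_class")

def review(events, work_orders):
    """Return (session, reason, intervene) for each event outside approved bounds."""
    by_ticket = {w.ticket: w for w in work_orders}
    findings = []
    for e in events:
        wo = by_ticket.get(e.ticket)
        if wo is None:
            reasons = ["no approved work order"]
        else:
            checks = [
                (e.vendor != wo.vendor, "vendor mismatch"),
                (not (wo.start <= e.ts <= wo.end), "outside maintenance window"),
                (e.asset not in wo.assets, "asset out of scope"),
                (e.cmd_class not in wo.allowed, "command class not approved"),
            ]
            reasons = [msg for failed, msg in checks if failed]
        # Drift on a high-impact command class calls for live intervention,
        # not only an after-the-fact alert.
        findings += [(e.session, r, e.cmd_class in HIGH_IMPACT) for r in reasons]
    return findings

# Constructed sample data: one approved job and three recorded session events.
WORK_ORDERS = [WorkOrder("WO-1001", "vendor-a", {"plc-07"},
                         dt(2026, 1, 10, 8), dt(2026, 1, 10, 12),
                         {"read_diag", "logic_download"})]
EVENTS = [
    Event("s1", "WO-1001", "vendor-a", "plc-07", dt(2026, 1, 10, 9), "logic_download"),
    Event("s1", "WO-1001", "vendor-a", "sis-02", dt(2026, 1, 10, 9, 30), "safety_param_write"),
    Event("s2", "WO-1001", "vendor-a", "plc-07", dt(2026, 1, 10, 13), "read_diag"),
]

if __name__ == "__main__":
    for finding in review(EVENTS, WORK_ORDERS):
        print(finding)
```

The approved logic download produces no finding, while the safety parameter write on an out-of-scope asset is flagged twice with the intervention marker set.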
For standards-based identity assurance, NIST SP 800-63 Digital Identity Guidelines remains useful for authentication confidence, but it does not solve OT session governance by itself. These controls tend to break down in brownfield plants with shared vendor jump boxes because recording is often incomplete, network segmentation is inconsistent, and legacy equipment cannot tolerate intrusive monitoring.
Common Variations and Edge Cases
Tighter session monitoring often increases operational friction, so organisations have to balance safety, privacy, and maintenance speed against the need for evidence and intervention. That tradeoff is real in industrial environments where external contractors, emergency support, and 24/7 uptime all compete for the same access path.
There is no universal standard for this yet, but current guidance suggests treating high-risk sessions differently from routine access. For example, read-only diagnostics may warrant lighter monitoring than controller changes, safety parameter updates, or firmware work. Some environments also need compensating controls when recording is restricted by regulation or union policy. In those cases, strong metadata capture, dual approval, and real-time alerting may be the minimum viable alternative.
NHIMG research shows why this matters: Ultimate Guide to NHIs - Key Challenges and Risks notes that only 5.7% of organisations have full visibility into their service accounts, and the same visibility gap often appears in vendor sessions and remote operator workflows. Where that visibility is missing, session monitoring becomes the difference between assuming control and actually having it. The most fragile cases are shared vendor portals, emergency access accounts, and systems that permit direct command execution without command-level logging.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Runtime visibility and intervention are central to governing autonomous or tool-using agents. | |
| CSA MAESTRO | MAESTRO addresses governance and observability for autonomous systems and their actions. | |
| NIST AI RMF | AI RMF supports monitoring, traceability, and accountability for high-impact automated behaviour. | |
Establish traceability for remote actions and define escalation paths when monitored behaviour becomes unsafe.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org