
What should auditors look for in OT identity governance?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

They should look for evidence that local OT accounts are reconciled to a current owner, a current purpose and a current lifecycle state. If the organisation cannot show how role changes and leavers are reflected in plant access, the control environment is not fully provable.

Why This Matters for Security Teams

OT identity governance is about proving that every local account, service account, and shared operator login still has a current owner, a current purpose, and a current lifecycle state. That matters because plant environments often preserve access long after people change jobs, contractors leave, or equipment is repurposed. For auditors, the absence of provable identity hygiene is not a paperwork gap; it is evidence that access may still exist without operational justification.

This is where identity control becomes a safety and resilience issue. The NIST Cybersecurity Framework 2.0 expects governance to be measurable, while NHIMG research shows the scale of the problem: only 5.7% of organisations have full visibility into their service accounts, and 71% of NHIs are not rotated within recommended time frames. For OT, that lack of visibility can hide stale access on engineering workstations, PLC-adjacent tools, and vendor support accounts. In practice, many security teams discover weak identity governance only after a site change, incident, or audit exception has already exposed it.

How It Works in Practice

Auditors should trace OT identity governance from request through approval, provisioning, review, and removal. The key question is whether the organisation can show that access is tied to a named business owner, a defined operational task, and a documented end date or review cycle. Strong evidence usually includes joiner-mover-leaver records, account inventories, privileged access reviews, and logs showing that dormant or orphaned accounts were disabled on time.

In OT, the challenge is that account ownership is often split between plant operations, engineering, and third-party maintenance teams. That means auditors should look for a reconciled source of truth, not just a directory export. Useful artefacts include:

  • A current inventory of local OT accounts, service accounts, and vendor support access
  • Documented mapping from each account to a business owner and purpose
  • Evidence that role changes trigger access review in plant systems, not only in corporate IAM
  • Lifecycle controls for temporary access, including expiry and revocation
  • Periodic recertification showing who approved continued access and why
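The trace from request through provisioning, review and removal described above can be turned into a repeatable check: take the plant account export, the HR joiner-mover-leaver feed and the access-review tracker, and reconcile them so that every enabled account is either provably current or appears on a findings list. The following is an added example (not NHIMG's own tooling or anything from the original page); the record layout, field names, the 180-day recertification cycle and the 90-day dormancy threshold are assumptions, and the inventory, HR records and dates are constructed for illustration.

```python
"""Reconcile an OT account inventory against HR and recertification records.

Added example, not from the original page. Field names, thresholds and all
sample data are assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_CYCLE_DAYS = 180   # assumed recertification interval for plant access
DORMANT_DAYS = 90         # assumed "nobody has used this" threshold


@dataclass
class OTAccount:
    name: str
    system: str
    kind: str                    # "local", "service", "shared" or "vendor"
    owner: Optional[str]         # HR person id, None if nobody is recorded
    purpose: Optional[str]       # the operational task the account exists for
    enabled: bool
    expires: Optional[date]      # set for temporary / vendor access
    last_login: Optional[date]   # None when the system cannot tell us
    last_recert: Optional[date]  # last time continued access was approved


@dataclass
class Person:
    person_id: str
    status: str                  # "active" or "left"
    role: str
    role_changed: date           # date the current role was assigned
    left_on: Optional[date] = None


def reconcile(accounts, people, as_of):
    """Return (account, code, detail) for every enabled account that cannot be
    shown to be current. Disabled accounts are skipped: disabled is a valid
    lifecycle state, enabled without justification is the audit exception."""
    hr = {p.person_id: p for p in people}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        owner = hr.get(a.owner) if a.owner else None
        if owner is None:
            who = "no owner recorded" if a.owner is None else f"owner {a.owner!r} not in HR"
            findings.append((a.name, "NO_OWNER", who))
        elif owner.status == "left":
            findings.append((a.name, "ORPHANED", f"owner left on {owner.left_on}"))
        elif a.last_recert is not None and owner.role_changed > a.last_recert:
            # Mover: the owner's role changed after plant access was last approved
            findings.append((a.name, "MOVER_UNREVIEWED",
                             f"role changed {owner.role_changed}, last recert {a.last_recert}"))
        if not a.purpose:
            findings.append((a.name, "NO_PURPOSE", "no operational task recorded"))
        if a.expires is not None and a.expires < as_of:
            # Temporary access that nobody revoked when the end date passed
            findings.append((a.name, "EXPIRED_STILL_ENABLED", f"expired {a.expires}"))
        if a.last_login is not None and (as_of - a.last_login).days > DORMANT_DAYS:
            findings.append((a.name, "DORMANT", f"last login {a.last_login}"))
        if a.last_recert is None or (as_of - a.last_recert).days > REVIEW_CYCLE_DAYS:
            findings.append((a.name, "RECERT_OVERDUE", f"last recert {a.last_recert}"))
    return findings


def by_account(findings):
    """Group finding codes per account for reporting and assertions."""
    out = {}
    for name, code, _ in findings:
        out.setdefault(name, set()).add(code)
    return out


def summarise(findings):
    """Count findings per code, the shape an auditor's exception summary takes."""
    return Counter(code for _, code, _ in findings)


# Constructed sample data (assumed, not real records). Audit date: 2026-06-01.
AS_OF = date(2026, 6, 1)
PEOPLE = [
    Person("p100", "active", "control engineer", date(2024, 1, 15)),
    Person("p200", "left", "maintenance tech", date(2022, 5, 1), left_on=date(2026, 2, 28)),
    Person("p300", "active", "shift supervisor", date(2026, 4, 1)),   # recently moved
    Person("v001", "active", "vendor support", date(2025, 1, 1)),
]
ACCOUNTS = [
    OTAccount("eng-ws01\\pmartin", "eng-ws01", "local", "p100", "PLC program changes, line 3",
              True, None, date(2026, 5, 28), date(2026, 3, 10)),                  # clean
    OTAccount("hist-svc", "historian", "service", "p200", "historian collector",
              True, None, date(2026, 5, 31), date(2025, 10, 1)),                  # owner left
    OTAccount("OPER-LINE3", "hmi-line3", "shared", "p300", "line 3 HMI operator",
              True, None, date(2026, 5, 30), date(2026, 1, 20)),                  # mover
    OTAccount("vendor-acme-tmp", "eng-ws02", "vendor", "v001", "firmware upgrade visit",
              True, date(2026, 3, 15), date(2026, 2, 20), date(2026, 3, 1)),      # expired
    OTAccount("plc-backup", "plc-03", "local", None, None, True, None, None, None),  # orphan
    OTAccount("ctr-old", "ctr-01", "local", "p200", "old contractor", False, None, None, None),
]


def run_audit():
    """Reconcile the constructed sample inventory; returns the findings list."""
    return reconcile(ACCOUNTS, PEOPLE, AS_OF)


if __name__ == "__main__":
    results = run_audit()
    for name, code, detail in results:
        print(f"{name:20} {code:22} {detail}")
    print(dict(summarise(results)))
```

The point of the structure is that each finding code corresponds to one of the artefacts the auditor asks for: NO_OWNER and NO_PURPOSE test the account-to-owner mapping, ORPHANED and MOVER_UNREVIEWED test whether leavers and role changes reach plant access, EXPIRED_STILL_ENABLED tests the lifecycle controls for temporary access, and RECERT_OVERDUE tests periodic recertification. An account that appears in none of them is one the organisation can defend.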

NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because the same governance logic applies to non-human and operational identities: access must be current, attributable, and revoked when the need ends. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives also reinforces that lifecycle evidence is what turns policy into provable control. These controls tend to break down on legacy OT platforms that cannot support timely deprovisioning, and wherever identity records are maintained by hand across multiple sites rather than in one reconciled inventory.

Common Variations and Edge Cases

Tighter OT identity controls often increase operational overhead, so organisations have to balance auditability against uptime and vendor support constraints. Not every plant system supports modern RBAC or automated lifecycle workflows, so where native controls are limited the practical answer is compensating controls: supervised shared accounts, time-bound vendor access with a recorded end date, and documented break-glass procedures with post-use review.

The main edge case is legacy or air-gapped OT where local accounts are embedded in equipment, not centrally managed. In those environments, auditors should not expect perfect automation, but they should expect evidence of manual reconciliation, periodic physical or logical review, and explicit accountability for each account. Another common gap is “temporary” access that becomes permanent because no one owns the offboarding step. NHIMG’s Ultimate Guide to NHIs shows how often lifecycle weaknesses persist, and the lesson transfers directly to OT: if the organisation cannot prove removal, it should assume access still exists. There is no universal standard for this yet, but audit expectations are converging on traceable ownership and timely revocation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 (PR.AC-1 in CSF 1.1) | OT access must be linked to authorised identities and current ownership.
OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding; NHI7 Long-Lived Secrets | Stale OT accounts and unrotated credentials are core non-human identity governance failures.
NIST AI RMF | Govern function (no single control) | Relevant where OT identity workflows are increasingly automated.

Inventory OT accounts, rotate credentials, and disable orphaned identities on a defined schedule.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org