Accountability sits with the operating organisation, because auditors and regulators expect it to prove who accessed critical systems and under what authority. In practice, that means security, OT operations, and compliance must share one access record and one revocation process. If no one can reconstruct the session, the governance model has already failed.
Why This Matters for Security Teams
When OT remote access cannot be traced after the fact, the failure is not just technical. It becomes a governance and evidentiary problem. Auditors want a defensible answer to who approved access, what was reached, whether OWASP Non-Human Identity Top 10 controls were applied, and how revocation was enforced. Without that trail, incident response slows, root cause analysis weakens, and accountability shifts from a single owner to a shared control failure. NHIs already make visibility hard: only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
That matters especially in OT, where remote sessions often bridge IT tooling, vendor support, jump hosts, and legacy controllers. If the access path is fragmented, the record is fragmented too. The organisation must be able to show one authoritative record across security, OT operations, and compliance, not three partial logs that disagree. In practice, many security teams discover the missing chain of custody only after a plant event, a vendor dispute, or a regulator asks for reconstruction.
How It Works in Practice
Accountability depends on designing remote access so every session is attributable before it starts, visible while it runs, and revocable immediately when it ends. The practical model is a control stack: strong workload or operator identity, just-in-time approval, session recording, and centralized log correlation. Where OT vendors or engineers need access, the request should be tied to a named business purpose, a time window, and a specific asset. That is consistent with the intent of the 52 NHI Breaches Analysis, which shows how often weak identity controls turn into real exposure, and with the OWASP Non-Human Identity Top 10, which treats excessive standing access and weak lifecycle control as core failure modes.
A workable OT process usually includes:
- JIT access grants approved through PAM or a ticketing workflow.
- Session broker or bastion enforcement so the operator never connects directly.
- Immutable session logs, command capture, and time-synchronized authentication records.
- One revocation path for user accounts, service accounts, and shared vendor credentials.
Where possible, the evidence trail should also map to device identity and network path, not just usernames, because OT sessions often pivot through unmanaged endpoints and shared engineering tools. NHI guidance from Ultimate Guide to NHIs — Key Challenges and Risks is clear that visibility gaps and credential sprawl create the conditions where no one can reconstruct access with confidence. These controls tend to break down when legacy PLC environments, offline maintenance modes, or third-party emergency support require shared accounts and non-repudiable logging is not technically supported.
Common Variations and Edge Cases
Tighter traceability often increases operational friction, requiring organisations to balance access speed against evidentiary quality. That tradeoff is most visible in plants with 24/7 uptime, multiple OEMs, or air-gapped zones where standard identity tooling cannot be deployed uniformly. Current guidance suggests that organisations should not treat those constraints as a reason to accept anonymous access, but there is no universal standard for every OT topology yet.
In these edge cases, compensating controls matter: per-session approval, dual control for emergency access, unshared break-glass accounts, and rapid post-event review. If a vendor must connect through a jump server, the organisation should still preserve who requested the session, who approved it, which asset was touched, and what changed. The broader lesson from the Ultimate Guide to NHIs is that accountability fails when credentials outlive their purpose, and the same applies to OT access.
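As an added illustration (not code from this page or from NHI Mgmt Group) of the reconstruction that the control stack above and the edge-case compensating controls are meant to make possible: a Python check that correlates constructed JIT approval, session-broker, revocation and post-event-review records and lists the evidentiary gaps per session, including the emergency (break-glass) case. The record fields, names and the five-minute disconnect grace are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs), keyed by JIT request id: approval store,
# session-broker log, revocation events, and completed post-event reviews for emergency access.
APPROVALS = {
    "REQ-1001": {"approvers": ["ot.lead"], "asset": "plc-line3", "purpose": "firmware patch",
                 "start": "2026-06-01T08:00", "end": "2026-06-01T10:00", "emergency": False},
    "REQ-1002": {"approvers": ["ot.lead"], "asset": "hmi-boiler", "purpose": "pressure alarm",
                 "start": "2026-06-02T22:00", "end": "2026-06-02T23:00", "emergency": True},
}
BROKER_LOG = [
    {"request": "REQ-1001", "user": "vendor.ana", "asset": "plc-line3",
     "start": "2026-06-01T08:05", "end": "2026-06-01T09:40", "commands": 42},
    {"request": "REQ-1002", "user": "vendor.bo", "asset": "plc-boiler",
     "start": "2026-06-02T22:10", "end": "2026-06-03T01:30", "commands": 0},
    {"request": None, "user": "svc-historian", "asset": "plc-line3",
     "start": "2026-06-03T03:00", "end": "2026-06-03T03:02", "commands": 3},
]
REVOCATIONS = {"REQ-1001": "2026-06-01T09:40"}
REVIEWS = set()  # request ids with a completed post-event review

def _t(ts):
    return datetime.fromisoformat(ts)

def reconstruct(s, approvals=APPROVALS, revocations=REVOCATIONS, reviews=REVIEWS):
    """Return the evidentiary gaps for one broker session ([] means the chain is intact)."""
    a = approvals.get(s["request"])
    if a is None:
        return ["no approval record: session cannot be tied to a request"]
    late = _t(a["end"]) + timedelta(minutes=5)  # assumed grace period for an orderly disconnect
    checks = [
        (not a["approvers"], "no named approver"),
        (a["asset"] != s["asset"], f"asset mismatch: approved {a['asset']}, reached {s['asset']}"),
        (not _t(a["start"]) <= _t(s["start"]) <= _t(a["end"]), "started outside approved window"),
        (_t(s["end"]) > late, "session outlived its window: revocation not enforced"),
        (s["request"] not in revocations, "no revocation record"),
        (s["commands"] == 0, "no command capture: cannot show what changed"),
        (a["emergency"] and len(a["approvers"]) < 2, "emergency access without dual control"),
        (a["emergency"] and s["request"] not in reviews, "emergency access without post-event review"),
    ]
    return [msg for failed, msg in checks if failed]

def audit(log=BROKER_LOG):
    """Map each session (user, start time) to its list of gaps."""
    return {(s["user"], s["start"]): reconstruct(s) for s in log}

if __name__ == "__main__":
    for key, gaps in audit().items():
        print(key, "OK" if not gaps else "; ".join(gaps))
```

Any non-empty list is a session the organisation could not fully defend to an auditor; the unapproved service-account session shows why the record must cover NHIs, not only named operators.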
For high-risk environments, the question is not whether perfect traceability exists, but whether the organisation can reconstruct enough of the chain to prove control. If it cannot, the accountable party is still the organisation, because regulators will judge the control design, not the inconvenience of the environment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Traceability depends on controlling NHI access paths and accountability. |
| NIST CSF 2.0 | PR.AC-1 | Access control and logging are central to reconstructing OT sessions. |
| NIST AI RMF | | Accountability for autonomous or tool-driven access aligns to governance duties. |
Centralize authentication, authorization, and logs so every remote session is attributable.
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org