Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security Why do air gaps and static perimeters fail…
Cyber Security

Why do air gaps and static perimeters fail in IT/OT convergence?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 12, 2026 Domain: Cyber Security

Air gaps and static perimeters fail because modern OT rarely stays isolated. Hybrid connectivity, remote administration, and virtualised gateways create new paths that traditional zone designs do not capture. Once those paths exist, attackers can traverse them laterally unless access policy, monitoring, and containment are updated to reflect the live environment.

Why This Matters for Security Teams

IT/OT convergence changes the security model from isolated zones to connected services, shared identities, and operational dependencies. That makes air gaps and static perimeters fragile assumptions rather than reliable controls. Once engineering workstations, remote vendors, historians, or cloud connectors become part of the path, security teams need a live control model that reflects actual trust relationships, not diagrams frozen at design time. The NIST Cybersecurity Framework 2.0 is useful here because it pushes organisations to manage outcomes across governance, identification, protection, detection, response, and recovery rather than relying on boundary myths.

The main risk is that defenders assume the perimeter still contains the blast radius, while attackers target the administrative routes, protocol bridges, and supplier access that bypass it. In OT, those routes often exist for valid operational reasons, which is why simplistic deny-all models usually fail in practice. The real task is to reduce implicit trust, expose all access paths, and treat every exception as a control that must be monitored and reviewed. In practice, many security teams encounter perimeter failure only after remote access or vendor connectivity has already become business-critical, rather than through intentional architecture review.

How It Works in Practice

Effective convergence security starts by mapping every pathway into the operational environment, including remote support tools, jump servers, cloud management planes, data historians, API bridges, and engineering laptops. Static segmentation alone is not enough if identities can move across zones or if shared credentials can be reused on both IT and OT assets. Best practice is evolving toward identity-aware access, strong device posture checks, continuous logging, and explicit approval for high-risk actions. Where remote privileged access is unavoidable, many organisations align the operational model with CISA Zero Trust guidance and apply least privilege with short-lived elevation rather than standing administrative reach.

A practical control pattern usually includes:

  • Separate administrative identities for IT and OT, with no shared credentials.
  • Brokered remote access through monitored jump points rather than direct device-to-device links.
  • Asset and protocol inventory that includes vendor tools, virtual appliances, and maintenance interfaces.
  • Telemetry from identity, network, endpoint, and process layers so anomalous access can be correlated quickly.
  • Containment plans that assume perimeter compromise and focus on stopping lateral movement and unsafe commands.

For asset visibility and control validation, many teams also use the CISA Known Exploited Vulnerabilities Catalog to prioritise exposed systems that sit on convergence paths. The operational reality is that OT security is as much about trusted pathways and change control as it is about network boundaries. These controls tend to break down when legacy controllers require flat trust relationships and direct vendor access because compensating monitoring cannot fully inspect proprietary traffic or safety-critical command paths.

Common Variations and Edge Cases

Tighter segmentation often increases operational friction, requiring organisations to balance safety and uptime against faster maintenance and troubleshooting. That tradeoff becomes especially sharp in plants that rely on legacy controllers, outsourced support, or thinly documented integrator dependencies. Current guidance suggests that the goal is not to eliminate every connection, but to make every connection explicit, justified, and observable.

There are important edge cases. Some OT environments cannot tolerate aggressive authentication changes, which means identity controls may need phased deployment around maintenance windows and vendor agreements. In highly regulated sectors, converged environments may also need to align with NIS2 expectations for resilience and incident handling, especially where operational outage has wider service impact. The security lesson is that air gaps are often replaced by “connected gaps” such as jump hosts, wireless maintenance links, or cloud-managed OT tooling. That is where identity governance matters most, because access paths now behave like NHI or privileged admin routes rather than fixed physical boundaries. A final edge case is safety engineering: some systems prioritise deterministic availability over rapid patching, so monitoring and recovery controls often provide more value than attempting perfect isolation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, and NIS2 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-01Converged IT/OT access paths need explicit identity and access governance.
NIST Zero Trust (SP 800-207)SA-4Static perimeters fail where trust is implicit and access is broad.
NIS2Critical service resilience and incident response are central in converged environments.
OWASP Non-Human Identity Top 10Shared machine and service identities often create hidden OT traversal paths.

Build incident handling and recovery plans that assume perimeter compromise and operational disruption.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org