Because many connected devices cannot run endpoint agents, and many operational protocols do not produce the same visibility that IT tools expect. Attackers can exploit shared connectivity, weak segmentation, and trusted engineering paths to move between systems. That means control effectiveness depends on network design, identity boundaries, and response authority, not just on malware detection.
Why This Matters for Security Teams
IoT and OT environments change the lateral movement problem because defenders cannot rely on the same agent-based telemetry, host containment, or rapid patch cycles used in IT. Many devices are unmanaged, long-lived, or vendor-controlled, while the operational impact of disruption is higher than in office networks. MITRE’s MITRE ATT&CK Enterprise Matrix is useful for mapping movement paths, but it does not remove the constraint that many industrial protocols and embedded assets remain opaque.
NHI Management Group research shows how often identity boundaries are already weak in connected environments: Ultimate Guide to NHIs — Standards notes that 97% of NHIs carry excessive privileges and 90% of IT leaders say proper NHI management is essential to zero trust. In practice, that means an attacker who reaches one trusted device, engineering workstation, or service account may inherit far more reach than the network diagram suggests. In practice, many security teams encounter lateral movement only after a vendor laptop, historian, or remote maintenance path has already been abused.
How It Works in Practice
Lateral movement is harder to control in IoT and OT because the control points are fragmented. A single factory cell may include PLCs, HMIs, sensors, historians, jump hosts, and remote access gateways, each with different trust assumptions. Static RBAC is often too coarse for this environment because the question is not just who may access a system, but what state the device is in, what task is underway, and whether the request is coming through an approved maintenance path.
Current guidance increasingly favours a combination of network segmentation, workload identity, and runtime policy enforcement. For connected workloads, the identity primitive is often the device or service itself, not a human user. That is why short-lived credentials, per-task access, and strong device attestation matter more than long-lived shared secrets. The NHI Management Group’s Schneider Electric credentials breach illustrates how exposed credentials can become a movement channel once an attacker reaches a trusted environment.
- Separate IT, OT, and vendor pathways so that one compromised endpoint cannot reach engineering or safety zones by default.
- Use allow-listed communication, not broad trust, especially for remote administration and machine-to-machine traffic.
- Issue credentials with tight time limits and revoke them after the maintenance task ends.
- Apply policy at request time, because pre-defined access rules rarely capture the full operational context.
For implementation detail, SPIFFE and CISA both reinforce the value of strong identity boundaries and segmented trust zones. These controls tend to break down when legacy OT protocols must remain always-on and vendor remote support requires persistent access because the operational team cannot safely enforce short-lived access without a replacement workflow.
Common Variations and Edge Cases
Tighter segmentation often increases operational overhead, requiring organisations to balance resilience against maintenance speed and safety constraints. That tradeoff is real in OT, where downtime may affect production, environmental controls, or physical safety. Best practice is evolving, and there is no universal standard for how much segmentation or identity enforcement is enough in every plant, substation, or building automation system.
Edge cases usually appear where vendors insist on fixed IP allow-lists, shared service credentials, or always-on VPN access. Those patterns reduce friction for support teams, but they also expand the blast radius when one account or gateway is compromised. The 52 NHI Breaches Analysis is a useful reminder that identity compromise, not just malware, often drives access expansion. For operational resilience, teams should also treat remote monitoring tools, firmware update channels, and historian integrations as potential movement bridges rather than benign utilities.
In high-assurance environments, the practical answer is not to eliminate lateral movement entirely, but to make it slow, detectable, and operationally expensive. That means strong segmentation, explicit trust boundaries, and fast revocation paths for credentials tied to maintenance and automation. In mixed IT/OT estates, the weakest point is often the exception path, not the main production network.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Focuses on protecting non-human identities and their blast radius. |
| OWASP Agentic AI Top 10 | A2 | Autonomous tool use can expand movement paths across trusted systems. |
| CSA MAESTRO | SP1 | Covers secure orchestration and trust boundaries for agentic workloads. |
| NIST AI RMF | GOVERN | Governance is needed where machine actions can cross zones unpredictably. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust access control directly addresses lateral movement containment. |
Constrain autonomous actions with runtime approval, scoped tools, and revocation.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org