Subscribe to the Non-Human & AI Identity Journal
Home FAQ Why do mixed IT and OT environments break…

Why do mixed IT and OT environments break traditional segmentation assumptions?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026

Because IT and OT share neither the same tolerance for failure nor the same control objective. In IT, a mistaken block is inconvenient; in clinical or industrial settings, it can stop care or production. Traditional network segmentation assumes those consequences are interchangeable, which they are not.

Why This Matters for Security Teams

Mixed IT and OT environments fail for the same reason many segmentation programs fail: the network is being asked to enforce a safety decision it was never designed to make. In IT, a denied connection may trigger a ticket. In OT, the same denial can interrupt alarms, dosing, telemetry, or a production line. That difference means the control objective is not just confidentiality or containment, but availability, safety, and recovery under constrained maintenance windows. Current guidance suggests segmentation must be treated as an operational design problem, not a pure firewall rule exercise, especially when identities, remote access, and vendor support paths cross the boundary. The NIST Cybersecurity Framework 2.0 is useful here because it frames protection and recovery as coordinated functions rather than a single perimeter decision. NHIMG’s Ultimate Guide to Non-Human Identities is also relevant because most cross-domain traffic is driven by service accounts, APIs, and machine credentials rather than human users. In practice, many security teams discover segmentation failure only after an engineering change, vendor session, or emergency access path has already bypassed the intended boundary, rather than through intentional test of the design.

How It Works in Practice

Effective mixed-environment segmentation starts by mapping what actually needs to talk, when, and under what failure conditions. A flat “IT zone” and “OT zone” split is usually too coarse because historians, patch servers, jump hosts, identity systems, and remote support tools create legitimate dependencies that cannot simply be blocked. The better pattern is to classify traffic by function and criticality, then apply policy that reflects the operational tolerance of each path. That often means:
  • Separating control traffic, business traffic, and vendor maintenance traffic into different trust paths.
  • Using allowlists tied to exact ports, protocols, sources, and time windows instead of broad subnet trust.
  • Constraining non-human identities with least privilege, short-lived credentials, and explicit ownership.
  • Monitoring east-west movement for service accounts and machine tokens, not only human logins.
For identity-heavy environments, the security boundary is increasingly the workload identity itself. NHI controls such as lifecycle management, rotation, and revocation matter because a forgotten API key can cross segmentation without touching a human workflow. NHIMG’s research on Schneider Electric credentials breach illustrates how credential exposure can collapse a boundary that looked sound on paper. NIST’s Cybersecurity Framework 2.0 supports this by emphasizing governance, risk management, and response as continuous functions, not one-time network placement decisions. These controls tend to break down in plants with legacy protocols, shared engineering workstations, and vendor remote access because segmentation cannot easily distinguish essential command traffic from unsafe lateral movement.

Common Variations and Edge Cases

Tighter segmentation often increases operational friction, requiring organisations to balance blast-radius reduction against uptime, safety, and supportability. That tradeoff becomes sharper in brownfield OT environments where devices cannot be patched frequently, traffic patterns are poorly documented, and resegmentation may require shutdowns that the business cannot absorb. Best practice is evolving, but there is no universal standard for this yet: some teams favour microsegmentation around high-value assets, while others use compensating controls such as jump servers, protocol-aware gateways, and continuous identity checks. The right answer depends on whether the environment is a hospital, utility, manufacturing line, or hybrid data center, because the acceptable failure mode is different in each case. Two edge cases matter most. First, emergency access can invalidate elegant segmentation if break-glass accounts are shared, static, or broadly trusted. Second, third-party support often enters through exceptions that outlive their original approval. NHIMG’s Ultimate Guide to Non-Human Identities shows why this matters: machine identities outnumber human identities by orders of magnitude, so a single overlooked credential can become the real bridge between zones. The practical test is not whether IT and OT are separated on a diagram, but whether every dependency is provable, minimal, and revocable without stopping the operation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Segmentation depends on managing access to assets and services by least privilege.
NIST Zero Trust (SP 800-207)Zero Trust replaces implicit zone trust with continuous verification between IT and OT.
OWASP Non-Human Identity Top 10NHI-01Machine identities often become the hidden bridge that defeats segmentation boundaries.
CSA MAESTROAgentic and machine-driven workflows require policy-aware trust boundaries across environments.
NIST AI RMFRisk management must account for operational and safety impact when controls affect availability.

Assess segmentation changes against mission impact, safety risk, and recovery requirements before rollout.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org