Because reviews are usually anchored to corporate directories, while OT access may live in local systems maintained by engineers. If the review does not include plant-level accounts, it can certify access that no longer matches HR status, leaving stale privileges in place after transfers or departures.
Why This Matters for Security Teams
OT access reviews often miss the riskiest identities because the review process is built around enterprise directories, not the accounts that actually operate plant systems, engineering workstations, HMIs, historians, and vendor remote access paths. That gap matters because OT environments commonly accumulate local accounts, shared operator credentials, service accounts, and one-off emergency access that never flows cleanly through HR-driven joiner-mover-leaver processes. When those identities are invisible, reviews can create false confidence instead of real risk reduction.
This is not just a housekeeping problem. The same blind spots that affect human accounts also affect non-human identities, and NHI governance guidance consistently shows how quickly stale access, excessive privilege, and weak visibility compound operational risk. NHI Management Group has documented that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which helps explain why reviews so often certify the wrong inventory. Current guidance from the OWASP Non-Human Identity Top 10 also aligns with this risk pattern.
In practice, many security teams encounter the problem only after a plant audit, contractor exit, or incident investigation exposes accounts that were never in scope for the review.
How It Works in Practice
The core failure is scoping. A traditional access review starts with Active Directory, HR records, or an enterprise IAM export, then asks managers to attest to who should still have access. OT environments do not behave that neatly. Access may be enforced locally on PLC engineering tools, SCADA jump hosts, vendor laptops, or embedded accounts maintained by site engineers. If the review data set does not include those sources, the attestation process can only validate a partial picture.
Practitioners usually need to build the review around actual control points, not just corporate identity sources. That means reconciling directory data with plant-level account inventories, remote support channels, and service or shared accounts tied to production systems. The operational goal is to identify whose access exists, where it is enforced, why it still exists, and whether it is tied to a current operational need. This is where NHI lifecycle thinking becomes relevant even in human-access reviews, because the real issue is unmanaged account sprawl. The NHI Lifecycle Management Guide is useful here, and the broader risk profile is captured in the 52 NHI Breaches Analysis.
- Pull accounts from OT local systems, not only enterprise directories.
- Map each account to a system owner, business purpose, and last-used date.
- Separate human operator access from shared or vendor-maintained access.
- Verify dormant accounts, orphaned vendor paths, and emergency accounts.
- Revoke or reauthorize access based on current plant need, not historical entitlements.
Teams that mature faster also align the review with NIST Cybersecurity Framework 2.0 practices for asset visibility and access governance, rather than treating OT as an exception. These controls tend to break down when the site uses offline engineering stations, shared vendor accounts, or undocumented local overrides, because the authoritative identity source is fragmented across engineering and operations teams.
Common Variations and Edge Cases
Tighter OT access review coverage often increases operational overhead, requiring organisations to balance production continuity against stronger assurance. That tradeoff is real because some OT systems cannot support standard IAM connectors, frequent password rotation, or automated attestation workflows without risking downtime.
Current guidance suggests treating these environments as exceptions that still require evidence, not as exempt zones. In practice, that may mean scheduled exports from local account databases, manual validation of break-glass accounts, and a separate review cadence for vendor access tied to maintenance windows. Shared accounts remain especially difficult because attribution is weak, yet they often carry the highest operational privilege. A review that only asks whether the account exists misses whether it is tied to a named approver, a documented work order, and a current support contract.
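The reconciliation described in the five-step list under "How It Works in Practice", together with the evidence check this paragraph calls for on shared and vendor accounts (named approver, work order, current support contract), can be made concrete in a small script. The following is an added illustration, not NHIMG tooling or any product's API. The HR export, the plant-level inventory, the 90-day dormancy threshold, the finding codes and the disposition rules are all constructed for the example; a real run would replace the two inline data sets with a directory export and the scheduled exports from local account databases on HMIs, engineering stations and jump hosts.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed site policy (not from the article): unused longer than this counts as dormant.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class OTAccount:
    name: str
    system: str                  # control point where the account is actually enforced
    site: str                    # plant the control point belongs to
    kind: str                    # "human", "shared", "vendor", "service", "break_glass"
    owner: Optional[str]         # named system owner / approver, if documented
    last_used: Optional[date]    # from local logs or the system's own account database
    hr_link: Optional[str] = None            # directory identity, if the account maps to one
    work_order: Optional[str] = None         # documented reason the access still exists
    contract_expires: Optional[date] = None  # vendor support contract end, if applicable


# Constructed HR / directory export: the only view a directory-anchored review sees.
HR_RECORDS = {
    "jdoe": {"status": "active", "site": "plant-3"},
    "asmith": {"status": "terminated", "site": "plant-3"},  # leaver
    "bkhan": {"status": "active", "site": "hq"},            # mover, transferred off site
}

# Constructed plant-level inventory, as exported from local account databases.
TODAY = date(2026, 6, 11)
OT_INVENTORY = [
    OTAccount("jdoe", "eng-ws-07", "plant-3", "human", "eng-lead", TODAY - timedelta(days=3), hr_link="jdoe"),
    OTAccount("asmith", "hmi-line2", "plant-3", "human", "ops-lead", TODAY - timedelta(days=40), hr_link="asmith"),
    OTAccount("bkhan", "scada-jump-01", "plant-3", "human", "eng-lead", TODAY - timedelta(days=200), hr_link="bkhan"),
    OTAccount("operator", "hmi-line2", "plant-3", "shared", None, TODAY - timedelta(days=1)),
    OTAccount("vendor_svc", "historian-01", "plant-3", "vendor", "eng-lead", TODAY - timedelta(days=20),
              work_order="WO-4411", contract_expires=date(2025, 12, 31)),
    OTAccount("emerg_admin", "plc-eng-tool", "plant-3", "break_glass", "eng-lead", None, work_order="WO-0001"),
    OTAccount("localadmin", "eng-ws-07", "plant-3", "human", None, None),
]


def review_account(acct: OTAccount, hr: dict, today: date) -> list[str]:
    """Return finding codes for one account; an empty list means nothing to question."""
    findings = []
    if acct.owner is None:
        findings.append("no_owner")
    if acct.kind == "human":
        if acct.hr_link is None:
            findings.append("not_in_directory")        # exists only at the control point
        elif acct.hr_link not in hr:
            findings.append("unknown_directory_identity")
        elif hr[acct.hr_link]["status"] != "active":
            findings.append("leaver")                  # HR says gone, plant says present
        elif hr[acct.hr_link]["site"] != acct.site:
            findings.append("mover")                   # transferred, access never followed
    elif acct.kind == "shared":
        if acct.work_order is None:
            findings.append("shared_no_work_order")
    elif acct.kind == "vendor":
        if acct.contract_expires is None or acct.contract_expires < today:
            findings.append("vendor_contract_lapsed")
        if acct.work_order is None:
            findings.append("vendor_no_work_order")
    if acct.kind == "break_glass":
        # Break-glass accounts are expected to sit unused: manual check, not a dormancy flag.
        findings.append("break_glass_manual_validation")
    elif acct.last_used is None or today - acct.last_used > DORMANT_AFTER:
        findings.append("dormant")
    return findings


REVOKE_ON = {"leaver", "unknown_directory_identity", "vendor_contract_lapsed"}


def disposition(findings: list[str]) -> str:
    """Map findings to the review outcome: keep, revoke, or push back to a named owner."""
    if not findings:
        return "reauthorize"
    if REVOKE_ON & set(findings):
        return "revoke"
    if "break_glass_manual_validation" in findings:
        return "manual_validate"
    return "needs_owner_attestation"


def run_review(inventory, hr, today) -> dict[str, tuple[list[str], str]]:
    """Review each grant at its control point; name@system keys keep the same
    username on two systems as two distinct grants."""
    results = {}
    for a in inventory:
        findings = review_account(a, hr, today)
        results[f"{a.name}@{a.system}"] = (findings, disposition(findings))
    return results


def directory_only_scope(inventory) -> set[str]:
    """What a review anchored on the enterprise directory would actually see."""
    return {f"{a.name}@{a.system}" for a in inventory if a.hr_link is not None}


if __name__ == "__main__":
    results = run_review(OT_INVENTORY, HR_RECORDS, TODAY)
    seen = directory_only_scope(OT_INVENTORY)
    print(f"directory-anchored review covers {len(seen)} of {len(results)} access grants")
    for key, (findings, outcome) in results.items():
        note = "" if key in seen else "  (invisible to a directory-only review)"
        print(f"{key:26} {outcome:24} {', '.join(findings) or '-'}{note}")
```

On the constructed data, a directory-anchored review sees only three of the seven grants; the shared operator login with no approver, the vendor account whose support contract has lapsed, the break-glass account and the never-used local administrator are all outside its scope. The leaver's HMI account is the one case a directory review would catch, and only if the plant-level inventory is joined to the HR status rather than attested from the directory alone.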
Another common edge case is compensating control drift. Teams may rely on network segmentation or physical isolation as a substitute for access hygiene, but those controls do not fix stale credentials or unused privileged paths. The evidence from Ultimate Guide to NHIs — Why NHI Security Matters Now and the Top 10 NHI Issues reinforces a simple point: visibility and rotation failures persist even in mature environments. The standard review model breaks down in plants with legacy controllers, air-gapped support processes, and undocumented emergency procedures because no single system holds the full access record.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | OT review gaps are an access inventory and authorization problem. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Stale OT accounts mirror hidden NHI inventory and ownership failures. |
| CSA MAESTRO | MAESTRO-4 | OT access review gaps show weak governance over privileged autonomous access paths. |
Maintain a complete identity inventory, including local OT and vendor accounts, before attestation.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org