Command integrity is the assurance that only authorised, intended control messages can change a device state. In OT, it matters more than packet validity alone because an attacker can send a well-formed command that is still operationally destructive.
Expanded Definition
Command integrity describes whether a control instruction is both authorised and operationally correct before it changes a device, service, or process state. In OT and cyber-physical environments, the issue is not just whether a packet is syntactically valid, but whether the command itself should be allowed to execute, under what conditions, and with what bounded effect. That makes command integrity a governance problem as much as a protocol problem.
Definitions vary across vendors, but the term is generally used to distinguish trusted operational control from merely authenticated transport. A signed or well-formed message can still be dangerous if it is replayed, injected from an overprivileged NHI, or accepted outside the intended safety context. This is why command integrity is closely related to NIST Cybersecurity Framework 2.0 concepts around access control and resilient operations, even though no single standard governs this term yet. It also intersects with NHI governance because machine identities often carry the authority to send commands that humans never directly review.
The most common misapplication is treating network-level authentication as proof of command legitimacy, which occurs when teams trust any command that arrives over a secure channel.
Examples and Use Cases
Implementing command integrity rigorously often introduces latency, policy complexity, and change-management overhead, requiring organisations to weigh safer actuation against faster automation.
- A PLC accepts a start or stop instruction only if the issuing service account matches an approved workflow and the command falls within the current operating window.
- A remote maintenance agent can request a valve adjustment, but the command is blocked unless a second policy engine validates the source, timing, and asset context.
- An orchestration platform sends shutdown commands to an industrial subsystem, yet the action is rejected when the command signature is valid but the issuing NHI lacks the right role.
- A safety-critical application cross-checks high-impact commands against approved change tickets to prevent replay or out-of-band actuation.
These use cases are easier to understand after reviewing the governance patterns in Ultimate Guide to NHIs, especially where machine identities have standing authority over devices and workflows. For protocol-level trust, practitioners often compare this control layer with the intent behind NIST Cybersecurity Framework 2.0, but command integrity goes beyond basic identity verification because it also evaluates whether the command itself is safe and authorised in context.
Why It Matters in NHI Security
Command integrity matters because NHI compromise is frequently operational, not just informational. If an attacker takes over a service account, API key, or automation agent, the result may be an apparently legitimate command that changes states, disables safeguards, or triggers unsafe actions. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes command-bearing identities a direct control plane risk. The same research also reports that only 5.7% of organisations have full visibility into their service accounts, which means many command paths are poorly governed from the start.
This is why command integrity must be treated as part of broader NHI lifecycle control, including issuance, privilege scoping, rotation, and offboarding. It aligns naturally with the guidance in Ultimate Guide to NHIs, where excessive privilege and poor visibility are recurring failure modes. The operational mistake is to assume that a command is trustworthy because the sender authenticated successfully, rather than proving the instruction was intended, authorised, and bounded for that exact asset at that exact moment.
Organisations typically encounter command integrity as a priority only after an unauthorised instruction changes a production state, at which point the distinction between valid transport and valid control becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Command-bearing machine identities can execute destructive actions when authority is overbroad. |
| NIST CSF 2.0 | PR.AC-4 | Access enforcement is required to ensure only approved identities can issue control commands. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires policy checks before commands are trusted, not just after network admission. |
Bind each command source to least privilege and verify it can only act within explicit operational scope.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
