
Internet of Things

By NHI Mgmt Group. Updated June 23, 2026. Domain: Architecture & Implementation Patterns.

A network of physical devices that collect, exchange, and act on data over the internet or a connected platform. In security terms, each device behaves like a non-human endpoint with its own identity, software, permissions, and lifecycle that must be governed like any other connected asset.

Expanded Definition

The Internet of Things, or IoT, is more than a collection of connected devices. In security and governance terms, it is a distributed population of non-human endpoints that generate data, receive commands, and often act with partial autonomy across business, operational, and physical environments. That makes each device an identity-bearing asset, not just a piece of hardware.

IoT is commonly discussed alongside the NIST Cybersecurity Framework 2.0, because the real issue is not connectivity alone but how assets are identified, monitored, protected, and recovered across their lifecycle. In NHI governance, IoT overlaps with device identity, certificate management, firmware integrity, network segmentation, and remote access policy. Definitions vary across vendors when they blur IoT with OT, embedded systems, or consumer smart devices, so the operational boundary should be defined by whether the device has networked identity, credentials, and executable trust relationships.

The most common misapplication is treating IoT as a hardware inventory problem, which occurs when organisations register the device but fail to govern its credentials, ownership, and permitted actions.

Examples and Use Cases

Implementing IoT rigorously often introduces operational overhead, requiring organisations to weigh continuous device assurance against deployment speed and field maintenance constraints.

  • Industrial sensors authenticate to a telemetry platform with certificates and rotate credentials on a defined schedule, reducing the risk of persistent compromise.
  • Smart building controllers are placed on segmented networks with limited command scope so a compromised thermostat cannot become a pivot point.
  • Connected cameras are inventoried as NHIs, with ownership, firmware status, and remote access rights tracked through lifecycle controls described in the Ultimate Guide to NHIs.
  • Manufacturing devices exchange signed updates and service tokens with a central platform, aligning device trust with NIST Cybersecurity Framework 2.0 principles for asset management and protective technology.
  • Retail point-of-sale peripherals report health and identity status before being allowed to transact, lowering the chance of hidden rogue devices.

Why It Matters in NHI Security

IoT matters because every connected device expands the non-human attack surface, often with weaker patching, longer lifecycles, and less human attention than standard IT assets. When organisations do not govern device identities, attackers can exploit default credentials, stale certificates, exposed APIs, or forgotten endpoints to move laterally, intercept data, or issue unauthorized commands. The risk is amplified by scale: NHIs outnumber human identities by 25x to 50x in modern enterprises, and IoT devices are part of that population. NHI Mgmt Group research also shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why device identity cannot be separated from broader NHI governance.

For practitioners, the key question is whether the IoT estate can be proved, rotated, revoked, and segmented at scale. Without that discipline, incident response becomes blind, because many devices cannot be trusted to self-report compromise or support rapid recovery. Organisations typically encounter the full cost of IoT identity neglect only after a device is hijacked or used as an entry point, at which point addressing IoT governance becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Covers non-human identity inventory and lifecycle issues relevant to IoT devices.
NIST CSF 2.0                     | ID.AM-1             | Asset management guidance applies to connected devices and their identity relationships.
NIST Zero Trust (SP 800-207)     | SC-7                | Zero Trust segmentation and access control are central to limiting IoT blast radius.

Inventory IoT devices as identities, assign ownership, and track lifecycle state continuously.
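The following is an added example, not code from the glossary or from NHI Mgmt Group, that turns the use cases listed under "Examples and Use Cases" and the directive above into a runnable inventory model: each device is recorded as an identity with an owner, network segment, client certificate expiry, rotation timestamp, firmware version, lifecycle state, and permitted actions, and an admission gate refuses to let a device transact until its identity checks pass. The device records, the fixed clock, the policy thresholds (90-day rotation, 14-day expiry warning) and the convention that a device class is the prefix of its id are all constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Lifecycle(Enum):
    """Lifecycle states tracked for every device identity."""
    PROVISIONED = "provisioned"
    ACTIVE = "active"
    QUARANTINED = "quarantined"
    DECOMMISSIONED = "decommissioned"


@dataclass
class IoTDevice:
    """One IoT device recorded as a non-human identity, not as bare hardware."""
    device_id: str
    owner: str | None            # accountable team; None means the device is orphaned
    segment: str                 # network segment the device is placed on
    cert_not_after: datetime     # expiry of the device's client certificate
    last_rotated: datetime       # when its credential was last rotated
    firmware_version: str
    state: Lifecycle
    permitted_actions: frozenset[str] = frozenset()


@dataclass
class Policy:
    """Governance thresholds (assumed values, not taken from the glossary)."""
    rotation_period: timedelta = timedelta(days=90)
    expiry_warning: timedelta = timedelta(days=14)
    approved_segments: frozenset[str] = frozenset()
    approved_firmware: dict[str, str] = field(default_factory=dict)  # device class -> version


def device_class(device: IoTDevice) -> str:
    """Device class is the id prefix, e.g. 'cam' for 'cam-017' (naming assumption)."""
    return device.device_id.split("-", 1)[0]


def assess(device: IoTDevice, policy: Policy, now: datetime) -> list[str]:
    """Return governance findings for one device; an empty list means good standing."""
    if device.state is Lifecycle.DECOMMISSIONED:
        return ["decommissioned device still present in inventory"]
    findings: list[str] = []
    if not device.owner:
        findings.append("no owner assigned")
    if device.cert_not_after <= now:
        findings.append("certificate expired")
    elif device.cert_not_after - now <= policy.expiry_warning:
        findings.append("certificate expires soon")
    if now - device.last_rotated > policy.rotation_period:
        findings.append("credential rotation overdue")
    if device.segment not in policy.approved_segments:
        findings.append(f"unapproved segment {device.segment}")
    expected = policy.approved_firmware.get(device_class(device))
    if expected is not None and device.firmware_version != expected:
        findings.append(f"firmware {device.firmware_version} not at approved {expected}")
    return findings


def admit(device: IoTDevice, action: str, policy: Policy, now: datetime) -> bool:
    """Admission gate: only an ACTIVE device with no findings may perform a permitted action."""
    return (
        device.state is Lifecycle.ACTIVE
        and action in device.permitted_actions
        and not assess(device, policy, now)
    )


def inventory_report(devices: list[IoTDevice], policy: Policy, now: datetime) -> dict[str, list[str]]:
    """Findings per device id, the view an owner or responder would review continuously."""
    return {d.device_id: assess(d, policy, now) for d in devices}


# Constructed sample data: a fixed clock, one policy, and four made-up devices.
NOW = datetime(2026, 6, 23, tzinfo=timezone.utc)
POLICY = Policy(
    approved_segments=frozenset({"ot-telemetry", "pos-peripherals", "building-controls"}),
    approved_firmware={"sensor": "2.4.1", "cam": "1.2.0", "pos": "5.0.3", "thermo": "3.1.0"},
)
DEVICES = [
    IoTDevice("sensor-001", "plant-ops", "ot-telemetry", NOW + timedelta(days=180),
              NOW - timedelta(days=30), "2.4.1", Lifecycle.ACTIVE, frozenset({"publish_telemetry"})),
    IoTDevice("cam-017", None, "corp-lan", NOW + timedelta(days=5),
              NOW - timedelta(days=120), "1.0.9", Lifecycle.ACTIVE, frozenset({"stream"})),
    IoTDevice("pos-042", "retail-it", "pos-peripherals", NOW - timedelta(days=1),
              NOW - timedelta(days=10), "5.0.3", Lifecycle.ACTIVE, frozenset({"transact"})),
    IoTDevice("thermo-003", "facilities", "building-controls", NOW + timedelta(days=300),
              NOW - timedelta(days=20), "3.1.0", Lifecycle.QUARANTINED, frozenset({"set_temperature"})),
]

if __name__ == "__main__":
    for device_id, findings in inventory_report(DEVICES, POLICY, NOW).items():
        print(device_id, findings or "ok")
```

Run as a script it prints one line per device: the sensor is clean, the camera shows the orphaned-device, stale-credential, wrong-segment and old-firmware findings at once, the point-of-sale device is blocked by an expired certificate, and the quarantined thermostat is clean but still refused by the gate because admission depends on lifecycle state as well as on findings.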

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org