Bridging IT and OT identity decisions on the factory floor

March 6, 2026 Fabrice Delouche

In today’s smart factories, production doesn’t go quiet at shift change. Behind the scenes, modern manufacturing systems never cease. They continuously exchange data, adjust software and processes in real time, and allow vendors to connect remotely to monitor performance or deliver updates. As these interactions multiply, the number of identity-driven points grows just as quickly.

This nonstop connectivity between operational technology (OT) and information technology (IT) has become integral to output, quality, and safety.

The benefits are clear. Unfortunately, so are the vulnerabilities.

In an earlier post, I discussed how identity influences the speed at which manufacturing organizations respond to disruptions. If access, ownership, and authority are unclear, even slight hesitations in decision-making can bring production to a halt, or worse, make it unsafe. Yet many manufacturers still don’t treat identity governance as operational infrastructure.

In this post, I examine this mismatch: why identity governance breaks down under pressure and what must change for identity to support continuous, confident operations.

Where identity complexity grows in smart‑factory environments

Machine identities, automation systems, service accounts, and third-party integrations now dominate daily operations. In addition, automation and AI have introduced new velocity: systems can initiate actions, modify processes, and interact with multiple platforms without human intervention. What can go wrong?

Without manual override capabilities and decision checkpoints—a lot.

Humans need to be able to monitor and intervene when automation behaves unexpectedly. Machine and AI identities must be treated as privileged operational actors with defined ownership and limited access. Unfortunately, governance models can’t keep pace with the speed, scale, and autonomy of these identities.

What makes this gap even more urgent is that identity volume and autonomy aren’t slowing down. Machine identities outnumber humans by 82:1, and they increasingly make decisions at machine speed, whether governance is ready or not. This accelerating imbalance exposes the limits of traditional, human-paced governance models, which were never designed for autonomous decision cycles.

So why don’t organizations see this perfect storm coming?

Why compliance frameworks miss operational decision needs

Manufacturing organizations increasingly rely on established regulatory and assurance frameworks to assess identity and operational risk. These include:

While these frameworks shape expectations around control, accountability, and reporting, they aren’t designed to test decision readiness during live production incidents. Controls may exist on paper, but in urgent conditions, teams often struggle to translate compliance into confident action.

I’ve seen this play out during an otherwise contained production incident, when teams weren’t sure whether disconnecting a vendor session would halt a live process. We had controls in place, and the access was logged, but no one had clear authority to act. So the line stayed idle for an hour while the decision was debated.

In my experience, identity is rarely the explicit focus of an audit. Audits confirm that identity controls exist and were followed, but they don’t reveal whether those controls can support fast, confident decisions when production is under threat. Identity weaknesses like these remain invisible until pressure exposes them.

Synchronizing identity governance across operations and IT

Most identity governance models are designed for steady-state access management, not for fast, high-stakes decisions. This is partly because authority is fragmented: IT teams manage access systems, security teams define policies, OT owns production outcomes, and vendors control embedded access mechanisms. Each group governs its portion responsibly, but no single function owns identity decisions.

When a production incident occurs, teams must coordinate identity decisions across organizational lines that were never designed for speed. Even in well-instrumented environments, the old governance model collapses in crisis mode because decision authority was never clearly defined.

To resolve this, organizations need identity governance designed around the actual flow of operational work, not departmental boundaries.

That doesn’t mean we need to centralize control away from operations or force IT processes onto the shop floor.

Instead, we must align identity authority with how manufacturing actually runs, so we can make informed, deliberate decisions (and act on them immediately) rather than improvising.

Manufacturers that succeed typically follow a familiar pattern:

  1. Establish visibility across human and machine identities
  2. Prioritize the most critical production assets
  3. Align decision makers from security, IT, and operations
  4. Standardize controls where possible and make deliberate, informed choices about acceptable risk where standardization isn’t feasible

This approach mirrors how manufacturers manage physical risk today: Discovery first, prioritization next, and continuous improvement over time. Identity governance works when it reflects production reality rather than fighting it. In the same way, identity decisions become safer and faster when teams follow a consistent, well-understood operational rhythm.

Preparing identity decisions before disruption hits

Manufacturers already understand the two rules of resilience: keep producing and recover quickly. Identity plays a quieter role in that process, but it’s often the deciding one. Compliance frameworks provide structure, but identity governance gives confidence.

Ultimately, resilience depends less on technology and more on the clarity of decision authority.

More tools won’t resolve a crisis as quickly as clear authority will.

When production is under pressure, who has the authority to decide—and do they have the information to act immediately?

Put simply, organizations that design identity governance around defining clear authority before a disruption occurs will recover faster.

Fabrice Delouche is the director of EMEA Broad Manufacturing at CyberArk, a Palo Alto Networks company.
