But what was once a convenience has quietly become one of the most significant and least governed risks in critical infrastructure environments.
In 2026, that trade-off no longer holds.
The issue is no longer whether vendors can be trusted — it’s whether organisations can afford to outsource control over access to systems they remain legally and operationally accountable for.
When Access Becomes the Risk
In many operational environments, vendor access has grown organically.
A connection here for a turbine supplier. A VPN there for a building management contractor. Remote credentials created during commissioning that were never revoked. Temporary access that quietly became permanent.
Individually, each connection seems manageable. Collectively, they create a web of access paths that sit outside the asset owner’s direct visibility and control.
This is what makes vendor access so dangerous in OT environments. Not because vendors are malicious — but because unmanaged access compounds risk over time:
- Access credentials exist beyond central identity systems
- Activity occurs outside standard monitoring and logging
- Permissions persist long after operational need has passed
- Incident response depends on third parties, not asset owners
Most high-profile supply-chain and access-based incidents of recent years have followed this same pattern. The breach didn’t come through the front door. It came through a trusted connection no one was actively governing.
Regulation Has Caught Up with Reality
For critical infrastructure operators, this is no longer just a technical discussion.
Regulatory frameworks — including Australia’s SOCI obligations — now place explicit accountability on asset owners for access, monitoring and response. Boards are being asked to demonstrate not just that systems are secure, but that control sits where accountability sits.
“We trusted the vendor” is no longer a defensible position.
If a third party can access your operational systems, regulators expect you to be able to answer three questions with confidence:
- Who accessed the system?
- When did they access it?
- What did they do while they were there?
If those answers depend on a vendor’s logs, a vendor’s processes or a vendor’s goodwill, control has already been ceded.
Self-Custody Is Not About Distrust
This is where the conversation often becomes uncomfortable — and where it’s frequently misunderstood.
Self-custody of access does not mean cutting vendors off. It does not mean slowing operations. And it does not mean assuming bad intent.
It means recognising that access itself is critical infrastructure.
In a self-custody model:
- All remote access is brokered through enterprise-controlled portals
- Identity is centrally managed, authenticated and auditable
- Permissions are time-bound, role-based and revocable
- Activity is logged, monitored and retained by the asset owner
Vendors still get the access they need — just not on their terms.
Control, visibility and authority remain with the organisation that owns the risk.
Secure Access Moves to the Boardroom
As IT and OT environments converge, access can no longer be treated as an operational detail.
Identity-aware access, monitoring and secure connectivity are no longer “IT plumbing.” They are foundational controls that underpin resilience, safety and compliance.
This is why secure access is increasingly being discussed alongside topics like safety systems, redundancy and incident response — not buried in technical subcommittees.
Boards are beginning to ask different questions:
- Who actually controls access to our critical systems?
- How quickly can access be revoked in a crisis?
- What visibility do we have today — not after an incident?
In 2026, these are governance questions, not technology ones.
What Leaders Should Do Now
Organisations don’t need to solve everything at once — but they do need to reframe the problem.
A practical starting point is to treat vendor access as owned infrastructure, not a vendor-managed convenience. That shift alone changes the internal conversation.
From there, leaders should be asking:
- Do we have a complete inventory of who can access our OT environments?
- Is access identity-based, auditable and centrally controlled?
- Can permissions be revoked immediately — without vendor involvement?
The answers will quickly reveal where risk has accumulated quietly over time.
Taking Back the Keys
Self-custody of access is not a future-state aspiration. It is becoming the baseline expectation for organisations operating critical infrastructure in regulated environments.
The shift is subtle but significant: from trusting access to governing it.
Those who act early will find that control and operational continuity are not opposing forces — they reinforce each other.
And those who delay may discover that the hardest part isn’t implementing change — it’s explaining why control was never retained in the first place.
If this raises questions about how vendor access is managed in your environment, reach out to one of our experts for a conversation.
