Rapid scaling, seasonal agility, and third-party integration are among the manufacturing sector's main competitive advantages, and they are also its identity security liability. In manufacturing environments, access is provisioned at operational speed, and governance is rarely able to keep up. The sector’s structural rhythms have created a systemic, compounding access problem that neither seasonal hiring nor digital transformation alone can fully explain. Recent research from Pathlock reveals the nature and scope of the risk.
The 24-Hour Problem Nobody Is Solving
According to Pathlock’s research, 48% of manufacturers fail to meet the widely accepted 24-hour access revocation benchmark after role changes or departures. This means that when a user changes roles or leaves an organization, their access and privileges often linger beyond the window that best practices consider secure. Missing this security and governance benchmark for revoking access significantly multiplies risk.
This risk is best mitigated by the automation of access provisioning, which reduces the need for manual review and action to manage access and permissions. Almost three-fourths (74%) of organizations in manufacturing lack fully automated provisioning and de-provisioning, requiring human intervention in access management. The consequence of this is that offboarded contractors and seasonal workers leave behind active credentials that accumulate silently across systems.
Ghost Accounts and the Invisible Attack Surface
The accumulation of active but unused credentials compounds security risk over time, in areas that organizations often fail to watch closely enough to prevent attacks. It enlarges the attack surface and gives bad actors lesser-monitored vectors for infiltrating organizations without detection. Dormant credentials rarely trigger behavioral alerts, making them low-friction targets for credential stuffing, password spraying, and phishing attacks.
These accounts operate under trusted identities, allowing attackers to move through systems without tripping conventional detection logic. The problem of ghost accounts is not an anomaly, but a common and predictable byproduct of manual de-provisioning at scale. Handling these processes manually quickly becomes untenable as organizations and roles continue to grow.
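The 24-hour revocation benchmark and the ghost-account problem described above can be checked by reconciling HR events against an account export. The following is an added example, not code from Pathlock or from this article; every user, system, and timestamp in it is constructed sample data, and the record layout is an assumption.

```python
from datetime import datetime as dt, timedelta

REVOCATION_SLA = timedelta(hours=24)  # the 24-hour benchmark discussed above

# Constructed sample data; every user, system and timestamp is hypothetical.
# HR_EVENTS: user -> (reason, time the departure or role change took effect)
HR_EVENTS = {
    "c.ortiz":  ("contract_end", dt(2025, 3, 1, 17, 0)),
    "s.temp04": ("seasonal_end", dt(2025, 3, 3, 17, 0)),
    "j.lin":    ("role_change",  dt(2025, 3, 4, 9, 0)),
}
# ACCOUNTS: (user, system, disabled_at or None if still active, last_login)
# For a role change, the row is the old-role access that should have been removed.
ACCOUNTS = [
    ("c.ortiz",  "ERP", None,                  dt(2025, 2, 20, 8, 0)),
    ("c.ortiz",  "VPN", None,                  dt(2025, 3, 6, 2, 14)),
    ("s.temp04", "MES", dt(2025, 3, 4, 10, 0), dt(2025, 3, 3, 15, 30)),
    ("j.lin",    "ERP", dt(2025, 3, 7, 9, 0),  dt(2025, 3, 4, 8, 0)),
    ("m.okafor", "ERP", None,                  dt(2025, 3, 9, 7, 45)),  # current employee
]

def audit_revocation(hr_events, accounts, now):
    """Return accounts that missed the revocation SLA, riskiest first."""
    findings = []
    for user, system, disabled_at, last_login in accounts:
        if user not in hr_events:
            continue  # no departure or role change on record
        reason, event_at = hr_events[user]
        deadline = event_at + REVOCATION_SLA
        closed_at = disabled_at or now  # still active: exposure runs until now
        if closed_at <= deadline:
            continue  # revoked, or still inside the 24-hour window
        findings.append({
            "user": user, "system": system, "reason": reason,
            "status": "LATE" if disabled_at else "GHOST",
            "overdue_hours": int((closed_at - deadline).total_seconds() // 3600),
            # A login after the HR event is the strongest sign of misuse.
            "used_after_event": last_login is not None and last_login > event_at,
        })
    # Accounts used after the event first, then longest overdue.
    findings.sort(key=lambda f: (not f["used_after_event"], -f["overdue_hours"]))
    return findings

if __name__ == "__main__":
    for finding in audit_revocation(HR_EVENTS, ACCOUNTS, now=dt(2025, 3, 10, 12, 0)):
        print(finding)
```

A `GHOST` row with `used_after_event` set is the case conventional detection tends to miss, because the login came from a trusted identity.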
The Users Who Are Hardest to Govern Hold the Most Power
Certain types of users and credentials are even harder to manage than others, and these are often the ones that pose the greatest risk. Groups like third-party consultants and internal IT admins carry the broadest permissions and represent the highest-risk, least-governed user groups, which makes them attractive to attackers. Threat actors who compromise these accounts can carry out a wide range of malicious actions within targeted systems.
Over half (51%) of manufacturing organizations in the Pathlock report have no automated elevated access management, and 14% have minimal or no privileged access governance at all. 57% of these manufacturing organizations struggle the most with third-party consultant access—precisely the user class that expands most aggressively during spring ramp-up.
Digital Transformation Is Making It Worse
The expansion and evolution of digital environments compound the risk beyond what privilege and account accumulation cause alone. Cloud migrations fundamentally redesign roles and permissions, but governance rarely moves at the same pace. Adopting and migrating to new digital platforms requires reviewing and updating security and governance measures to account for new and increasing risks.
A concerning 61% of manufacturers skipped comprehensive segregation-of-duties (SoD) risk simulations before deploying new roles. Less than one in ten (9%) updated governance, risk, and compliance (GRC) controls before migration. These simulations, reviews, and updates are crucial for ensuring security in manufacturing and other organizational environments. Legacy roles copied into new environments silently introduce excessive permissions and SoD conflicts that persist long after going live.
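A pre-deployment SoD simulation of the kind described above can be run against the planned role design before anything goes live. This is an added example, not code from Pathlock or from this article; the rule set, role names, permission strings, and user assignments are all constructed for illustration.

```python
# Constructed SoD rules: pairs of duties that one identity must not hold together.
SOD_RULES = [
    ("vendor.create", "payment.approve"),
    ("po.create", "po.approve"),
    ("inventory.adjust", "inventory.count_approve"),
]
# Constructed role design for the target environment. LEGACY_BUYER stands in
# for a legacy role copied over without review.
ROLES = {
    "AP_CLERK":     {"vendor.create", "invoice.post"},
    "AP_APPROVER":  {"payment.approve"},
    "LEGACY_BUYER": {"po.create", "po.approve", "vendor.display"},
    "WAREHOUSE":    {"inventory.adjust"},
}
# Constructed planned assignments (user -> roles after migration).
ASSIGNMENTS = {
    "a.novak": ["AP_CLERK", "AP_APPROVER"],
    "b.reyes": ["LEGACY_BUYER"],
    "d.kim":   ["WAREHOUSE", "AP_CLERK"],
}

def simulate_sod(roles, assignments, rules):
    """Return (role_conflicts, user_conflicts) for a planned role deployment."""
    # 1. Conflicts built into a single role: fix the role itself.
    role_conflicts = {}
    for name, perms in roles.items():
        hits = [rule for rule in rules if set(rule) <= perms]
        if hits:
            role_conflicts[name] = hits
    # 2. Conflicts from a user's combined roles: fix the assignment.
    user_conflicts = {}
    for user, assigned in assignments.items():
        grants = {}  # permission -> roles that grant it to this user
        for role in assigned:
            for perm in roles[role]:
                grants.setdefault(perm, set()).add(role)
        hits = [{"rule": (a, b), "via": sorted(grants[a] | grants[b])}
                for a, b in rules if a in grants and b in grants]
        if hits:
            user_conflicts[user] = hits
    return role_conflicts, user_conflicts

def deployment_blocked(roles, assignments, rules):
    """Gate for a migration pipeline: True if any SoD conflict would go live."""
    role_conflicts, user_conflicts = simulate_sod(roles, assignments, rules)
    return bool(role_conflicts or user_conflicts)

if __name__ == "__main__":
    print(simulate_sod(ROLES, ASSIGNMENTS, SOD_RULES))
```

The `via` field separates a conflict inherited from one copied role from one created by combining two clean roles, which need different remediation.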
The Real Cost: Incidents, Not Just Audit Findings
The risk presented by these issues is not theoretical, but very real: 1 in 4 manufacturers experienced compliance violations, while 1 in 5 suffered security incidents. Almost half (46%) of these incidents were tied to GRC gaps created during digital transformation, rather than isolated insider behavior. Less than one fourth (22%) involved insider activity.
Experts underscore that the data points to a structural exposure problem, not a people problem. “This once again demonstrates that identity deprovisioning and governance can no longer be treated simply as a GRC task,” according to Vincenzo Iozzo, CEO and Co-founder at SlashID, a Chicago-based Identity Threat Detection and Response (ITDR) provider.
Why Access Reviews Aren't Catching It
A major factor in the perpetuation of the identity and access crisis is the failure of reviews to adequately detect the problem. Access reviews continue to fall short in flagging these risks for mitigation for a number of reasons. Nearly 9 in 10 manufacturers (89%) have not fully automated user access reviews, forcing them to be carried out manually, a method that takes more time and is more prone to error.
In environments spanning multiple plants, ERP modules, OT-adjacent systems, and external vendors, manual reviews become checkbox exercises. These reviews are rushed and ineffective, and they fail to find and fix flaws like lingering access and overpermissioning. Stale accounts and excessive permissions often persist until a breach or audit finding forces the issue.
What a Resilient Access Governance Model Looks Like
It is crucial for organizations to implement robust, resilient access governance to counteract the risks of the ongoing crisis in identity, access, and permissions. Automated provisioning and de-provisioning must be treated as non-negotiable baseline controls, not optimization projects. Privileged access for third parties and admins must be time-bound, centrally monitored, and revoked automatically at project end. SoD simulations and governance milestones must be embedded into digital transformation timelines from day one, not tacked on as an afterthought.
It is important to fundamentally shift the way that privilege is managed, leaning on best practices and evolving standards for reducing the risk of over-privileged identities and lingering access. “Security teams should focus on shrinking standing privilege, ideally taking a just-in-time approach for privilege and access, especially for contractors and integrators,” says James Maude, Field CTO at BeyondTrust, an Atlanta, Georgia-based privilege-centric identity security provider. “When you reduce the amount of privilege in the system, you reduce the impact of inevitable mistakes.”
Identity Is the New Perimeter—Manufacturing Hasn't Caught Up
The confluence of seasonal hiring, third-party reliance, and cloud migration has made identity the most consequential and most neglected security domain in manufacturing. The sector's access governance posture reflects a fundamental mismatch between operational tempo and security architecture, leading to a significant gap in security. The path forward is not more audits but automation—embedded early, sustained continuously, and built to scale with the workforce cycles that continue to define the industry.