Governance gaps are quietly emerging as a critical fault line in manufacturing cybersecurity, particularly as firms digitize core systems across supply chain, procurement, and ERP environments. Research from Pathlock shows that modernization efforts are often outpacing access controls, with more than 70% of organizations lacking automation in key processes such as access risk analysis, user reviews, and provisioning. This reliance on manual controls is creating blind spots across hybrid IT and OT environments, leaving sensitive operational systems exposed to misuse and compliance failures.
The consequences are already materializing. Nearly 40% of organizations report security or compliance incidents linked directly to governance gaps introduced during cloud migration, while insider-driven risks are rising as access privileges go unchecked. Delays in revoking user access, often exceeding 24 hours after employee termination, further widen the attack window. In manufacturing environments where downtime can cost millions per hour, weak access governance is no longer just an IT issue but a direct operational and financial risk.
“Every spring, manufacturing organizations scale up fast with additional temporary workers, contractors, and third-party specialists, each needing system access, often within hours,” Chris Radkowski, an SAP GRC expert at Pathlock, wrote in a blog post this week. “At the same time, many of these organizations are mid-way through digital transformation projects that are reshaping how core business functions operate. The timing creates a compounding problem. The people and processes needed to manage access governance and security risks are already stretched, yet the volume and complexity of access requests is at its peak.”
The governance gaps identified in this research are already translating into tangible business impact. One in four manufacturing organizations has experienced compliance violations, while one in five has suffered security incidents. Notably, 46% of reported incidents were suspected or confirmed to be linked to governance, risk, and compliance gaps introduced during digital transformation efforts.
Insider involvement was reported by only 22% of organizations, suggesting that these incidents are driven less by malicious intent and more by systemic weaknesses in governance and control frameworks.
Organizations face significant security risks from their business applications, with 55% reporting at least one incident in the past 12 months. The most common incidents were compliance violations (25%), security vulnerabilities exploited by external attackers (20%), and data breaches caused by misconfigured access (18%). Loss of visibility into user access and material weaknesses were each reported by 14% of respondents, while insider fraud by employees affected 12% and third-party breaches impacted 10%.
When it comes to GRC gaps created during digital transformation, 46% of organizations reported that incidents were either confirmed (22%) or suspected but unconfirmed (24%) to have originated from such gaps. A further 29% said no such link existed, while 25% found the question not applicable. Separately, 22% of organizations experienced a confirmed or suspected insider-related incident during or shortly after a cloud migration project, with 12% confirmed and 10% suspected, while 16% were unsure and 62% reported no such incident.
GRC controls are frequently updated too late or not at all in relation to cloud migrations. Only 9% of organizations updated their controls before migration, while 24% did so during the migration phase. Another 14% updated within three months post-migration, 12% beyond three months, and 14% reported that no update took place at all. A further 22% were not sure when controls were last updated.
Segregation of Duties (SoD) risk simulations prior to deploying new roles in production remain inconsistent. Only 31% conducted comprehensive simulations, while 39% performed only partial checks for critical roles. A notable 22% conducted no simulations at all, and 8% were unsure.
“Unfortunately, our research shows that governance controls frequently lag behind business change,” Radkowski noted. “Only 9% of manufacturing organizations updated their GRC controls before migration, while roughly half did so during the project phase or after go-live. Alarmingly, 14% did not update GRC controls at all.”
Additionally, he pointed out that 61% of organizations did not conduct comprehensive SoD risk simulations before deploying new roles. This is especially problematic in manufacturing, where role complexity spans plants, shared services, procurement, maintenance, and production planning. When SoD simulations are performed only partially or skipped, excessive access enters production quietly and often goes undetected for a long time.
Privileged access governance during migrations is particularly challenging for third-party consultants and implementation partners, flagged as the hardest group to govern by 57% of respondents. Internal IT admins followed at 47%, application owners at 31%, and system integrators or managed service providers, developers, and business users with temporarily elevated access were each cited by 29%. Elevated access during migration projects is managed through time-bound, automated and monitored access by 45% of organizations, while 39% rely on manual emergency access processes with approval steps. However, 12% grant elevated access without centrally tracking or monitoring usage, and 2% have no defined emergency access management process at all.
De-provisioning access for terminated users is also slow for many organizations. Only 18% complete the process in less than an hour, while 14% take one to two hours and 18% take between two and 24 hours. A combined 28% of organizations take anywhere from more than 24 hours up to two weeks or more, with 6% taking two weeks or longer.
Automation levels across access governance processes remain low overall. For user account provisioning, modifying, and de-provisioning, 5% have no processes in place, 30% are just getting started with manual processes, 39% have some automation and rules in place, and 26% are mostly automated. For access risk identification and remediation, 7% lack processes entirely, 36% are at the manual stage, another 36% have some automation, and 21% are mostly automated. User access reviews show the widest automation gap: while 53% have some automation and rules in place, only 10% are mostly automated with defined controls, 28% are just getting started, and 9% have no process in place.
The Pathlock research findings show that access governance failures in the manufacturing sector represent a systemic vulnerability that organizations can no longer afford to overlook. While building a comprehensive access governance program is a multi-stage effort tailored to each organization, several priorities stand out.
Automated provisioning and de-provisioning must be treated as a non-negotiable control. In environments defined by operational complexity, heavy reliance on third parties, and seasonal workforce fluctuations, manual or partially automated processes are not sustainable. Access should be revoked within hours, not days, when roles change or projects end.
Privileged access for third parties and administrators also needs to be standardized and automated. These roles carry the highest risk, and elevated access should be time-bound, centrally monitored, and tightly controlled through automated mechanisms.
Access governance must also be embedded into digital transformation initiatives from the outset rather than addressed after deployment. This includes running segregation of duties simulations before systems go live, automating user access reviews across facilities and platforms, and aligning governance checkpoints with transformation timelines to prevent gaps that can escalate during periods of peak operational demand.
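The SoD risk simulation that the report finds most organizations skip or only partially run (the 61% figure above) and that the closing recommendation calls for before go-live can be made concrete. The following is an added illustration, not Pathlock's tooling or any SAP GRC product code: it takes constructed role definitions, a constructed SoD ruleset of function pairs one person must never hold together, and current user assignments, then simulates deploying a proposed role and reports only the conflicts that deployment would newly introduce, per user, so reviewers see the delta rather than the whole access picture. All role, function and user names are hypothetical.

```python
# Constructed role definitions: role -> functions it grants (hypothetical names).
ROLES = {
    "PROC_REQUESTER": {"CREATE_PO"},
    "PROC_APPROVER": {"APPROVE_PO"},
    "AP_CLERK": {"POST_VENDOR_PAYMENT"},
    "VENDOR_MASTER": {"CREATE_VENDOR", "CHANGE_VENDOR"},
    "PLANT_MAINT": {"MAINTAIN_BOM", "DISPLAY_STOCK"},
}
# Constructed SoD ruleset: (function_a, function_b, risk) pairs one person must never hold.
SOD_RULES = [
    ("CREATE_PO", "APPROVE_PO", "Self-approved purchase orders"),
    ("CREATE_VENDOR", "POST_VENDOR_PAYMENT", "Fictitious vendor payments"),
    ("MAINTAIN_BOM", "POST_GOODS_ISSUE", "Inventory manipulation"),
]
# Constructed current assignments: user -> roles held today.
ASSIGNMENTS = {"alice": {"PROC_REQUESTER"}, "bob": {"AP_CLERK"}, "carol": {"PLANT_MAINT"}}


def effective_functions(user_roles, roles=ROLES):
    """Union of every function granted by the user's roles."""
    return set().union(*(roles.get(r, set()) for r in user_roles))


def sod_conflicts(functions, rules=SOD_RULES):
    """Rules violated when all of `functions` are held by one person."""
    return [(a, b, risk) for a, b, risk in rules if a in functions and b in functions]


def simulate_role_assignment(new_role, new_functions, targets,
                             assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Simulate deploying `new_role` to `targets` before it reaches production.

    Returns {"intra_role": conflicts inside the role itself,
             "per_user": {user: conflicts this deployment would ADD}}."""
    roles = {**roles, new_role: set(new_functions)}
    report = {"intra_role": sod_conflicts(set(new_functions), rules), "per_user": {}}
    for user in targets:
        current = assignments.get(user, set())
        before = sod_conflicts(effective_functions(current, roles), rules)
        after = sod_conflicts(effective_functions(current | {new_role}, roles), rules)
        added = [c for c in after if c not in before]  # exclude pre-existing conflicts
        if added:
            report["per_user"][user] = added
    return report


if __name__ == "__main__":
    # Proposed seasonal buyer role: can approve POs and create vendors. Who would it break?
    result = simulate_role_assignment("SEASONAL_BUYER", {"APPROVE_PO", "CREATE_VENDOR"},
                                      ["alice", "bob", "dave"])
    for user, conflicts in result["per_user"].items():
        for a, b, risk in conflicts:
            print(f"BLOCK {user}: {a} + {b} -> {risk}")
```

A role that is clean on its own can still create conflicts in combination with what a user already holds, which is why the simulation is run per target user rather than only on the role definition.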