Tenet for Manufacturing

Lifecycle orchestration and shadow-AI audit for manufacturing.

Offboarding across corporate + plant + contractor stacks for 500–5,000 employee manufacturers, especially where OT/IT convergence and shop-floor AI tools meet.

Why this matters for Manufacturing

How does Tenet bridge corporate IAM and plant OT access during offboarding?

Manufacturers run two stacks — corporate (HRIS, IAM, Microsoft 365) and plant / OT (MES, SCADA, QMS, CMMS) — with inconsistent offboarding across them. Contractors, temps, and seasonal workers cycle in and out with access to both sides. Shop-floor AI tools (predictive maintenance, quality inspection, scheduling optimization) are deployed without a formal governance layer.

SaaS per employee: 15–30 corporate apps + 5–10 plant apps per role

Key regulatory pressure: NIST SP 800-171 for defense contractors, CMMC 2.0 access control controls, IEC 62443 for OT security, ITAR / EAR export control for sensitive-technology access, and SOC 2 Type II for customers selling into it.

Shadow-AI angle: Predictive maintenance and quality-vision AI tools deployed at plant level often ingest production data into third-party models. When a plant IT lead leaves, the AI tool they commissioned can lose its governance owner — Tenet captures the tool in the offboarding trail.

Executive summary

What does CMMC 2.0 expect from the former-contractor access trail?

Manufacturing at 500-5,000 employees is the only industry where a lifecycle tool must bridge two fundamentally different access architectures: the corporate IT stack (HRIS, IAM, Microsoft 365, CRM, ERP) and the plant / OT stack (MES, SCADA, QMS, CMMS, historian databases), plus a third layer of contractor, temp, and seasonal workforce access that may touch either or both. The 2026 regulatory pressures converge here: CMMC 2.0 Level 2 (effective across the defense supply chain), NIST SP 800-171 (federal contractor baseline), IEC 62443 (OT security), ITAR / EAR (export control), SOC 2 Type II (customer procurement expectation), and the emerging state AI laws on high-risk AI systems used in manufacturing quality and predictive maintenance.

Tenet is built for this bridged reality. The corporate stack integrates via the standard HRIS + IAM + SaaS connector surface. The plant / OT stack integrates via purpose-built connectors for common MES / CMMS platforms (Rockwell FactoryTalk, Siemens Opcenter, PTC ThingWorx, Plex, Wonderware) and via the IAM federation layer where plant systems federate to corporate AD / Entra. Contractor lifecycle gets per-contract scope enforcement. Shop-floor AI tools (predictive maintenance, quality vision, scheduling optimization) enter the shadow-AI registry with data-flow and vendor-governance metadata. The CMMC 2.0 Level 2 AC family, the NIST 800-171 3.1.x control family, and the IEC 62443-specific access-management requirements are all produced as native evidence exports.

Representative stack

How does Tenet handle the churn of temps and contract workers across plants?

Tenet plugs into the stack most manufacturing companies at 500–5,000 employees already run. You don’t switch HRIS. You don’t switch IAM. Tenet becomes the orchestration layer between them and the long tail of SaaS and AI tools where the audit evidence used to disappear.

  • Workday / SAP SuccessFactors (HRIS)
  • Microsoft Entra / Okta (IAM)
  • SAP S/4HANA
  • Salesforce Manufacturing Cloud
  • Plant MES / QMS / CMMS
  • Microsoft 365 + Teams

Use cases

How does Tenet enforce ITAR / EAR export-controlled access for non-US persons?

Plant IT lead offboarding with OT system revocation

When a plant IT lead departs a 1,200-employee manufacturer, the revocation surface typically includes: Microsoft Entra or Okta corporate IAM, plant AD, MES (FactoryTalk, Opcenter, Plex), CMMS (Maximo, Fiix), SCADA / historian systems, Microsoft 365, Salesforce Manufacturing Cloud, and any shop-floor AI tools (quality vision, predictive maintenance). Tenet orchestrates across both corporate and plant environments, logs OT-specific access events in an IEC 62443-compatible format, and produces a per-subject revocation certificate that covers both IT and OT. The evidence is acceptable for the CMMC 2.0 AC family, NIST 800-171 3.1.x, and customer SOC 2 flowdowns.

Contractor and temp lifecycle with per-contract scope

Manufacturing contractors — maintenance techs, process engineers, contract QC inspectors, seasonal production workers — cycle through plants with different per-contract access scopes. Tenet's per-contract lifecycle grants access at contract start, enforces scope, and revokes at contract end with the audit trail covering the full contract window. The persistent-ghost-contractor pattern common in seasonal manufacturing becomes manageable; CMMC 2.0 and customer procurement flowdowns cite contractor revocation as a high-weight control.

Shop-floor AI tool inventory (predictive maintenance, quality vision)

Shop-floor AI tools — predictive maintenance (Uptake, Augury, Senseye), quality vision (Landing AI, Matroid, Cognex VisionPro AI), scheduling optimization (ThroughPut.AI, Rootstock) — are deployed at plant level, often by plant IT leads with local authority. Tenet's shadow-AI registry captures each tool with data-flow metadata (production data ingested, model-owner, retention policy). The inventory supports CMMC 2.0 SI-specific control evidence, state AI law impact assessments (where the manufacturer operates in Colorado or a state with pending AI legislation), and customer SOC 2 diligence.

ITAR / EAR export-controlled access governance

Defense manufacturers holding ITAR-controlled technical data or EAR-controlled dual-use technology must enforce access controls based on US-person status and export authorization. Tenet's policy engine enforces ITAR / EAR boundaries at the identity level, with revocation on US-person-status change or employment termination. The DCSA-acceptable audit trail covers which controlled data each person accessed, when, and by what authorization.

CMMC 2.0 Level 2 Access Control (AC) family evidence

CMMC 2.0 Level 2 includes 110 controls across 14 domains, with the Access Control (AC) family being the most evidence-intensive. AC.L2-3.1.1 (authorize access), AC.L2-3.1.3 (control information flow), AC.L2-3.1.5 (employ least privilege), and AC.L2-3.1.6 (use non-privileged accounts) each require demonstrable per-subject evidence. Tenet's continuous event log produces the AC family evidence natively. For defense contractors in a CMMC 2.0 Level 2 certification cycle, this is often the decisive lifecycle-tool capability.

SOC 2 Type II customer flowdown for industrial IoT and OEM software

Many mid-market manufacturers sell industrial IoT software or OEM services into customers who require SOC 2 Type II audit. The CC6.2 (logical access revocation) and CC6.3 (credential lifecycle) controls have customer flowdown expectations. Tenet's event-driven audit covers the CC6.x controls for the combined corporate + plant + contractor workforce, producing a SOC 2 evidence export that satisfies customer diligence.

Implementation playbook

How does Tenet integrate with plant MES platforms like Rockwell FactoryTalk and Siemens Opcenter?

Most manufacturing deployments complete the 4-phase playbook in 28 days. Accelerated deployments (14-21 days) are available for teams with pre-approved service accounts and existing Okta / HRIS investments.

  1. Phase 1 · Week 1

    Connect

    Activities

    Service accounts for Workday or SAP SuccessFactors HRIS, Microsoft Entra or Okta corporate IAM, plant AD instances, MES (FactoryTalk, Opcenter, Plex), CMMS (Maximo, Fiix), Salesforce Manufacturing Cloud, Microsoft 365. CISO + Plant IT Directors + Compliance approve per-integration scopes. CMMC 2.0 covered entities enable the AC family evidence pipeline.

    Artifacts produced

    Integration scope matrix · CMMC 2.0 AC readiness baseline · IT/OT integration map

  2. Phase 2 · Week 2

    Baseline

    Activities

    Baseline audit: corporate orphan accounts, plant orphan accounts, contractor ghost access, shadow-AI on shop floor. Reconciliation across IT and OT. Orphan cleanup in dry-run with Plant IT Director + Compliance approval, then committed. ITAR / EAR boundary violations flagged and corrected.

    Artifacts produced

    Baseline IT + OT audit · ITAR/EAR boundary report · Orphan cleanup receipt · Shadow-AI plant inventory

  3. Phase 3 · Week 3

    Activate

    Activities

    Termination automation live across corporate, plant, and contractor populations. Role change automation live. Scheduled access reviews prepared for next CMMC assessment cycle or customer SOC 2 audit. Shop-floor AI tool monitoring continuous.

    Artifacts produced

    Live termination automation · Contractor lifecycle receipt · Scheduled review preview

  4. Phase 4 · Week 4

    Audit-ready

    Activities

    First CMMC 2.0 Level 2 AC family evidence packet. First NIST 800-171 3.1.x evidence export. First customer SOC 2 CC6.x flowdown export. First ITAR / EAR DCSA-ready audit extract. Compliance Officer presents audit readiness to CISO, Chief Operating Officer, and CEO.

    Artifacts produced

    CMMC 2.0 AC evidence packet · NIST 800-171 3.1.x export · SOC 2 CC6.x export · DCSA audit extract

Regulatory deep dive

What does SOC 2 CC6.x customer flowdown look like for industrial IoT manufacturers?

Manufacturing at 500-5,000 employees operates under a bifurcated regulatory stack that few mid-market lifecycle tools address cleanly. The federal tier includes CMMC 2.0 (Cybersecurity Maturity Model Certification), NIST SP 800-171 (Protecting Controlled Unclassified Information), ITAR (International Traffic in Arms Regulations, 22 CFR 120-130), EAR (Export Administration Regulations, 15 CFR 730-774), and the emerging cluster of state AI laws applicable to high-risk manufacturing AI.

CMMC 2.0 Level 2 (effective across the defense industrial base through a 2026-2027 phased rollout) requires certification to 110 NIST 800-171 controls across 14 domains. The Access Control (AC) family is the most evidence-intensive with 22 specific controls; the Audit and Accountability (AU) family adds 9 more. Tenet's continuous per-subject event log produces the required evidence for AC.L2-3.1.1 through AC.L2-3.1.22 and AU.L2-3.3.1 through AU.L2-3.3.9. Defense contractors subject to the DFARS 252.204-7012 clause in DoD contracts must comply with NIST 800-171 at minimum, and CMMC 2.0 Level 2 certification is increasingly flowed down through subcontractor contracts.

ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) require access-control enforcement based on US-person status and, for ITAR, specific authorization. Release of controlled technical data to non-US persons without authorization is a civil and criminal matter. Tenet's policy engine enforces the ITAR / EAR access boundary at the identity level with a DCSA-audit-acceptable trail.

IEC 62443 (Industrial Automation and Control Systems Security, ISA/IEC series) is the dominant OT security standard, with sections 2-1 (IACS security program requirements) and 3-2 (security risk assessment for system design) most relevant to access management. Tenet's plant / OT integration surface produces IEC 62443-2-1 SR.1.1 (human user identification and authentication) evidence and SR.1.2 (software process and device identification) evidence per-subject.

For customer procurement, SOC 2 Type II is the dominant expectation — particularly for manufacturers selling industrial IoT software, connected products, or OEM software. The CC6.x logical access controls are evidence-intensive and Tenet's output flows directly to auditor evidence rooms (Drata, Vanta, Secureframe, Tugboat Logic).

On the AI side, Colorado SB 24-205 (effective 2026) and the NAIC Model Bulletin on AI, together with the pending California AB 2930, introduce impact-assessment requirements for high-risk AI systems. Manufacturing AI used in workforce decisions, customer-harm determinations, or regulated-product-quality decisions is likely to be classified high-risk. Tenet's shadow-AI registry plus Article 26 operator record schema supports the impact-assessment evidence.

Pricing context

What pricing looks like for manufacturing at buyer scale

At 2,000 employees in manufacturing (spanning corporate HQ + multiple plants), Tenet pricing typically lands at $60,000-90,000 annually for the bridged corporate + plant + contractor stack. Competing enterprise IGA + GRC + OT-security combinations typically run $400,000-800,000 annually at the same scale given the IT + OT footprint. The CISO and Plant IT Directors co-fund in most mid-market manufacturers, often with Operations budget participation given the contractor lifecycle value. CMMC 2.0 certification ROI typically justifies year-one spend alone for defense contractors.

Frequently asked — Manufacturing

What manufacturing buyers ask before signing

Does Tenet support ITAR-controlled access revocation for defense contractors?
Yes — Tenet's per-event audit trail records ITAR / EAR controlled-access grants and revocations with the specificity required for DCSA audits, and the platform supports FedRAMP Moderate-compatible deployment for contractors whose customers require it. Tenet does not itself handle classified systems; it handles the SaaS and identity layer around them and produces the revocation evidence the CMMC 2.0 AC-2 and AC-6 controls expect.
How does Tenet integrate with plant MES platforms?
Tenet integrates with Rockwell FactoryTalk, Siemens Opcenter, PTC ThingWorx, Plex, Wonderware, and other common MES platforms via the IAM federation layer (where plant systems federate to corporate Entra or AD) and via direct API where the MES platform provides a user-provisioning API. The MES-specific role schema maps to Tenet's role model so revocation evidence at MES role granularity is produced natively.
Does Tenet handle contractor offboarding across plants in different geographies?
Yes. Contractor lifecycle is per-contract-scope aware — access grants at contract start, per-plant scope enforcement, per-geography licensing / export-control enforcement where applicable, and revocation at contract end. The trail supports CMMC 2.0, customer SOC 2 flowdowns, and ITAR / EAR audit readiness.
Can Tenet produce CMMC 2.0 Level 2 AC family evidence?
Yes. Tenet's continuous per-subject event log produces evidence for AC.L2-3.1.1 through AC.L2-3.1.22 (the full AC family) plus AU.L2-3.3.1 through AU.L2-3.3.9 (audit and accountability) natively. Defense contractors in CMMC 2.0 certification cycles use the Tenet export as primary or supporting evidence depending on assessment-organization preference.
How does Tenet handle shop-floor AI tools like predictive maintenance and quality vision?
Tenet's shadow-AI registry captures shop-floor AI tools (Uptake, Augury, Senseye for predictive maintenance; Landing AI, Matroid, Cognex VisionPro AI for quality vision; ThroughPut.AI, Rootstock for scheduling). The registry records data flow, model owner, retention policy, and vendor-governance posture. This supports state AI law impact assessments and customer SOC 2 diligence.
Is Tenet's audit acceptable for customer SOC 2 flowdown on industrial IoT products?
Yes. Tenet's event-driven audit covers CC6.2 (logical access revocation) and CC6.3 (credential lifecycle) for the combined corporate + plant + contractor workforce. The SOC 2 evidence export flows directly to Drata, Vanta, Secureframe, or Tugboat Logic, supporting the customer auditor's diligence for your SOC 2 Type II report.
How is Tenet different from Stitchflow?
Tenet is built for the 500-5,000 employee mid-market with shadow-AI discovery and state-privacy audit trails as first-class capabilities, priced for dept-head purchase ($500-2,000/mo entry), while Stitchflow is moving upmarket with an IT-first UX and enterprise pricing. Both orchestrate SaaS lifecycle across HRIS and IAM, but Tenet's spine is the audit line — every provision, revocation, and shadow-AI tool detection produces a record a state-privacy regulator can read, and VP People + CISO share one view instead of Stitchflow's IT-centric console.
What is the smallest company that actually needs Tenet?
Roughly 100 employees with more than 20 SaaS apps per person, or any company where an employee departure triggers a manual checklist across more than 5 systems. Below that threshold, spreadsheets still scale. Above it, the probability of a 90-day-old ghost account rises sharply, and that single ghost account is the fact pattern every state-privacy and EU AI Act audit begins with.
Does Tenet work with my HRIS — Rippling, BambooHR, Workday, or Gusto?
Yes, Tenet reads lifecycle events from Rippling, BambooHR, Workday, and Gusto at launch, with ADP, Deel, Justworks, and UKG on the 2026 roadmap. Tenet is designed as the unbundled orchestration layer that sits above your HRIS — you do not switch HRIS to adopt Tenet, and Tenet never tries to replace payroll, benefits, or time tracking. HRIS stays your system of record for people; Tenet becomes your system of record for what those people can access.
How does Tenet's shadow-AI audit trail satisfy EU AI Act and state privacy law requirements?
Tenet records every shadow-AI tool discovered in employee workflows, every provisioning and revocation event, and every policy decision as an immutable audit entry in a format that exports to the evidence templates expected under EU AI Act (effective August 2026), ISO 42001, NIST AI RMF, and state privacy laws including CCPA-CT and CPRA. The audit format is citizen-request-ready — when a former employee exercises access or deletion rights, Tenet produces the per-subject trail in minutes instead of the week most orgs currently budget. Regulated customers can also export to their existing GRC tooling (Vanta, Drata, Secureframe) via webhook.
