Establish trusted OT device identity and context (what the device is, where it lives, and how it behaves) before introducing Cisco ISE enforcement and TrustSec segmentation. This reduces operational risk and removes the common fear of disrupting critical OT operations that can keep organizations in monitor-only mode indefinitely.