Accountability sits with the identity and access programme that allowed a phishable factor to remain the primary trust mechanism for sensitive access. Security teams, IAM owners, and application owners share responsibility for removing replayable proof, because the failure is architectural, not just user behaviour. Frameworks that demand strong authentication and Zero Trust assumptions make that responsibility explicit.
Why This Matters for Security Teams
When a man-in-the-middle attack succeeds through weak authentication, the issue is not just interception. It is a governance failure that allowed a replayable factor, weak session binding, or over-trusted network position to remain acceptable for sensitive access. That makes accountability shared across IAM, security architecture, application ownership, and the business owner accepting the risk. The underlying lesson matches the broader NHI pattern documented in The 52 NHI breaches Report: identity weakness is usually systemic, not isolated.
Current guidance from CISA cyber threat advisories and Zero Trust practice points toward strong, phishing-resistant authentication, continuous verification, and explicit trust decisions instead of implicit network trust. For NHI environments, the same logic applies to service accounts, API keys, and automation paths that are often left with long-lived credentials and weak proof of possession. In practice, many security teams encounter this failure only after a credential replay or session hijack has already been used to move laterally.
How It Works in Practice
Accountability should be assigned to the control owners who failed to make weak authentication impossible, not only to the person or system that was intercepted. If a phishing-resistant factor was not required, if tokens were not bound to device or workload identity, or if privileged access could be reused without step-up verification, the design accepted MITM as a viable path. That is why practitioner reviews should start with authentication strength, session handling, and trust boundaries before blaming users or operators.
For NHI-heavy systems, the right pattern is to pair strong identity proof with short-lived access and explicit authorization at request time. The Ultimate Guide to NHIs — Why NHI Security Matters Now shows why this matters: NHIs outnumber humans by 25x to 50x in modern enterprises, so weak trust assumptions scale badly. Practical controls usually include:
- Phishing-resistant MFA or mutual authentication for sensitive human access.
- Workload identity for automation, so the system proves what it is before it gets a token.
- JIT credentials and short TTL secrets so captured access expires quickly.
- Session binding, token audience restriction, and replay detection to reduce MITM value.
- Step-up auth for high-risk actions, especially when the request context changes.
That approach aligns with the threat patterns described in the OWASP NHI Top 10 and with the AI identity guidance in Anthropic — first AI-orchestrated cyber espionage campaign report, where stolen access rapidly becomes an execution path. These controls tend to break down when legacy apps still accept reusable bearer tokens over untrusted networks because the protocol itself cannot distinguish a genuine session from a replayed one.
Common Variations and Edge Cases
Tighter authentication often increases user friction and integration overhead, so organisations have to balance assurance against operational speed. There is no universal standard for this yet in every environment, especially where legacy protocols, partner integrations, or kiosk-style access cannot easily support phishing-resistant methods. In those cases, the goal is to reduce blast radius rather than claim perfect prevention.
One common edge case is non-human access that is mistakenly governed like human access. Service accounts, CI/CD bots, and AI agents need workload identity, ephemeral secrets, and context-aware authorization because static RBAC alone cannot express what they are allowed to do at runtime. The Ultimate Guide to NHIs — Key Challenges and Risks notes that 91.6% of secrets remain valid five days after notification, which shows how slowly organisations often respond once trust has already been abused.
Another variation is shared responsibility during incident response. Security may own authentication standards, IAM may own implementation, and application owners may own whether a session can be replayed, but the business still owns the risk acceptance decision. For mature programmes, that accountability should be documented in policy, tested in architecture review, and validated against MITRE ATLAS adversarial AI threat matrix and Zero Trust guidance. When systems still depend on reusable credentials across multiple trust zones, MITRE ATLAS-style attacker chaining becomes more effective because interception can be turned into persistence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Weak auth lets stolen NHI access be replayed through a MITM path. |
| NIST Zero Trust (SP 800-207) | PR.AC-3 | Zero Trust rejects implicit network trust that enables MITM success. |
| NIST AI RMF | Accountability for autonomous behaviour needs explicit governance and oversight. |
Assign named owners for identity risk, test controls, and track residual AI access risk.
