Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a compromised NHI exposes data?

Accountability sits with the team that created, approved and operates the identity, not with the platform alone. NHI incidents often happen because ownership is diffuse across development, infrastructure and security. Governance frameworks should make ownership explicit, tie entitlements to business purpose and require revocation when that purpose ends.

Why This Matters for Security Teams

When a compromised NHI exposes data, the immediate technical failure is usually obvious, but the accountability failure is what turns an incident into a repeat breach. Service accounts, API keys and workload tokens are often created in one team, approved by another and operated by a third, which makes post-incident blame easy and prevention hard. NHI governance needs a named owner, a business purpose, a revocation path and a review cadence, or the identity becomes everyone’s problem and no one’s responsibility. NHIMG’s Ultimate Guide to NHIs shows why this matters at scale: 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That figure is not just a breach statistic, it is a warning that weak ownership and weak lifecycle control are now direct exposure drivers. The same pattern appears in 52 NHI Breaches Analysis, where operational gaps recur across discovery, rotation and offboarding. In practice, many security teams encounter the ownership gap only after a leaked token has already been used to access production data.

How It Works in Practice

Accountability should be assigned to the function that can actually prevent recurrence, not just the platform team that hosts the workload. In practical terms, that means the application owner, service owner or product team remains accountable for the NHI’s business use, while security and infrastructure provide control enforcement, evidence and guardrails. Current guidance suggests treating NHI ownership like an operating model, not a ticket queue: define the identity’s purpose, map it to an owning team, tie it to an approved workload, and require explicit sign-off before the identity can be used in production.

Effective controls usually include:

  • Named ownership for each NHI, with one accountable team and one backup approver.
  • Purpose-bound entitlements, so access exists only for the workload that justified it.
  • JIT issuance of secrets and tokens, so long-lived credentials are replaced with short-lived credentials where possible.
  • Automatic revocation when the workload ends, the purpose changes, or the owner leaves.
  • Evidence collection through CI/CD, vault, PAM and IAM logs so accountability is auditable.

This approach aligns with the direction of least privilege and Zero Trust thinking in Ultimate Guide to NHIs — Why NHI Security Matters Now, and it is consistent with the supply-side realities described in Anthropic — first AI-orchestrated cyber espionage campaign report, where autonomous systems can chain tools and make security boundaries matter differently. For operational teams, the key is not simply rotating secrets faster, but ensuring the team that benefits from the identity is also the team that must answer for its misuse. These controls tend to break down in legacy shared-service environments because multiple applications consume the same credential and no single team can prove exclusive control.

Common Variations and Edge Cases

Tighter ownership controls often increase operational overhead, requiring organisations to balance speed of delivery against the cost of review, revocation and exception handling. In shared platforms, the accountable party may be the product team for the workload, while the platform team is accountable for control enforcement and the security team is accountable for policy design. That split is acceptable only if it is documented; otherwise incident response becomes a chain of handoffs. Best practice is evolving for ephemeral workloads, agentic systems and vendor-managed identities, so there is no universal standard for this yet. For autonomous agents, accountability also extends to the workflow that granted the agent tool access, because the agent’s behaviour can be goal-driven and unpredictable. That is why frameworks such as Top 10 NHI Issues and the The 52 NHI breaches Report are useful for spotting where ownership, rotation and offboarding fail together. The same lesson applies when secrets are embedded in CI/CD pipelines, because the developer who commits the secret may not be the person who can revoke it. In those cases, accountability should be mapped to the team that can change the identity lifecycle, not the team that merely consumes it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Defines ownership and lifecycle control for non-human identities.
NIST CSF 2.0 PR.AA-01 Identity and access governance supports accountable access decisions.
NIST Zero Trust (SP 800-207) Zero Trust requires explicit, continuous authorization for workload identities.

Treat every NHI request as context-based and revoke access when trust conditions change.

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.