How should organisations reduce the risk of borrowed identities in high-value environments?

Organisations should require stronger proofing for contractors, job candidates, and vendors, especially where access can affect finance, wallets, or approvals. Borrowed identities succeed when the organisation trusts the relationship more than the person. Liveness checks, callback validation, and role-based access separation reduce that exposure.

Why This Matters for Security Teams

Borrowed identities are a trust failure, not just an access-control problem. In high-value environments, attackers and insiders alike exploit relationships that look legitimate on paper: a contractor who should not have finance access, a vendor who can influence approvals, or a candidate whose identity was never strongly verified. Once that trust is accepted, the misuse often blends into normal business activity and bypasses standard review. Current guidance suggests pairing stronger proofing with separation of duties and evidence-based validation, rather than assuming that relationship status equals trust. The NIST Cybersecurity Framework 2.0 reinforces that identity risk must be managed as a governance issue, not only a technical one. NHIMG research on Why NHI Security Matters Now shows how quickly identity trust gaps become operational exposure, especially where privileged workflows are involved. In practice, many security teams discover borrowed identity abuse only after a payment, wallet transfer, or approval path has already been misused.

How It Works in Practice

Reducing borrowed identity risk starts before access is granted and continues through the full lifecycle of the relationship. The strongest programs treat contractors, job candidates, and vendors as high-risk identities until they prove otherwise. That means verifying the person, validating the relationship, and constraining the permissions separately.

Practical controls usually include:

  • Stronger identity proofing for any user who can touch finance, treasury, wallet, payroll, or approval systems.
  • Liveness checks or equivalent proof-of-person controls when remote onboarding creates impersonation risk.
  • Callback validation to a known corporate number or registered business channel before final access is approved.
  • Role-based access separation so no single borrowed identity can request, approve, and execute the same transaction.
  • Short-lived access with step-up verification for sensitive actions, rather than broad standing access.

NHIMG’s Top 10 NHI Issues and the Ultimate Guide to NHIs both underline the same operational lesson: identity trust must be continuously revalidated, especially when third parties can influence high-value workflows. Organisations should also tie access to business need, expiration dates, and sponsor accountability so access ends when the project, engagement, or candidate relationship ends. Where approval chains exist, dual control and independent review reduce the chance that a borrowed identity can both trigger and conceal fraud. These controls tend to break down when third-party access is granted through informal exceptions, because the environment then lacks a single owner for proofing, approval, and revocation.

Common Variations and Edge Cases

Tighter proofing often increases onboarding friction, so organisations must balance fraud resistance against hiring speed and vendor experience. That tradeoff is real, but in high-value environments the cost of a false trust decision is usually higher than the cost of a slower start.

Best practice is evolving for borderline cases such as executive assistants, finance partners, and outsourced operations staff who need broad visibility but not broad authority. In these environments, current guidance suggests using context-aware approval flows, just-in-time elevation, and explicit separation between informational access and transactional authority. Borrowed identities also appear in mergers, temporary staffing, and shared service centres, where legacy accounts and informal sponsorship can outlive the actual business need. The failure mode is often not weak password policy but overreliance on organisational familiarity.
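The controls listed under "How It Works in Practice" and the informational-versus-transactional split described in the paragraph above can be expressed as a single, checkable policy. The following is an added example written for this page, not code from NHIMG or the Journal: a small approval-workflow engine that gates every action on sponsorship and expiry, gates value-moving actions on proofing level, transactional scope and a fresh step-up verification, and enforces separation of duties across request, approve and execute with dual control above a threshold. Every identity, scope name, threshold and scenario is constructed; the proofing-level constant only loosely mirrors NIST SP 800-63 IAL numbering.

```python
"""Added example (not NHIMG code): policy engine for borrowed-identity controls.
All identities, thresholds, scope names and scenarios are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

IAL2 = 2                              # assumed: NIST SP 800-63 style proofing level
DUAL_CONTROL_ABOVE = 10_000           # constructed: amounts above this need two approvers
STEP_UP_TTL = timedelta(minutes=15)   # constructed: lifetime of a step-up verification


class PolicyError(Exception):
    """Raised when an action violates a control; the message names the control."""


@dataclass
class Identity:
    name: str
    external: bool                        # contractor, candidate or vendor
    proofing_level: int                   # proofing level established at onboarding
    sponsor: Optional[str]                # accountable internal owner for external identities
    access_expires: datetime              # tied to the engagement end, never open-ended
    scopes: frozenset                     # "read" = informational, "transact" = can move value
    last_step_up: Optional[datetime] = None


@dataclass
class Transaction:
    amount: int
    requested_by: Optional[str] = None
    approved_by: List[str] = field(default_factory=list)
    executed_by: Optional[str] = None


def check_identity(ident: Identity, now: datetime, transactional: bool) -> None:
    """Every action: expiry and sponsorship. Value-moving actions: scope, proofing, step-up."""
    if now >= ident.access_expires:
        raise PolicyError(f"{ident.name}: access expired")
    if ident.external and ident.sponsor is None:
        raise PolicyError(f"{ident.name}: external identity without an accountable sponsor")
    if transactional:
        if "transact" not in ident.scopes:
            raise PolicyError(f"{ident.name}: informational access only, no transactional authority")
        if ident.proofing_level < IAL2:
            raise PolicyError(f"{ident.name}: proofing below IAL2 for a value-moving role")
        if ident.last_step_up is None or now - ident.last_step_up > STEP_UP_TTL:
            raise PolicyError(f"{ident.name}: step-up verification missing or stale")


def approvals_required(tx: Transaction) -> int:
    return 2 if tx.amount > DUAL_CONTROL_ABOVE else 1


def request(tx: Transaction, ident: Identity, now: datetime) -> None:
    check_identity(ident, now, transactional=False)   # requesting moves no value
    tx.requested_by = ident.name


def approve(tx: Transaction, ident: Identity, now: datetime) -> None:
    check_identity(ident, now, transactional=True)
    if tx.requested_by is None:
        raise PolicyError("nothing to approve")
    if ident.name == tx.requested_by or ident.name in tx.approved_by:
        raise PolicyError(f"{ident.name}: separation of duties, cannot approve own request or approve twice")
    tx.approved_by.append(ident.name)


def execute(tx: Transaction, ident: Identity, now: datetime) -> None:
    check_identity(ident, now, transactional=True)
    if len(tx.approved_by) < approvals_required(tx):
        raise PolicyError(f"needs {approvals_required(tx)} approval(s), has {len(tx.approved_by)}")
    if ident.name == tx.requested_by or ident.name in tx.approved_by:
        raise PolicyError(f"{ident.name}: separation of duties, requester or approver cannot execute")
    tx.executed_by = ident.name


def run_scenarios(now: Optional[datetime] = None) -> dict:
    """Constructed scenarios; returns label -> outcome so results can be checked."""
    now = now or datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    fresh, later = now - timedelta(minutes=5), now + timedelta(days=30)
    both = frozenset({"read", "transact"})
    alice = Identity("alice", False, IAL2, None, later, both, fresh)
    bob = Identity("bob", False, IAL2, None, later, both, now - timedelta(hours=2))  # stale step-up
    carol = Identity("carol", True, IAL2, "alice", later, both, fresh)               # sponsored contractor
    erin = Identity("erin", True, 1, "bob", later, frozenset({"read"}))              # informational only
    dave = Identity("dave", True, 1, None, later, frozenset({"read"}))               # nobody owns this access
    out = {}

    def attempt(label, fn, *args):
        try:
            fn(*args)
            out[label] = "ok"
        except PolicyError as e:
            out[label] = f"denied: {e}"

    low = Transaction(5_000)
    attempt("unsponsored request", request, low, dave, now)
    attempt("request by read-only contractor", request, low, erin, now)
    attempt("approve by read-only contractor", approve, low, erin, now)
    attempt("approve by alice", approve, low, alice, now)
    attempt("execute by approver", execute, low, alice, now)
    attempt("execute with stale step-up", execute, low, bob, now)
    attempt("execute by carol", execute, low, carol, now)
    high = Transaction(50_000)
    attempt("high-value request", request, high, erin, now)
    attempt("high-value first approval", approve, high, alice, now)
    attempt("execute with single approval", execute, high, carol, now)
    attempt("high-value second approval", approve, high, carol, now)
    bob.last_step_up = now - timedelta(minutes=1)   # bob re-verifies, then may execute
    attempt("execute after dual control", execute, high, bob, now)
    late = Transaction(100)
    request(late, erin, now)
    carol.access_expires = now - timedelta(days=1)  # engagement ended, access must end with it
    attempt("approve after engagement ended", approve, late, carol, now)
    return out


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:34} {outcome}")
```

The design choice worth noting is that the same identity can hold both scopes and still be refused: separation of duties is evaluated per transaction, not per role, so a sponsored contractor with full proofing can execute a payment only when neither the request nor an approval was theirs.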

For environments handling payments, digital wallets, or regulated approvals, the practical benchmark is simple: if the identity can materially move value, the proofing standard should be stronger than a normal employee onboarding path. That is especially important when the person is external, the role is temporary, or the approval chain has financial impact. NHIMG’s research on the JetBrains GitHub plugin token exposure is a reminder that identity trust breaks fastest where access is convenient and oversight is weak.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Borrowed identities often begin with weak proofing and overtrust in access requests.
NIST CSF 2.0                     | PR.AC-1             | Access permissions must be tied to verified identity and business need.
NIST SP 800-63                   | IAL2                | Higher-assurance identity proofing reduces impersonation risk for sensitive roles.

Apply stronger identity assurance for contractors, candidates, and vendors touching financial or approval systems.