Accountability sits with the team that owns the end-to-end data access path, not just the policy author. If the application translates policy incorrectly or retrieves too much data before filtering, the control failed in architecture, implementation, or governance, and ownership must be clear across those layers.
Why This Matters for Security Teams
When authorization is split between the application and the data layer, accountability becomes a design question, not a paperwork question. The risk is not only “who approved the policy,” but who ensured that policy was enforced consistently across query building, filtering, caching, and downstream retrieval. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which makes layered access paths especially hard to govern. The broader pattern is visible in the Ultimate Guide to NHIs — Key Research and Survey Results and the NIST Cybersecurity Framework 2.0, both of which emphasise clear ownership, governance, and enforcement across the full control path.
Practitioners often assume that a correctly written access policy is enough. In reality, the application may over-fetch records, the data layer may trust app-provided context, or an intermediate service may transform requests in ways the policy never anticipated. That creates a split-brain control model where no single team can prove the final access decision was correct. In practice, many security teams discover this only after a data exposure, rather than through intentional control testing.
How It Works in Practice
The accountable team is the one that owns the end-to-end data access path, including policy definition, request translation, enforcement, logging, and review. If the application evaluates role claims but the database still returns broader rows than intended, the control is incomplete. If the data layer enforces row-level security but the application assembles sensitive objects before filtering, the same is true. Current guidance suggests treating this as a shared technical implementation with a single accountable owner, usually the platform, product, or service team that can change both layers.
Operationally, teams should map each decision point and assign responsibility for it:
- Policy authoring: who defines access intent and approved data scopes.
- Application enforcement: who validates user or NHI context before building a query.
- Data-layer enforcement: who guarantees row, column, or object filtering.
- Exception handling: who approves bypasses, break-glass paths, and service-to-service access.
- Evidence: who can show logs, tests, and reviews that prove the control worked.
This is especially important for non-human identities, where service accounts, API keys, and workload identities often outlive the application logic that created them. The NHIMG research on Ultimate Guide to NHIs — Key Research and Survey Results highlights how frequently secrets remain exposed or over-privileged, which makes split authorization paths even harder to secure. A strong model also aligns with NIST Cybersecurity Framework 2.0 by tying protection and governance to measurable outcomes, not just documented intent. These controls tend to break down when legacy applications and databases each enforce partial rules because neither layer can fully see the other’s decision context.
Common Variations and Edge Cases
Tighter split-layer enforcement often increases engineering overhead, requiring organisations to balance stronger assurance against slower delivery and more complex debugging. That tradeoff matters because not every architecture supports the same enforcement model, and guidance is still evolving on where the final decision should live in modern microservice and analytics stacks.
One common variation is defense in depth, where the application checks business intent and the data layer enforces record filtering. That can be sound if both layers are tested together and one team owns the combined outcome. Another edge case is shared services, where a central platform team manages the policy engine but product teams own query construction. In that model, accountability must still be explicit, because a central policy does not excuse a local implementation failure. For NHI-heavy systems, the best practice is to treat workload identity and data authorization as one chain of trust, not separate compliance items.
In environments with replicas, caches, ETL jobs, or analytics warehouses, the problem becomes harder because access can be granted in one layer and silently expanded in another. This is where ownership should be documented in architecture review, code review, and incident response runbooks, rather than left to audit interpretation alone. Where the data path includes third-party tools or async jobs, there is no universal standard for this yet, so teams should require explicit control mapping and evidence generation before production release.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Split authorization often hides excessive NHI privilege and weak ownership. |
| NIST CSF 2.0 | PR.AC-4 | Access control responsibilities must be assigned across application and data layers. |
| NIST AI RMF | AI RMF governance helps assign accountability for layered automated decision paths. |
Define one accountable owner for the full access path and test enforcement at each control point.
Related resources from NHI Mgmt Group
- What is the difference between centralized authorization and application-level access logic?
- What is the difference between application logic and policy-based authorization?
- What is the difference between attack surface management and NHI governance?
- Why is it important to integrate identity and data governance?
