
What breaks when enhanced due diligence is treated as a one-time check?

When EDD is treated as a one-time check, the organisation loses the ability to catch changes in ownership, behaviour, or jurisdictional risk after onboarding. That creates stale risk decisions, weak audit evidence, and a blind spot between initial approval and later transaction activity. EDD only works when review remains connected to ongoing monitoring.

Why This Matters for Security Teams

Enhanced due diligence is supposed to separate acceptable risk from unacceptable risk, but a one-time review cannot keep pace with how counterparty exposure changes after onboarding. Ownership shifts, control relationships change, transactions move into new jurisdictions, and previously hidden dependencies emerge. That is why current guidance from NIST Cybersecurity Framework 2.0 emphasizes continuous governance rather than isolated assessment.

For non-human identity programs, the same pattern appears in the Ultimate Guide to NHIs: initial approval is not the end of risk management, because secrets, service accounts, API keys, and automated access paths remain active long after the original decision. If EDD stops at onboarding, the organisation may keep trusting a profile that no longer reflects reality. In practice, many security teams discover this only after a transaction, compliance review, or incident has already exposed the gap.

How It Works in Practice

EDD should operate as a lifecycle control, not a single checkpoint. The practical model is to tie initial due diligence to ongoing monitoring, periodic reassessment, and event-driven review. That means the organisation re-evaluates ownership, beneficial control, sanctions exposure, transaction patterns, geography, and adverse signals whenever the risk context changes. This is the same operational logic that underpins modern NHI governance: identities, credentials, and permissions must be revalidated as conditions change.

Security and compliance teams usually make this workable by combining policy, workflow, and evidence collection:

  • Set triggers for review when ownership changes, high-risk jurisdictions are introduced, unusual transactions appear, or adverse media flags emerge.
  • Keep a risk record that shows what was assessed, when it was reassessed, and what evidence supported the decision.
  • Link EDD outcomes to access decisions, transaction approvals, and escalation paths so risk findings actually change control behaviour.
  • Use time-bounded approvals where the risk rating expires unless refreshed by new evidence.

This approach aligns with the broader control philosophy in the Ultimate Guide to NHIs, where long-lived assumptions create blind spots and stale privileges. It also fits the NIST view that risk management should be continuous and adaptive, not merely documented once for audit comfort. Implementation is strongest where organisations pair governance review with automated monitoring from case management, sanctions screening, and transaction surveillance tools, then route exceptions to human review.

These controls tend to break down when EDD is embedded only in onboarding portals and not connected to downstream monitoring systems, because the review can no longer react to new evidence.
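The lifecycle model above (event-driven triggers, an evidence record, access tied to the EDD outcome, and time-bounded approvals) as a small Python example. This is added illustration, not code from the page or from any NHI product; the trigger names, tier intervals and the service-account subject are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Events that force an event-driven re-review (assumed names for the
# triggers the guidance lists: ownership, jurisdiction, transactions, media).
REVIEW_TRIGGERS = {"ownership_change", "new_high_risk_jurisdiction",
                   "unusual_transaction", "adverse_media"}

# Risk-tiered review intervals: higher tier, shorter validity (constructed values).
REVIEW_INTERVAL = {"low": timedelta(days=365), "medium": timedelta(days=180),
                   "high": timedelta(days=90)}


@dataclass
class RiskRecord:
    subject: str                      # counterparty or NHI, e.g. a service account
    tier: str                         # "low" | "medium" | "high"
    approved_at: datetime             # last review with supporting evidence
    evidence: list = field(default_factory=list)        # (when, assessed, outcome)
    pending_events: list = field(default_factory=list)  # unreviewed triggers

    def expires_at(self) -> datetime:
        # Time-bounded approval: the rating lapses unless refreshed by new evidence.
        return self.approved_at + REVIEW_INTERVAL[self.tier]

    def record_event(self, event: str, at: datetime) -> None:
        # Only listed triggers queue a review; routine signals are ignored here.
        if event in REVIEW_TRIGGERS:
            self.pending_events.append((at, event))

    def refresh(self, at: datetime, assessed: str, outcome: str) -> None:
        # A new review appends audit evidence, clears triggers and restarts the clock.
        self.evidence.append((at, assessed, outcome))
        self.pending_events.clear()
        self.approved_at = at

    def status(self, now: datetime) -> str:
        """'review_required' beats 'expired' beats 'approved'."""
        if self.pending_events:
            return "review_required"
        if now >= self.expires_at():
            return "expired"
        return "approved"


def access_allowed(record: RiskRecord, now: datetime) -> bool:
    # Link the EDD outcome to the control decision: only a current approval grants access.
    return record.status(now) == "approved"
```

A record left untouched after project approval flips to "expired" on its own, and any trigger flips it to "review_required" regardless of the interval, so stale trust is visible without a human remembering to look.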

Common Variations and Edge Cases

Tighter EDD often increases review time and operational overhead, so organisations have to balance faster onboarding against the cost of missing a later risk shift. That tradeoff becomes especially visible when volume is high or counterparties span multiple jurisdictions.

There is no universal standard for exactly how often EDD must be refreshed. Current guidance suggests using risk-tiered review intervals, with more frequent reassessment for higher-risk relationships and event-driven review whenever material changes occur. In lower-risk cases, annual or periodic review may be acceptable if monitoring is strong; in higher-risk cases, the threshold for escalation should be lower. The key failure mode is treating “approved once” as synonymous with “approved forever.”

For NHI-heavy environments, the same edge case appears when a service account or third-party integration is approved during a project and then left untouched for years. NHIMG’s research shows that only 5.7% of organisations have full visibility into their service accounts, which means stale trust is common and hard to detect. When business relationships, system integrations, or delegated authorities change faster than review cycles, one-time EDD creates a compliance record that looks complete while the actual risk posture drifts out of date.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | GV.OC | EDD needs ongoing governance and context-aware oversight, not a one-time decision. |
| NIST AI RMF | GOVERN | Risk decisions must be traceable and continuously updated as new evidence appears. |
| OWASP Non-Human Identity Top 10 | NHI-07 | Stale identity and secret assumptions create the same drift problem as one-time EDD. |

Continuously validate identity risk, rotation, and offboarding instead of relying on initial approval.