
Who is accountable when a high-risk relationship is approved without proper EDD?

Accountability usually sits with the obliged entity, but the practical answer is shared across compliance, operations, and governance owners who approved the risk decision. Regulators expect the organisation to prove that enhanced review was applied when warranted and that the decision was documented, reviewed, and monitored over time.

Why This Matters for Security Teams

High-risk relationship approvals are not just a compliance paperwork issue. They determine whether an organisation has evidence that enhanced due diligence was applied before exposure to money laundering, sanctions, fraud, or supply-chain abuse. When EDD is skipped, the failure usually shows up later as a control gap, not at the point of approval. That makes accountability difficult unless the decision trail is clear.

For security and governance teams, the practical risk is that a weak approval path becomes a repeatable exception process. Once that happens, the issue moves from a single missed review to a systemic control failure. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts in its Ultimate Guide to NHIs, which is a useful reminder that poor visibility often hides poor accountability as well. The same governance logic applies to relationships, counterparties, and delegated access paths.

Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that accountability must be traceable to named owners, documented controls, and continuous oversight. In practice, many teams discover the missing EDD only after an adverse event, rather than through intentional review.

How It Works in Practice

Accountability usually sits with the obliged entity, but operational responsibility is shared across the people who approved the relationship, accepted the risk, and failed to escalate when the file did not meet EDD thresholds. In mature governance models, that means compliance owns the decision standard, operations owns evidence collection, and the approver owns the final risk acceptance. Where this is not explicit, organisations struggle to show who made the call and why.

Good practice is to treat EDD as a gated control, not a best-effort review. The file should show why the relationship was classified as high-risk, what additional checks were required, who completed them, and who signed off on any residual risk. That aligns with the broader control patterns described in NHIMG’s Top 10 NHI Issues and the Ultimate Guide to NHIs, where over-privilege and weak oversight are recurring failure modes.

  • Require a named approver for every high-risk exception, not a team or mailbox.
  • Log the specific EDD triggers that were reviewed, including sanctions, beneficial ownership, source of funds, and adverse media where applicable.
  • Use time-bound approvals so the relationship is revalidated when risk changes.
  • Preserve evidence of challenge, not just final sign-off, so reviewers can see whether the decision was questioned.
  • Escalate unresolved gaps to a higher authority rather than allowing conditional approval to become permanent.

Where digital controls are involved, the same accountability principle should extend to access governance, because privileged relationships can hide behind service accounts, API keys, or delegated integrations. These controls tend to break down when approvals are decentralised across jurisdictions and the organisation cannot reconcile policy ownership with local business sign-off.
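The five practices above describe EDD as a gated control rather than a best-effort review. The following Python is an added example, not code from the article or from NHI Management Group, that turns each practice into a hard check on an approval record before a high-risk relationship (or, by the same logic, a privileged integration) is allowed to go live. The record fields, the 365-day revalidation window, the 30-day grace period for conditional approvals, the segregation-of-duties check, and the markers used to spot a shared mailbox or team name are all assumptions; the two sample records are constructed.

```python
"""Gate an EDD approval record before a high-risk relationship goes live.

Added example (not from the article). Field names, the 365-day revalidation
window, the 30-day grace period and the shared-identity markers are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# EDD triggers the article says must be logged as reviewed.
REQUIRED_TRIGGERS = {"sanctions", "beneficial_ownership", "source_of_funds", "adverse_media"}
MAX_APPROVAL_DAYS = 365         # assumption: approvals must be revalidated within a year
CONDITIONAL_GRACE_DAYS = 30     # assumption: unresolved conditions escalate after 30 days
# assumption: heuristic markers for "a team or mailbox" instead of a named person
SHARED_IDENTITY_MARKERS = ("team", "group", "mailbox", "shared", "dl-", "compliance@")


@dataclass
class TriggerReview:
    trigger: str
    completed_by: str           # named reviewer who performed the check
    outcome: str                # free text, e.g. "no match", "PEP confirmed"


@dataclass
class HighRiskApproval:
    relationship_id: str
    risk_rationale: str                  # why the file was classified high-risk
    reviews: List[TriggerReview]
    approver: str                        # individual who accepted residual risk
    approved_on: date
    expires_on: Optional[date]           # None models an open-ended approval
    challenge_log: List[str]             # questions raised before sign-off
    conditional: bool = False            # approved subject to conditions
    conditions_resolved: bool = False


def gate_approval(rec: HighRiskApproval, today: date) -> List[str]:
    """Return findings as stable codes; an empty list means the gate passes."""
    findings: List[str] = []

    if not rec.risk_rationale.strip():
        findings.append("MISSING_RATIONALE")

    # 1. Named approver, not a team or mailbox.
    approver = rec.approver.strip().lower()
    if not approver or any(m in approver for m in SHARED_IDENTITY_MARKERS):
        findings.append("APPROVER_NOT_NAMED")

    # 2. Every required trigger logged, each by a named reviewer.
    reviewed = {r.trigger for r in rec.reviews if r.completed_by.strip()}
    for t in sorted(REQUIRED_TRIGGERS - reviewed):
        findings.append(f"TRIGGER_NOT_REVIEWED:{t}")
    # Segregation of duties (assumption): the approver must not review their own file.
    if any(r.completed_by.strip().lower() == approver for r in rec.reviews):
        findings.append("APPROVER_REVIEWED_OWN_FILE")

    # 3. Time-bound approval so the relationship is revalidated.
    if rec.expires_on is None:
        findings.append("APPROVAL_NOT_TIME_BOUND")
    else:
        if rec.expires_on > rec.approved_on + timedelta(days=MAX_APPROVAL_DAYS):
            findings.append("APPROVAL_WINDOW_TOO_LONG")
        if today > rec.expires_on:
            findings.append("APPROVAL_EXPIRED")

    # 4. Evidence of challenge, not just the final signature.
    if not rec.challenge_log:
        findings.append("NO_EVIDENCE_OF_CHALLENGE")

    # 5. Conditional approval must not quietly become permanent.
    if rec.conditional and not rec.conditions_resolved:
        if today > rec.approved_on + timedelta(days=CONDITIONAL_GRACE_DAYS):
            findings.append("CONDITIONAL_APPROVAL_OVERDUE_ESCALATE")

    return findings


# Constructed sample records (not real counterparties) and review dates.
TODAY = date(2024, 3, 1)
LATER = date(2024, 8, 1)

COMPLETE_FILE = HighRiskApproval(
    relationship_id="REL-0001",
    risk_rationale="PEP-linked beneficial owner in a high-risk jurisdiction",
    reviews=[TriggerReview(t, "ana.ops", "documented") for t in sorted(REQUIRED_TRIGGERS)],
    approver="j.singh",
    approved_on=date(2024, 1, 15),
    expires_on=date(2024, 7, 15),
    challenge_log=["Asked for an updated UBO register extract before sign-off"],
)

WEAK_FILE = HighRiskApproval(
    relationship_id="REL-0002",
    risk_rationale="",
    reviews=[TriggerReview("sanctions", "aml-team", "no match")],
    approver="aml-team",
    approved_on=date(2023, 1, 10),
    expires_on=None,
    challenge_log=[],
    conditional=True,
)

if __name__ == "__main__":
    for rec in (COMPLETE_FILE, WEAK_FILE):
        print(rec.relationship_id, gate_approval(rec, TODAY) or "PASS")
```

The point of returning codes rather than a boolean is that the findings themselves become the audit trail: a file that fails `APPROVER_NOT_NAMED` or `CONDITIONAL_APPROVAL_OVERDUE_ESCALATE` shows exactly which accountability gate was missed, which is what a regulator or internal auditor will ask for later.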

Common Variations and Edge Cases

Tighter EDD controls often increase onboarding time and review overhead, requiring organisations to balance faster relationship setup against stronger risk assurance. That tradeoff becomes more visible when the counterparty is time-sensitive, cross-border, or part of a regulated supply chain.

Current guidance suggests there is no universal standard for every scenario, especially where local legal thresholds differ. A low-value relationship may still require EDD if the counterparty is politically exposed, operating in a high-risk jurisdiction, or using opaque ownership structures. Conversely, some organisations over-apply EDD to low-risk files and create backlog, which can weaken attention on truly risky cases.

This is where governance discipline matters most. The approver should not be shielded by committee language if the record shows they accepted a risk decision without the required review. At the same time, accountability should not be assigned to compliance alone if operations bypassed the workflow or if management overrode the control. NHI Management Group’s research on compromised identities shows how governance failures compound quickly once a weak decision path is normalised.

In practice, the safest model is explicit ownership: compliance defines the EDD rule, operations executes it, management signs the exception, and audit tests whether the file could withstand regulator scrutiny.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | GV.OV-01 | Governance oversight maps to accountable approval of high-risk decisions. |
| NIST AI RMF | GOVERN | Risk governance requires traceable accountability for approved exceptions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Weak approval and oversight patterns mirror poor NHI governance controls. |

Tie sensitive relationship approvals to least-privilege review and evidence retention.