An operating arrangement where the provider and internal team share triage, tuning, and escalation responsibilities. It preserves more internal control than a fully managed model, but it also requires clear RACI definitions, shared visibility, and agreed decision rights to avoid confusion during incidents.
Expanded Definition
A co-managed security model is a shared operating model where an internal security or identity team and an external provider split responsibilities for monitoring, triage, tuning, escalation, and response. In NHI operations, the model is most useful when the organisation wants more control than full outsourcing but lacks the staff depth to run every workflow alone. The distinction matters because co-management is not simply a vendor contract; it is a governance arrangement that depends on clear decision rights, shared telemetry, and agreed service thresholds.
Definitions vary across vendors, especially around where advisory work ends and operational authority begins. For NHI programs, the model should be aligned to explicit control ownership for secrets rotation, service account review, alert handling, and incident escalation. This is consistent with the governance principles in NIST Cybersecurity Framework 2.0, which expects clearly assigned risk and response responsibilities.
The most common misapplication is assuming shared visibility means shared accountability, which occurs when incident ownership and escalation authority are not documented before the first alert.
Examples and Use Cases
Implementing a co-managed security model rigorously often introduces coordination overhead, requiring organisations to weigh faster specialist coverage against the cost of tighter process discipline.
- An internal platform team retains ownership of service account creation while a provider monitors anomalies and flags suspicious token use for review.
- A security operations team handles first-line triage of NHI alerts, while the provider performs tuning of detections and recommends rule refinements based on recurring patterns.
- An organisation uses co-management for secrets hygiene, pairing internal approval for rotation windows with external operational support for execution and verification, as discussed in the NHI Lifecycle Management Guide.
- A third-party support model is used for OAuth app oversight, with the provider surfacing risk and the internal team deciding whether to suspend, remediate, or re-authorize access.
- During audit preparation, the provider assembles evidence while the internal team validates control intent and signs off on exceptions, aligning with the Ultimate Guide to NHIs guidance on regulatory and audit perspectives.
These arrangements work best when the shared operating model is documented in a RACI, backed by shared logs, and reviewed against NIST Cybersecurity Framework 2.0 implementation outcomes.
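The rotation and suspension cases above turn on one mechanism: a high-risk action is permitted only when the executing party has the execute right in the RACI, an internal approval covers the current window, and the approver is not also the executor. The following Python gate is an added example written for this page, not code from NHI Mgmt Group or any provider; the roles, action names, approval windows and account names are constructed for illustration.

```python
"""Decision-rights gate for high-risk NHI actions in a co-managed model (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed roles and actions for this example; a real deployment would load
# them from the signed-off RACI rather than hard-code them.
HIGH_RISK_ACTIONS = {"rotate_secret", "suspend_service_account", "offboard_nhi"}

# action -> (roles that may approve it, roles that may execute it)
DECISION_RIGHTS = {
    "flag_anomaly": (set(), {"provider", "internal_soc"}),
    "rotate_secret": ({"internal_platform"}, {"provider", "internal_platform"}),
    "suspend_service_account": ({"internal_platform"}, {"internal_platform"}),
    "offboard_nhi": ({"internal_platform"}, {"internal_platform"}),
}


@dataclass(frozen=True)
class Approval:
    action: str
    target: str
    approver_id: str
    approver_role: str
    window_start: datetime
    window_end: datetime


class Decision(NamedTuple):
    allowed: bool
    reason: str


def _record(audit_log, actor_id, action, target, decision):
    # Every decision, allowed or denied, goes to the shared log so both parties
    # can reconstruct who did what during an incident.
    audit_log.append({"actor": actor_id, "action": action, "target": target,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def authorize(actor_role, actor_id, action, target, now, approvals, audit_log):
    """Return a Decision for actor_id (in actor_role) attempting action on target."""
    rights = DECISION_RIGHTS.get(action)
    if rights is None:
        return _record(audit_log, actor_id, action, target, Decision(False, "unknown action"))
    approve_roles, execute_roles = rights
    if actor_role not in execute_roles:
        return _record(audit_log, actor_id, action, target,
                       Decision(False, f"role {actor_role} has no execute right for {action}"))
    if action in HIGH_RISK_ACTIONS:
        # An approval counts only if it names this action and target, comes from
        # a role with approve rights, and its window covers the current time.
        valid = [a for a in approvals
                 if a.action == action and a.target == target
                 and a.approver_role in approve_roles
                 and a.window_start <= now <= a.window_end]
        if not valid:
            return _record(audit_log, actor_id, action, target,
                           Decision(False, "no internal approval covers this window; escalate"))
        # Separation of duties: the person who approved may not be the one executing.
        if all(a.approver_id == actor_id for a in valid):
            return _record(audit_log, actor_id, action, target,
                           Decision(False, "separation of duties: approver may not execute own approval"))
    return _record(audit_log, actor_id, action, target, Decision(True, "permitted"))


# Constructed scenario data.
NOW = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_APPROVALS = [
    Approval("rotate_secret", "svc-billing", "alice", "internal_platform",
             NOW - timedelta(hours=1), NOW + timedelta(hours=1)),
    Approval("rotate_secret", "svc-reports", "alice", "internal_platform",
             NOW - timedelta(days=2), NOW - timedelta(days=1)),  # expired window
]


def run_scenarios():
    """Exercise the gate; return ({scenario: allowed}, audit_log)."""
    log = []
    results = {
        "provider_flags_anomaly": authorize("provider", "mdr-bot", "flag_anomaly",
                                            "svc-billing", NOW, SAMPLE_APPROVALS, log).allowed,
        "provider_suspends": authorize("provider", "mdr-bot", "suspend_service_account",
                                       "svc-billing", NOW, SAMPLE_APPROVALS, log).allowed,
        "provider_rotates_approved": authorize("provider", "mdr-bot", "rotate_secret",
                                               "svc-billing", NOW, SAMPLE_APPROVALS, log).allowed,
        "provider_rotates_expired": authorize("provider", "mdr-bot", "rotate_secret",
                                              "svc-reports", NOW, SAMPLE_APPROVALS, log).allowed,
        "approver_executes_own": authorize("internal_platform", "alice", "rotate_secret",
                                           "svc-billing", NOW, SAMPLE_APPROVALS, log).allowed,
    }
    return results, log


if __name__ == "__main__":
    for name, allowed in run_scenarios()[0].items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The provider can flag anomalies freely, can rotate a secret only inside an internally approved window, and cannot suspend accounts at all; an internal approver who tries to execute their own approval is also refused. Denials are logged with a reason rather than silently dropped, which is what makes the "escalate" path auditable when a rotation or suspension is contested after the fact.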
Why It Matters in NHI Security
Co-managed security matters because NHI environments fail quickly when no one knows who owns triage, who can approve emergency action, or who must revoke access after a compromise. NHIs outnumber human identities by 25x to 50x in modern enterprises, and that scale makes ambiguity in operating responsibility a direct security risk, not a process inconvenience. NHI Mgmt Group research shows that only 5.7% of organisations have full visibility into their service accounts, which means most teams are already operating with partial context when incidents occur.
That is why co-management must include escalation paths, logging access, and authority boundaries for high-risk actions such as rotation, suspension, and offboarding. The issue is especially visible in the Ultimate Guide to NHIs and the Top 10 NHI Issues, where visibility gaps and excessive privilege repeatedly appear as root causes. Organisations typically encounter the limits of the model only after an alert is missed or a compromised credential remains active, at which point undefined co-managed decision rights become an operational problem that can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared ownership affects NHI lifecycle, visibility, and escalation control boundaries. |
| NIST CSF 2.0 | GV.RM-03 | Governance requires explicit roles, responsibilities, and risk ownership across parties. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust limits require tightly scoped, monitored access even when duties are shared. |
Apply least-privilege access and verify each party's authority before permitting sensitive actions.