A governance pattern that requires two independent authorised people to approve a sensitive action before it is released. In finance, it reduces the chance that a single compromised identity can move money or alter payment instructions on its own.
Expanded Definition
Dual control is a governance pattern that requires two independent authorised people to approve a sensitive action before it can proceed. In NHI security, it is used to reduce the risk that one compromised identity, one insider, or one automation path can unilaterally release funds, rotate a high-value secret, or change a payment destination.
Definitions vary across vendors and control frameworks, but the core idea is consistent: separation of authority for high-impact operations. It is closely related to segregation of duties, yet dual control is narrower because it focuses on a specific transaction or administrative action rather than an entire job function. In practice, dual control often appears alongside NIST Cybersecurity Framework 2.0 principles for access control and governance, and it becomes especially important where NHI tokens, API keys, or privileged workflows can bypass normal human review. NHI Management Group treats dual control as a compensating safeguard, not a substitute for least privilege, audit logging, or Zero Trust design.
The most common misapplication is treating a second approval as a rubber stamp, which occurs when both approvers share the same delegated access path or review the same compromised request.
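The rubber-stamp failure described above can be rejected in code. The following release check is an added example, not taken from NHI Mgmt Group or any framework cited on this page. The `access_path` field, the identity names and the account value are constructed assumptions, and binding each approval to a digest of the request is a design choice of this example.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    approver: str        # identity that approved
    access_path: str     # how the approver was authorised (hypothetical field)
    request_digest: str  # digest of the exact request the approver reviewed

def request_digest(request: dict) -> str:
    """Canonical SHA-256 of the request, so an approval is bound to its content."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def check_dual_control(request: dict, approvals: list[Approval]) -> tuple[bool, str]:
    """Return (released, reason). Release needs two independent approvals."""
    digest = request_digest(request)
    valid = {}
    for a in approvals:
        if a.request_digest != digest:
            continue  # approval was given for different content
        if a.approver == request["requester"]:
            continue  # the requester cannot approve their own action
        valid.setdefault(a.approver, a)  # count each identity once
    if len(valid) < 2:
        return False, "fewer than two valid approvers besides the requester"
    if len({a.access_path for a in valid.values()}) < 2:
        return False, "approvers share one access path (rubber-stamp risk)"
    return True, "released"

# Constructed sample: a beneficiary change, as in the use cases on this page.
REQUEST = {"action": "beneficiary_change", "requester": "svc-payments-admin",
           "target_account": "EXAMPLE-ACCOUNT-0001"}

if __name__ == "__main__":
    d = request_digest(REQUEST)
    independent = [Approval("alice", "sso-finance", d), Approval("bob", "sso-risk", d)]
    shared_path = [Approval("alice", "delegated-admin", d), Approval("bob", "delegated-admin", d)]
    print(check_dual_control(REQUEST, independent))
    print(check_dual_control(REQUEST, shared_path))
```

Because approvals carry the request digest, changing the target account after sign-off invalidates both approvals and forces a fresh review.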
Examples and Use Cases
Implementing dual control rigorously often introduces operational friction, requiring organisations to weigh faster execution against stronger protection for high-risk actions.
- Two separate approvers must confirm a bank beneficiary change before payment instructions are released, preventing a single compromised admin session from redirecting funds.
- An SRE can request emergency elevation for a production service account, but a second authorised reviewer must approve the change before the secret is issued.
- A security team rotates a high-value API key only after one operator requests the change and another validates the business justification and target system.
- An NHI governance board uses dual control for offboarding critical service accounts, pairing operational verification with independent risk approval.
- For control design guidance, NHI Mgmt Group’s Ultimate Guide to NHIs is the best starting point, especially when paired with NIST Cybersecurity Framework 2.0 mapping for approvals, auditability, and access oversight.
In mature environments, dual control is applied to secret escrow release, privileged configuration changes, and emergency break-glass workflows where misuse would have immediate impact.
Why It Matters in NHI Security
Dual control matters because NHIs often operate at machine speed, with broad permissions and limited human visibility. When a service account, API key, or automation credential is abused, a single approval path can become a single point of failure. NHI Mgmt Group reports that 97% of NHIs carry excessive privileges and only 5.7% of organisations have full visibility into their service accounts, which makes independent approval especially important for high-impact actions. The same guide also notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, reinforcing why release controls must not depend on one identity alone.
Dual control does not replace secrets hygiene, rotation, or zero standing privileges (ZSP). It adds a governance checkpoint that slows attackers, deters insider abuse, and creates an auditable decision trail. It is also useful where NHI visibility and lifecycle control are still immature, because two-person review can compensate for weak automation until those controls improve. Teams typically encounter the need for dual control only after a fraudulent transfer, unauthorised secret release, or privileged change has already been attempted, at which point adopting the control becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-07 | Dual approval helps constrain high-risk NHI actions and reduces single-identity abuse. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access governance support independent approval for sensitive actions. |
| NIST Zero Trust (SP 800-207) | | Zero Trust supports continuous verification, including controlled authorization for sensitive actions. |
Treat dual control as an added verification step for privileged actions inside Zero Trust workflows.