Who should be accountable when a fraudulent hire gets access?

Accountability should sit jointly with HR and security leadership because the control failure spans recruitment, identity proofing, and access governance. The practical answer is a shared decision path for offer, hire, and access issuance, with clear escalation when identity assurance is incomplete.

Why This Matters for Security Teams

A fraudulent hire is not just an HR screening miss. It becomes a security accountability problem the moment identity proofing, offer approval, and access issuance are separated across teams with no shared control point. That gap is where compromised applicants, impersonation, and policy exceptions slip through. NHI Management Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which is a reminder that weak governance tends to amplify small onboarding mistakes into large access failures. The practical issue is not who made the hiring decision, but who accepted risk without verified identity assurance.

Security teams often assume HR owns hiring and IAM owns access, yet fraudulent onboarding usually exposes the absence of a single accountable path across both functions. The OWASP Non-Human Identity Top 10 frames identity lifecycle and privilege gaps as security risks, not administrative inconveniences. In practice, many security teams encounter this only after an access review, a payroll anomaly, or a post-incident investigation, rather than through intentional control design.

How It Works in Practice

Accountability works best when it is assigned to the decision chain, not to a single department. HR should own the integrity of candidate intake, documentation, and offer workflow. Security leadership should own identity assurance, access gating, and exception handling. IAM or PAM operators then enforce the controls that make the decision real. Current guidance suggests that no account should be issued until the person has passed the required identity proofing level and the approval trail is complete.

For most organisations, this means building a joint workflow with explicit checkpoints:

  • HR verifies the candidate record, employment status, and approved start date.
  • Security confirms identity proofing strength, fraud signals, and policy exceptions.
  • IAM issues access only after both conditions are satisfied.
  • PAM or JIT access is used for elevated permissions rather than standing access.
  • Audit logs preserve who approved, who attested, and who overrode controls.

Where identity assurance is incomplete, access should default to denial or a constrained, time-bound state. NHI Management Group’s 52 NHI Breaches Analysis shows how often weak lifecycle controls and over-privilege combine into material exposure. In parallel, security teams should align the process with NIST’s Cybersecurity Framework by treating onboarding as a governed access decision, not a clerical handoff. These controls tend to break down when temporary hires, contractors, or urgent start dates are allowed to bypass the identity proofing step because speed is prioritised over assurance.
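The two-checkpoint gate described above (HR attestation and security attestation both required, JIT rather than standing elevated access, an audit record of who attested and who overrode, and a default of denial or a constrained, time-bound state) expressed as a policy function. This is an added example, not code from the original article or from any of the cited bodies; the proofing scale, role tiers, expiry windows and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed ordinal scale for identity proofing strength (not a standard's levels).
PROOFING_RANK = {"none": 0, "basic": 1, "strong": 2}
# Assumed policy: privileged roles require the strongest proofing before any access.
REQUIRED_PROOFING = {"standard": "basic", "privileged": "strong"}
JIT_ELEVATED_TTL = timedelta(hours=8)      # elevated access is never standing
CONSTRAINED_TTL = timedelta(hours=72)      # fallback state when assurance is incomplete

@dataclass
class OnboardingRecord:
    candidate_id: str
    role_tier: str                        # "standard" or "privileged"
    hr_attested_by: Optional[str]         # HR verified record, status and start date
    proofing_level: str                   # result of identity proofing
    security_attested_by: Optional[str]   # security confirmed proofing and fraud review
    open_fraud_signals: int
    exception_approved_by: Optional[str] = None  # named approver who accepted the risk

@dataclass
class AccessDecision:
    outcome: str                  # "issue", "constrained" or "deny"
    expires_at: Optional[datetime]
    audit: dict                   # who approved, who attested, who overrode

def gate_access(rec: OnboardingRecord, now: datetime) -> AccessDecision:
    required = REQUIRED_PROOFING[rec.role_tier]
    hr_ok = rec.hr_attested_by is not None
    proofing_ok = PROOFING_RANK[rec.proofing_level] >= PROOFING_RANK[required]
    no_fraud = rec.open_fraud_signals == 0
    security_ok = rec.security_attested_by is not None and proofing_ok and no_fraud
    audit = {
        "candidate_id": rec.candidate_id, "decided_at": now.isoformat(),
        "hr_attested_by": rec.hr_attested_by, "security_attested_by": rec.security_attested_by,
        "overridden_by": rec.exception_approved_by,
        "checks": {"hr": hr_ok, "proofing": proofing_ok, "fraud_clear": no_fraud},
    }
    if hr_ok and security_ok:
        # Elevated permissions are granted just-in-time with an expiry, not as standing access.
        ttl = JIT_ELEVATED_TTL if rec.role_tier == "privileged" else None
        return AccessDecision("issue", now + ttl if ttl else None, audit)
    if hr_ok and no_fraud and rec.exception_approved_by:
        # Assurance incomplete but a named approver accepted the risk: baseline access
        # only, time-bound, and the override is recorded. Elevated access still waits.
        return AccessDecision("constrained", now + CONSTRAINED_TTL, audit)
    # Default is denial: open fraud signals or a missing checkpoint cannot be overridden.
    return AccessDecision("deny", None, audit)
```

The audit dictionary is the record the page asks for: it names the HR attester, the security attester and any approver who overrode a failed check, alongside the check results the decision was based on.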

Common Variations and Edge Cases

Tighter onboarding control often increases hiring friction, requiring organisations to balance fraud resistance against time-to-start and employee experience. That tradeoff becomes sharper in high-volume recruiting, remote hiring, and contractor-heavy environments, where manual review can slow operations and create pressure for exceptions.

There is no universal standard for this yet, but current best practice is evolving toward risk-based gating. A low-risk internal transfer may justify a lighter path than an external candidate with limited verifiable history, while a privileged role should require stronger proofing and tighter approval thresholds. The same principle applies to agents and service identities that act on behalf of people: if the account can trigger sensitive actions, it deserves stronger governance than a normal user profile.

For this reason, shared accountability should be documented in policy and enforced in tooling. The key challenges and risks section in NHI Management Group’s guidance is especially relevant where onboarding spans multiple systems and approvers. OWASP’s guidance remains useful here as a control lens, but the operational answer is simple: when identity assurance is incomplete, the organisation should be accountable for the risk it still chooses to accept.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers identity lifecycle gaps that enable fraudulent access. |
| NIST CSF 2.0 | PR.AC-1 | Addresses access control decisions and approval accountability. |
| NIST AI RMF | | Supports governance and accountability for automated or assisted decisions. |

Define ownership, escalation, and oversight for every identity-related approval path.