Accountability sits with the organisation that owns the regulated service, even when access is delivered through a supplier or a legacy platform. Frameworks such as NIS2 and the UK Telecommunications Security Act expect demonstrable control, not shared blame. The team accountable for evidence is the team accountable for compliance.
Why This Matters for Security Teams
When telecom identity controls fail a regulatory review, the issue is rarely just a missing document. It usually means the organisation cannot prove who can access what, under which authority, and for how long. That failure lands on the service owner, even if the access path runs through a supplier, an outsourced operations team, or a legacy platform. Regulators care about demonstrable control, not shared intent, as reflected in the NIST Cybersecurity Framework 2.0 and the regulatory posture described in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives.
The practical risk is bigger than an audit finding. Telecom environments often combine privileged engineer accounts, non-human service identities, and brittle exception handling across OSS/BSS, network functions, and supplier-administered tooling. If identity proof, logging, and revocation are inconsistent, the organisation cannot defend access decisions after the fact. The evidence trail matters as much as the control itself. In practice, many security teams encounter accountability gaps only after a regulator asks for proof that no one can produce.
How It Works in Practice
Accountability in telecom identity controls is usually assigned to the entity that operates the regulated service, not the party that merely implements part of it. That means the compliance owner must be able to show a complete chain for identity lifecycle, privileged access, secret handling, review cadence, and exception management. Supplier contracts can delegate tasks, but they do not delegate regulatory responsibility.
For non-human identities, this becomes a control-evidence problem as much as an access problem. Teams should be able to show:
- which NHIs exist and why they exist;
- which systems each identity can reach;
- how credentials or tokens are issued, rotated, and revoked;
- who approved the access and on what basis;
- what logs prove the control operated as designed.
That evidence model aligns with NHIMG guidance on the Ultimate Guide to NHIs and the operational reality shown in the 52 NHI Breaches Analysis, where unmanaged or poorly governed identities become a direct assurance failure. For control design, the current guidance suggests using least privilege, strong ownership, and time-bounded access, with review artefacts preserved for audit. Where possible, map controls to established governance language in NIST Cybersecurity Framework 2.0 so the control narrative is traceable to recognised security outcomes.
These controls tend to break down when responsibility is split across multiple outsourcing layers because no single party can produce the full evidence set.
Common Variations and Edge Cases
Tighter accountability often increases operational overhead, requiring organisations to balance auditability against supplier complexity and legacy constraints. In telecom, that tradeoff is common because identity flows may span old network platforms, modern cloud services, and managed service providers.
One edge case is a legacy platform that cannot support modern logging or just-in-time access. Best practice is evolving here, but current guidance suggests compensating controls rather than accepting a vague exception: bastion logging, approval records, periodic access recertification, and short-lived credentials where technically possible. Another variation is a supplier-managed identity store. The supplier may run the platform, but the regulated operator still needs evidence that access is bounded, reviewed, and revoked on schedule.
If the review touches AI-assisted operations or autonomous tooling, the bar is even higher because identities may be used by systems that act faster than human review cycles. In those cases, the accountability question extends to whether the organisation can explain machine-issued access in a way that is consistent with the Lifecycle Processes for Managing NHIs and the governance direction in the EU AI Act regulatory framework. There is no universal standard for this yet, but the safe position is simple: if the organisation cannot evidence the control, it should assume it owns the deficiency.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Regulatory review failures expose governance and risk ownership gaps. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and weak lifecycle control are central to telecom NHI failures. |
| NIST AI RMF | Autonomous systems can complicate identity accountability and evidence trails. |
Inventory all NHIs, define owners, and enforce lifecycle controls with audit-ready evidence.
Related resources from NHI Mgmt Group
- Who is accountable when identity controls fail an insurance review?
- Who is accountable when privileged access controls fail in cloud environments?
- Who is accountable when identity proofing and access provisioning fail together?
- Who is accountable when machine-identity review logic becomes part of the control plane?
