Standard checks fail because they are designed for baseline trust, not elevated exposure. High-risk relationships can involve unusual jurisdictions, politically exposed persons, complex transactions, or changing affiliation patterns that require more evidence and ongoing review. Without that added scrutiny, the organisation may verify identity but still miss the actual risk.
Why This Matters for Security Teams
Standard due diligence is built to confirm whether a relationship is acceptable at the point of onboarding. Higher-risk relationships need more than identity verification because the real issue is exposure: sanctions, jurisdictional limits, beneficial ownership complexity, adverse media, and fast-changing affiliation patterns can all increase risk after the initial check. The NIST Cybersecurity Framework 2.0 treats risk as something to govern continuously, not only at intake.
NHI Management Group has repeatedly shown that identity can look sound while underlying exposure remains unresolved, especially when credentials, access pathways, or third-party relationships shift over time. That is why the broader NHI discussion in the Ultimate Guide to NHIs — Why NHI Security Matters Now is relevant even for human-centric due diligence: the pattern is the same, verify once and miss the changing attack surface. In practice, many security teams encounter relationship risk only after an adverse event, rather than through intentional ongoing review.
How It Works in Practice
Effective due diligence for higher-risk relationships starts with risk-based segmentation. Not every counterparty, affiliate, or external party needs the same depth of review, but elevated exposure requires enhanced evidence, periodic revalidation, and documented escalation criteria. That usually means combining KYC-style identity checks with sanctions screening, beneficial ownership review, source-of-funds or source-of-wealth validation where relevant, and monitoring for changes in control, geography, or transaction behaviour.
For security and governance teams, the operational question is not simply “who is this?” but “what risk does this relationship create over time?” Current guidance suggests treating due diligence as a lifecycle process with triggers for refresh, such as new jurisdictions, unusual payment routes, ownership changes, or repeated exceptions. The same principle appears in NHI governance: a single point-in-time check is not enough when access or trust can be reshaped by new tool use, new integrations, or new business workflows. NHIMG’s Top 10 NHI Issues and the Ultimate Guide to NHIs — Key Challenges and Risks both underscore that exposure often comes from hidden dependencies, not the initial approval decision.
- Use baseline checks for standard relationships, then apply enhanced due diligence for higher-risk categories.
- Refresh evidence when ownership, geography, behaviour, or control changes.
- Separate identity verification from risk acceptance so exceptions are visible and approved.
- Track ongoing monitoring signals, not just onboarding documents.
For teams handling sensitive access, the lesson is similar to secret hygiene in the DeepSeek breach: a relationship can appear acceptable at first, then become unsafe as the environment changes. These controls tend to break down when relationship data is fragmented across business, legal, and security teams because no single function sees the full change history.
Common Variations and Edge Cases
Tighter due diligence often increases onboarding time, documentation burden, and exception handling, so organisations have to balance speed against assurance. That tradeoff is unavoidable in higher-risk cases, especially where counterparties are complex conglomerates, politically exposed persons, shell entities, or subcontractor chains with incomplete transparency.
There is no universal standard for how much extra scrutiny is enough. Best practice is evolving, but current guidance suggests using a tiered model: enhanced checks for high-risk relationships, continuous monitoring for material exposure, and defined reassessment intervals tied to business events rather than calendar reminders. Where an organisation cannot obtain adequate evidence, the safe decision may be to restrict scope, reduce privileges, or decline the relationship altogether.
One practical pitfall is treating due diligence as a compliance artifact instead of an operational control. The Ultimate Guide to NHIs — Standards highlights the same governance problem in a different domain: policy only works when it is enforced continuously, not when it is archived after approval. Higher-risk relationships fail standard checks when the organisation assumes the first answer stays true forever.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Risk decisions for higher-risk relationships need ongoing governance, not one-time review. |
| NIST CSF 2.0 | ID.RA-03 | Higher-risk relationships require continuous risk analysis beyond onboarding checks. |
| NIST CSF 2.0 | PR.AC-01 | Access and trust decisions should reflect the actual level of relationship risk. |
Define risk thresholds and require periodic reassessment for elevated relationships.
Related resources from NHI Mgmt Group
- When should a business relationship move from standard review to enhanced due diligence?
- When do service accounts become a higher risk than ordinary user accounts?
- Why do high-risk customers need more than standard customer due diligence?
- Why do spreadsheet-based compliance checks fail in modern regulatory programmes?