An organisation-owned account is a business account whose email, phone number, recovery methods, and authentication factors are controlled by the company rather than an individual. This model preserves continuity during role changes, enables policy enforcement, and reduces the risk of orphaned access.
Expanded Definition
An organisation-owned account is a business-controlled identity whose email, phone number, recovery paths, and authentication factors remain under company governance rather than personal ownership. In NHI and IAM programs, the key distinction is not just who uses the account, but who can administer, recover, rotate, and revoke it. That makes it different from personal accounts used for work, delegated access, or ad hoc shared inboxes.
Definitions vary across vendors when these accounts are tied to teams, roles, or automation, but the governance pattern is consistent: the organisation retains control over lifecycle and recovery. This matters because organisation-owned accounts often sit at the boundary between human access and non-human identity management, especially when they protect shared mailboxes, admin consoles, support channels, or emergency recovery paths. Guidance from the NIST Cybersecurity Framework 2.0 reinforces the need for controlled identity lifecycle management and least privilege. The most common misapplication is treating an employee’s personal mailbox or phone number as the recovery anchor for a business account, which occurs when account provisioning prioritises speed over organisational control.
Examples and Use Cases
Implementing organisation-owned accounts rigorously often introduces lifecycle overhead, requiring organisations to balance continuity and auditability against extra provisioning and recovery governance.
- A finance team uses a shared payments inbox where the mailbox, MFA device, and recovery contact are owned by the company, not the individual analyst who currently handles invoices.
- An IT support queue is tied to a role-based account with a company-managed phone number and escrowed recovery options, so access survives staff turnover without manual resets.
- A privileged admin account is created for break-glass use and enrolled through policy so that revocation, monitoring, and audit trails remain under central control, consistent with the lifecycle patterns described in Ultimate Guide to NHIs.
- An automation workflow sends alerts from a company-owned identity, making the sender address and trust relationship stable even when the underlying operator changes.
- A vendor-facing service desk account is kept organisation-owned so offboarding a contractor does not interrupt customer communications or expose recovery settings to personal devices.
For account assurance, the organisation can align setup and recovery controls with the identity assurance principles in NIST Cybersecurity Framework 2.0 while keeping all recovery paths under policy.
Why It Matters in NHI Security
Organisation-owned accounts reduce orphaned access, but they also become high-value control points when the organisation fails to govern them. NHIMG's Ultimate Guide to NHIs reports that only 5.7% of organisations have full visibility into their service accounts, which shows how often ownership and recovery are left partially unmanaged. When recovery methods point to personal devices or employee mailboxes, attackers can exploit turnover, forgotten credentials, or unmanaged MFA resets to retain access after role changes. This is especially dangerous in environments that rely on shared support, admin, or automation identities, because the account outlives any single employee but may not outlive poor governance. Strong ownership also supports zero trust by making every recovery and authentication event attributable, reviewable, and revocable. The NIST view of continuous control validation in NIST Cybersecurity Framework 2.0 is especially relevant when these accounts bridge human administration and machine operation. Organisations typically encounter the risk only after an employee departs, a mailbox is abandoned, or a compromised recovery channel is used to retain access, at which point governance of organisation-owned accounts becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Organisation-owned accounts require clear lifecycle ownership and recovery control. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and account governance support controlled access for business-owned identities. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust treats every account as a governed identity with continuous validation. |
Assign one owner, remove personal recovery paths, and enforce revocation on role changes.
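The three controls above (one accountable owner, no personal recovery paths, revocation when the owner's role changes) and the misapplication described under Expanded Definition can be checked mechanically against a directory export. The following is an added example written for this page, not code from NHIMG or any vendor: it audits constructed account records and flags those whose owner has left, whose recovery email sits outside the company mail domain, whose recovery phone is not in the company-managed pool, or whose MFA factor was enrolled by an individual rather than by policy. The domain, phone pool, user ids and account records are all assumed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed company values for this example (not taken from the page).
ORG_MAIL_DOMAIN = "example.com"
ORG_PHONE_POOL = {"+15550100", "+15550101"}   # company-managed recovery numbers (constructed)


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]            # accountable owner's user id; None if nobody is assigned
    recovery_email: Optional[str]   # escrowed recovery mailbox, if any
    recovery_phone: Optional[str]   # escrowed recovery number, if any
    mfa_enrolled_by: str            # "org" when the factor is policy-enrolled, else a user id


def is_org_mailbox(address: str) -> bool:
    """True when the address is in the company mail domain (case-insensitive)."""
    return address.lower().rsplit("@", 1)[-1] == ORG_MAIL_DOMAIN


def audit_account(acct: Account, active_users: Set[str]) -> List[str]:
    """Return the governance gaps for one account; an empty list means it is compliant."""
    findings: List[str] = []
    # Control 1: exactly one accountable owner, and that owner must still be active.
    if acct.owner is None:
        findings.append("no accountable owner assigned")
    elif acct.owner not in active_users:
        findings.append(f"owner {acct.owner} is no longer active (orphaned account)")
    # Control 2: recovery paths exist and stay under company control.
    if acct.recovery_email is None and acct.recovery_phone is None:
        findings.append("no recovery path escrowed")
    if acct.recovery_email is not None and not is_org_mailbox(acct.recovery_email):
        findings.append(f"recovery email {acct.recovery_email} is outside {ORG_MAIL_DOMAIN}")
    if acct.recovery_phone is not None and acct.recovery_phone not in ORG_PHONE_POOL:
        findings.append(f"recovery phone {acct.recovery_phone} is not company-managed")
    # Control 3: the authentication factor belongs to the organisation, not a person.
    if acct.mfa_enrolled_by != "org":
        findings.append(f"MFA factor is enrolled to {acct.mfa_enrolled_by}, not to the organisation")
    return findings


def audit(accounts: List[Account], active_users: Set[str]) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, active_users)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample directory state: two active users, one departed (m.khan).
ACTIVE_USERS = {"a.lee", "j.doe"}
SAMPLE_ACCOUNTS = [
    # Fully governed shared payments inbox: no findings expected.
    Account("payments-inbox", "a.lee", "recovery-payments@example.com", "+15550100", "org"),
    # Support queue whose owner has left: orphaned until reassigned.
    Account("it-support-queue", "m.khan", "recovery-it@example.com", "+15550101", "org"),
    # Break-glass admin anchored to a personal mailbox, personal phone and personal MFA.
    Account("breakglass-admin", "j.doe", "jdoe@personal-mail.example", "+15559999", "j.doe"),
    # Automation sender with no owner and no escrowed recovery at all.
    Account("alerts-sender", None, None, None, "org"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, ACTIVE_USERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a real directory export, the same checks would read the owner, recovery and MFA attributes from the identity provider rather than from the constructed list; the point of the example is that each of the three controls reduces to a concrete, repeatable test, so the audit can run on every role change or offboarding event instead of after a mailbox is already abandoned.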