Use SMS only where the organisation can prove consent, maintain opt-out handling, and preserve an auditable record of when and why the message was sent. For regulated workflows, SMS should support completion, not replace governance. The safe design is channel choice plus lifecycle control, not SMS by default.
Why This Matters for Security Teams
SMS in eSignature workflows looks operationally simple, but it creates compliance exposure when teams treat the channel as proof of identity, consent, or authority. For regulated approvals, the real risk is not the text message itself. It is the lack of governance around who can trigger it, what evidence is retained, and whether the workflow can prove the signer was informed and opted in. NIST’s Cybersecurity Framework 2.0 is useful here because it pushes organisations toward repeatable control outcomes rather than ad hoc messaging.
That matters because SMS delivery can be fast while still being weak from an audit perspective. If teams cannot reconstruct the reason for send, the approval state, and the retention rule for the message record, the workflow can fail legal review even when the signature completed. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives and Top 10 NHI Issues both reinforce a common pattern: identity-adjacent controls fail first at the lifecycle layer, not at the point of send. In practice, many security teams encounter SMS evidence gaps only after legal discovery or audit sampling has already begun.
How It Works in Practice
The safest design is to treat SMS as a delivery and notification channel, not as the control that proves authority. The workflow should establish consent before any message is sent, record the business purpose for each send event, and preserve immutable logs that link the SMS event to the document version, signer state, and approval chain. If the organisation uses the channel to prompt signature completion, the message should support a workflow that already has its own identity verification and policy checks.
Practically, teams should separate three questions: can this person receive a message, can this person sign this document, and can this document be executed now. Those decisions should not be collapsed into a single SMS step. Current guidance suggests the most defensible pattern is channel choice plus lifecycle control, backed by retention rules and exception handling. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is relevant here because the same discipline used for NHI issuance, rotation, and offboarding applies to message-triggering accounts, workflow bots, and signing services.
- Require explicit opt-in or documented legal basis before SMS is used for signatures or reminders.
- Log sender identity, recipient, purpose, template version, and timestamp for every message.
- Use step-up verification for higher-risk documents instead of relying on SMS alone.
- Set retention and deletion rules that match records policy and regulatory needs.
This guidance tends to break down in high-volume customer onboarding flows where teams automate message triggers without a clear approval boundary, because exceptions and retries quickly erode the audit trail.
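As an added example (not code from the page or from NHIMG), the following Python send gate keeps the three questions above separate, requires step-up verification before SMS is used for an approval-type document, and writes every attempt, including retries and denials, to a hash-chained log carrying the fields listed above. The class names, fields, the `use` tiers and the sample values are assumptions.

```python
import hashlib, json
from dataclasses import dataclass, field
GENESIS = "0" * 64  # constructed sentinel for the first chained entry (example code, not the page's)
def _digest(rec: dict) -> str:
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

@dataclass
class Signer:
    signer_id: str
    sms_opt_in: bool             # consent recorded before any send
    authorised_docs: frozenset   # documents this person may sign
    step_up_verified: bool = False
@dataclass
class Document:
    doc_id: str
    version: int
    state: str   # "draft" | "approved" | "executed"
    use: str     # "notification" | "approval" | "fallback": separate policies per use
@dataclass
class SmsAuditLog:  # append-only, hash-chained: each entry commits to the previous one
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> dict:
        rec = {**event, "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS}
        rec["hash"] = _digest(rec)
        self.entries.append(rec)
        return rec
    def verify(self) -> bool:  # fails if any entry was edited, reordered or removed
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def gate_sms(signer, doc, sender, purpose, template_version, ts, log, attempt=1):
    # Three separate questions, never collapsed into one SMS step.
    checks = {"can_receive": signer.sms_opt_in,
              "can_sign": doc.doc_id in signer.authorised_docs,
              "can_execute_now": doc.state == "approved"}
    if doc.use == "approval":  # higher-risk use: SMS alone does not prove authority
        checks["step_up_verified"] = signer.step_up_verified
    failed = sorted(k for k, ok in checks.items() if not ok)
    # Every attempt, retries and denials included, is logged with the required fields.
    log.append({"sender": sender, "recipient": signer.signer_id, "purpose": purpose,
                "template_version": template_version, "timestamp": ts, "attempt": attempt,
                "doc_id": doc.doc_id, "doc_version": doc.version, "doc_state": doc.state,
                "use": doc.use, "decision": "denied" if failed else "allowed", "failed_checks": failed})
    return not failed, failed
```

Because denied and retried attempts are logged in the same chain as successful sends, an auditor can reconstruct why each message was or was not sent, and `verify()` exposes any later edit to that record.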
Common Variations and Edge Cases
Tighter SMS governance often increases friction for sales, HR, and onboarding teams, so organisations must balance completion speed against evidentiary strength. The right answer is not always to remove SMS, but to limit where it is used and define what it can prove. There is no universal standard for this yet, especially across jurisdictions that differ on consent, electronic records, and admissibility requirements.
For low-risk acknowledgements, SMS may be acceptable as a convenience layer if the organisation can show consent, opt-out handling, and durable recordkeeping. For regulated signatures, however, best practice is evolving toward stronger identity proofing and channel separation. The Ultimate Guide to NHIs — Key Challenges and Risks is useful because many of the same failure modes appear here: over-privileged automation, poor visibility, and weak lifecycle controls. Organisations should also distinguish between SMS used for notification, SMS used for approval, and SMS used as a fallback when a primary signature channel fails. Those are different risk levels and should not share the same policy.
Where SMS becomes difficult to defend is in cross-border workflows, delegated signing, or workflows with delayed approval, because the message record alone rarely proves the legal intent behind the act.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-03 | SMS signature workflows need clear business purpose and governance ownership. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Workflow accounts and messaging services need lifecycle control and rotation. |
| NIST SP 800-63 | AAL (Authenticator Assurance Level) | eSignature assurance depends on the identity strength behind the workflow. |
Match SMS usage to the required assurance level and do not use it as sole proof for high-risk signing.