Accountability usually sits with the organisation that granted access, even if a third-party provider handled part of the verification process. Security, IAM, and business sponsors all need defined roles so that the trust decision is traceable and reviewable after the fact.
Why This Matters for Security Teams
Misidentified contractors and vendors are not just a procurement issue. They create a traceability failure in access governance, because the organisation that accepted the trust decision is still accountable for the outcome. That matters when a third party is used for screening, verification, or identity proofing, since a broken handoff can leave an unapproved person with valid access and no clear owner for remediation.
This is especially risky in environments where third parties already have broad exposure. NHI Mgmt Group notes that 92% of organisations expose NHIs to third parties in its Ultimate Guide to NHIs — The NHI Market, which makes identity assurance and accountability part of day-to-day supply chain risk. The right control question is not only who performed verification, but who approved access, who can revoke it, and who must explain the decision later. NIST’s Cybersecurity Framework 2.0 reinforces that governance and accountability must be explicit, not implied.
In practice, many security teams discover misidentification only after access has already been granted and evidence is fragmented across IAM, vendor management, and the business owner.
How It Works in Practice
Accountability should follow the trust decision, not the vendor workflow. If a contractor is onboarded through a third-party identity proofing step, the organisation still owns the access decision, the exceptions process, and the revocation path. The control model should make that ownership visible in policy, tickets, and audit records.
Practitioners usually need three layers of responsibility:
-
Security defines assurance requirements, reviews risk, and validates that identity evidence is sufficient for the access level requested.
-
IAM or platform teams enforce the technical controls, including access provisioning, attribute checks, and revocation.
-
The business sponsor confirms the need for access and remains the accountable approver for ongoing business risk.
This is where identity lifecycle discipline matters. If an external worker is misidentified, the response should include immediate suspension, investigation of the evidence chain, and re-verification before reinstatement. Where secrets or accounts are involved, the organisation should also rotate or revoke dependent credentials, because access often persists beyond the original identity check. NHI Mgmt Group’s JetBrains GitHub plugin token exposure illustrates how identity and token trust can diverge when controls are not tightly tied to the issuing authority.
Current guidance suggests using documented decision records, time-bounded access, and periodic re-certification so that accountability remains auditable. NIST’s Cybersecurity Framework 2.0 supports this governance approach by emphasizing clear roles, risk management, and recovery. These controls tend to break down when vendor-managed identities are provisioned outside the central IAM workflow because revocation, evidence retention, and owner assignment become inconsistent.
Common Variations and Edge Cases
Tighter verification and approval controls often increase onboarding friction, so organisations need to balance speed against assurance. That tradeoff is real, especially in contractor-heavy environments where access is temporary and demand is high.
There is no universal standard for this yet, but best practice is evolving toward shared accountability with explicit handoff points. For low-risk access, a lighter approval path may be acceptable if it is still traceable. For privileged, production, or data-access scenarios, the bar should be higher: stronger identity proofing, documented sponsor approval, and mandatory re-checks before extension. This matters even more when secrets or automation are involved, because a misidentified person can inherit more access than the original review assumed. NHI Mgmt Group’s Ultimate Guide to NHIs — The NHI Market is a useful reference point for third-party exposure patterns and why revocation discipline cannot be optional.
Edge cases usually arise when a managed service provider handles verification but the buying organisation keeps the risk. In those situations, accountability should still remain with the organisation that granted access, because delegation of process is not delegation of responsibility.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Governance must assign clear accountability for identity decisions. |
| NIST CSF 2.0 | PR.AA-04 | Identity proofing and authorisation depend on traceable access decisions. |
| NIST AI RMF | AI RMF governance applies when third parties or automation influence trust decisions. |
Document who approves, reviews, and revokes contractor access, then retain evidence for audit and incident response.
Related resources from NHI Mgmt Group
- Who is accountable for removing access when a contractor or vendor leaves?
- Who should be accountable when access review escalations reach senior leadership?
- Who is accountable when identity decisions are not governed?
- Who is accountable when access remains in place after it should have been removed?
