Accountability sits with the programme that owns device lifecycle, session termination, and access governance, not with the clinician who inherits the problem. Shared mobility requires an explicit owner for allocation, reset, and audit evidence. Without that ownership, compliance reports describe the issue without actually containing it.
Why This Matters for Security Teams
Shared devices turn a routine workflow into an identity-containment problem. If the previous user’s session, tokens, or cached secrets remain available, the device becomes a conduit for unauthorised access rather than a neutral endpoint. That is why accountability belongs to the programme that owns lifecycle controls, not the individual who happens to inherit the device. The control gap is usually not a missing policy statement; it is a missing operational owner for reset, verification, and evidence.
This issue shows up repeatedly in broader NHI governance. NHIMG’s Ultimate Guide to NHIs frames identity sprawl and weak lifecycle discipline as recurring root causes, while the OWASP Non-Human Identity Top 10 highlights the same pattern in machine access: standing credentials persist long after their safe use window. In practice, a shared kiosk, tablet, or clinical workstation can expose the same failure mode when logout, session revocation, and device wipe are treated as optional rather than as part of the access control chain.
Many security teams discover the gap only after an inherited session is used for a task the new user should never have been able to perform, rather than through deliberate lifecycle testing.
How It Works in Practice
Accountability should be assigned to the team that can actually prevent recurrence. That usually means the application owner, endpoint operations team, or clinical mobility programme, depending on who controls sign-in, session teardown, and post-use sanitisation. The relevant question is not who noticed the issue, but who can force logout, rotate tokens, clear cached credentials, and prove the reset happened.
Operationally, strong shared-device governance usually includes three layers: first, the session must terminate cleanly at handoff; second, any privileged or persistent access material must be invalidated; third, the device must return to a verified baseline before the next user. This is where the 52 NHI Breaches Analysis is useful as a reminder that identity incidents often begin with lifecycle failures, not sophisticated exploitation. The same logic applies when devices hold reusable access material such as API keys, refresh tokens, or cached authentication artefacts.
- Define one owner for allocation, reset, and audit evidence.
- Use automatic sign-out and session revocation on handoff.
- Remove local storage of secrets wherever possible.
- Verify the post-reset state before the next user receives the device.
- Treat failed handoff checks as access-control incidents, not housekeeping issues.
Current guidance suggests that shared-device controls work best when they are enforced by workflow, not memory. Where possible, align them with identity proofing and access policy so the device cannot be reassigned until the prior session is fully terminated. These controls tend to break down in fast-turnover environments such as emergency departments, field operations, or high-volume service desks because handoff pressure outruns reset verification.
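As an added example that is not part of the original page or of any of the referenced guidance, the following Python models the three layers above as a handoff gate: it checks a device for surviving sessions, live refresh tokens (including tokens that would outlive the shift), cached secrets on disk and configuration drift, forces a reset when anything is found, re-verifies, and emits a hashed evidence record naming the accountable owner. The device model, the baseline, the owner name and the sample state are constructed assumptions; in a real deployment the session and token revocation would be calls to the identity provider and the application, not edits to an in-memory record.

```python
# Added example: handoff gate for a shared device (constructed, not from the page).
# Layers: (1) session teardown, (2) invalidation of persistent access material,
# (3) verified return to baseline, with an evidence record for the audit trail.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json


@dataclass
class DeviceState:
    device_id: str
    active_sessions: set[str]            # session ids the IdP/app still honours
    refresh_tokens: dict[str, datetime]  # token id -> expiry; revoked tokens are removed
    cached_secrets: set[str]             # paths holding credential material on disk
    config_hash: str                     # fingerprint of the device configuration


@dataclass
class Baseline:
    owner: str            # programme accountable for allocation, reset and evidence
    config_hash: str      # known-good configuration fingerprint
    shift_end: datetime   # access material must not outlive the shift that created it


def handoff_check(state: DeviceState, baseline: Baseline, now: datetime) -> dict:
    """Return a verdict with findings; any finding is an access-control incident."""
    findings = []
    for sid in sorted(state.active_sessions):
        findings.append(f"session still valid: {sid}")
    for tid, expiry in sorted(state.refresh_tokens.items()):
        if expiry > now:  # expired tokens are harmless; live ones are not
            tag = " and outlives the shift" if expiry > baseline.shift_end else ""
            findings.append(f"live refresh token: {tid}{tag}")
    for path in sorted(state.cached_secrets):
        findings.append(f"cached secret on disk: {path}")
    if state.config_hash != baseline.config_hash:
        findings.append("configuration drift from baseline")
    verdict = {
        "device_id": state.device_id,
        "checked_at": now.isoformat(),
        "owner": baseline.owner,
        "findings": findings,
        "ok": not findings,
        "classification": "clean" if not findings else "access-control incident",
    }
    # Digest over the verdict so the stored evidence can be checked for tampering.
    digest = hashlib.sha256(json.dumps(verdict, sort_keys=True).encode()).hexdigest()
    verdict["evidence_sha256"] = digest
    return verdict


def reset_device(state: DeviceState, baseline: Baseline) -> DeviceState:
    """Force logout, revoke tokens, clear cached secrets, restore the baseline."""
    return DeviceState(
        device_id=state.device_id,
        active_sessions=set(),   # revoked at the IdP/app, not just signed out in the UI
        refresh_tokens={},       # revoked server-side, not merely deleted locally
        cached_secrets=set(),
        config_hash=baseline.config_hash,
    )


def handoff(state: DeviceState, baseline: Baseline, now: datetime) -> tuple[bool, dict]:
    """Release the device only when the post-reset check passes."""
    before = handoff_check(state, baseline, now)
    if before["ok"]:
        return True, before
    after = handoff_check(reset_device(state, baseline), baseline, now)
    return after["ok"], after


# Constructed sample: a ward tablet handed back mid-shift without a proper reset.
NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)
SHIFT_END = NOW + timedelta(hours=2)


def example_dirty_state() -> DeviceState:
    return DeviceState(
        device_id="ward-tablet-07",
        active_sessions={"sess-a1"},
        refresh_tokens={"rt-9": NOW + timedelta(days=30),    # long-lived, outlives shift
                        "rt-old": NOW - timedelta(hours=1)},  # already expired
        cached_secrets={"/data/app/creds.json"},
        config_hash="deadbeef",
    )


def example_baseline() -> Baseline:
    return Baseline(owner="clinical-mobility-programme",
                    config_hash="c0ffee", shift_end=SHIFT_END)


if __name__ == "__main__":
    released, evidence = handoff(example_dirty_state(), example_baseline(), NOW)
    print("released:", released)
    print(json.dumps(evidence, indent=2))
```

The gate deliberately refuses to release a device on a failed first check rather than trusting a sign-out button: the reset is only considered done when a second check against the same baseline returns no findings, and that second verdict is the evidence the owner keeps.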
Common Variations and Edge Cases
Tighter handoff control often increases operational friction, requiring organisations to balance user throughput against assurance that no prior access survives the reset. That tradeoff matters most where the device is shared by staff, contractors, and temporary workers, or where the device also accesses privileged systems. In those settings, a simple sign-out policy is usually not enough.
Best practice is evolving for environments that mix human users with always-on applications or embedded agent workflows. If a shared device also hosts automation, then responsibility must separate human session handling from machine credential handling. The human user may be the last person to touch the device, but the programme that owns the access path still owns the cleanup. This is especially important when the device stores long-lived tokens or supports offline operation, because stale access can survive longer than the shift that created it.
There is no universal standard for this yet, but the direction is clear: accountability should follow control. If the team cannot force logout, rotate credentials, or prove the reset, it does not truly own the risk. That is why NHIMG's analysis of the DeepSeek breach is relevant as a cautionary example of how exposed credentials and residual access quickly become systemic problems once they escape the intended boundary.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Shared-device leftovers are a lifecycle failure in non-human access handling. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and authorisations must be managed and enforced, which includes session termination and reassignment of shared endpoints. |
| NIST AI RMF | Govern function | Accountability for autonomous or shared access depends on governance and traceable ownership. |
Assign a named owner for access lifecycle, evidence, and incident response across the device workflow.