Who is accountable when identity governance is delivered through a managed service?

The service provider may operate the process, but the customer organisation remains accountable for access decisions, review outcomes, and audit evidence. Governance ownership cannot be outsourced. Teams should define decision rights, escalation paths, and evidence retention requirements before relying on a managed identity model.

Why This Matters for Security Teams

Managed identity services often improve scale and consistency, but they do not change the accountability model. The provider may execute access reviews, joiner-mover-leaver workflows, or privilege provisioning, yet the customer organisation still owns the risk decisions, approval criteria, and evidence retention. That distinction matters most when auditors ask who approved access, who reviewed exceptions, and who accepted residual risk.

In NHI environments, this is not a theoretical concern. NHIs outnumber human identities by 25x to 50x in modern enterprises, and NHI governance gaps are already visible in breach data and lifecycle failures. NHI Management Group’s Ultimate Guide to NHIs highlights how visibility and rotation gaps compound over time, while the NIST Cybersecurity Framework 2.0 reinforces that governance remains a customer responsibility even when controls are operationalised by a third party.

In practice, many security teams discover this only after an access exception, audit finding, or incident has already exposed the absence of clear decision ownership.

How It Works in Practice

A managed service can run the mechanics of identity governance, but it should do so under customer-defined policy, thresholds, and escalation rules. The customer organisation determines who may approve access, what evidence must be captured, how often reviews must occur, and when exceptions must be escalated. The provider then executes those rules and returns logs, attestations, and workflow outcomes. That operating model aligns with Ultimate Guide to NHIs — Regulatory and Audit Perspectives, which frames governance as an evidence-producing control, not just a service activity.

For managed identity governance to stand up in audits, organisations should define:

  • Decision rights for approvals, denials, and exception acceptance
  • Review cadence for privileged NHIs, service accounts, and API keys
  • Evidence format, retention period, and immutable storage requirements
  • Escalation paths when the provider cannot complete a review or when risk is unresolved
  • Responsibilities for rotation, revocation, and post-incident remediation

This is especially important for non-human identities because governance failures often cluster around stale access, missing offboarding, and weak visibility. The NHI Lifecycle Management Guide is useful here because lifecycle ownership is where managed service boundaries most often fail. Current guidance suggests that organisations should also map the service into their own control framework, including continuous monitoring and exception handling, rather than treating the provider as the control owner.

These controls tend to break down when the managed service is given approval authority without customer-approved policy guardrails, because operational speed then replaces accountable decision-making.

Common Variations and Edge Cases

Tighter outsourcing often increases operational convenience, but it requires organisations to balance efficiency against evidence quality and decision control. That tradeoff becomes more visible in hybrid models where a provider performs routine reviews but the customer retains approval for high-risk accounts or emergency access.

There is no universal standard for this yet, but best practice is evolving toward a split model: the provider administers the workflow, while the customer approves the policy and owns the final risk decision. This matters when regulated data, shared administrative platforms, or third-party integrations are involved, because the provider may not have enough business context to judge whether access is appropriate.

Edge cases include delegated administration, offshore operations, and multi-tenant managed services. In those environments, teams should insist on separate evidence trails, named approvers, and service-level commitments for review completion. If the provider uses automation, the customer still needs to know which decisions are fully automated, which are sampled, and which require human review. The practical test is simple: if an auditor asks who accepted the risk, the answer cannot be “the vendor” alone. Where this model fails most often is in organisations that outsource tooling before defining governance ownership, because the contract then describes operations but not accountability.
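One way to make that practical test mechanical, as an added example that is not from the article or any provider: the customer's policy (the decision rights, review cadence, evidence and escalation items listed under How It Works in Practice, plus the automated/sampled/human classification above) is encoded once, and every review record the provider returns is checked against it. The record fields, approver addresses, cadences and dates are assumed and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Customer-defined policy. Values are assumed for illustration only.
REVIEW_CADENCE_DAYS = {"privileged_nhi": 30, "service_account": 90, "api_key": 90}
CUSTOMER_APPROVERS = {"alice@customer.example", "bob@customer.example"}
DECISION_MODES = {"automated", "sampled", "human"}
TODAY = date(2024, 5, 20)  # constructed "as of" date for the sample run

@dataclass
class ReviewRecord:  # one review outcome as the provider returns it (constructed shape)
    identity: str
    kind: str            # privileged_nhi | service_account | api_key
    reviewed_on: date
    approver: str        # named person who accepted the residual risk
    decision_mode: str   # automated | sampled | human
    exception: bool      # access kept despite failing policy
    escalated: bool      # exception raised to the customer
    evidence_ref: str    # pointer into immutable evidence storage

def check_record(rec: ReviewRecord, today: date) -> list[str]:
    """Return the accountability gaps in one record; empty list means it stands up."""
    gaps = []
    cadence = REVIEW_CADENCE_DAYS.get(rec.kind)
    if cadence is None:
        gaps.append("no review cadence defined for this identity kind")
    elif today - rec.reviewed_on > timedelta(days=cadence):
        gaps.append("review older than customer-defined cadence")
    if rec.approver not in CUSTOMER_APPROVERS:
        gaps.append("approver is not a named customer decision-maker")
    if rec.decision_mode not in DECISION_MODES:
        gaps.append("decision mode not declared (automated/sampled/human)")
    if rec.exception and not rec.escalated:
        gaps.append("exception accepted without escalation to the customer")
    if rec.exception and rec.decision_mode != "human":
        gaps.append("exception decided without human review")
    if not rec.evidence_ref:
        gaps.append("no immutable evidence reference")
    return gaps

def audit(records: list[ReviewRecord], today: date = TODAY) -> dict[str, list[str]]:
    """Map each identity to its gaps so an auditor can see who accepted what."""
    return {r.identity: check_record(r, today) for r in records}

# Constructed sample: one clean record and one that fails the practical test.
SAMPLE = [
    ReviewRecord("svc-payments", "service_account", date(2024, 5, 1),
                 "alice@customer.example", "human", False, False, "ev://a1"),
    ReviewRecord("ci-deploy-key", "api_key", date(2024, 1, 2),
                 "ops@vendor.example", "automated", True, False, ""),
]
```

Running `audit(SAMPLE)` leaves `svc-payments` with no gaps, while `ci-deploy-key` is flagged for a stale review, a vendor-side approver, an unescalated exception decided without human review, and missing evidence.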

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | GV.RM-01 | Governance risk ownership stays with the customer, even in managed services. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Managed services must still control NHI access, review, and accountability. |
| NIST AI RMF | GOVERN | Delegated identity governance needs explicit accountability and oversight. |

Define NHI ownership, review evidence, and exception handling before outsourcing operations.