Ownership should be shared across SOC, IAM, and the business function that controls the affected workflow, because the incident often spans mailbox, account, and transaction layers. A clean handoff model is less important than a single escalation path that can contain access and freeze risky actions quickly.
Why This Matters for Security Teams
When phishing turns into an identity incident, the problem is rarely confined to email. A stolen session, recovered mailbox, or consent grant can become a pathway into IAM, SaaS, finance, and even privileged workflows. That is why response ownership cannot sit with a single queue. The practical question is who can contain access fastest while preserving evidence and keeping the business process from being abused.
Current guidance suggests that response should be coordinated across SOC, IAM, and the business owner of the affected workflow, with one incident lead to prevent duplicated actions and missed containment. This is especially important where phishing leads to token theft, OAuth abuse, or mailbox rule manipulation. The breach pattern described in NHIMG research on 52 NHI Breaches Analysis shows how identity compromise often spills beyond the initial entry point. In practice, many security teams discover the real blast radius only after the attacker has already used the account to trigger transactions or alter access paths.
How It Works in Practice
The cleanest operating model is a shared response path with role clarity, not a rigid handoff. SOC usually detects the phishing event, confirms indicators of compromise, and preserves evidence. IAM owns account containment, session revocation, password resets, token invalidation, conditional access tightening, and step-up authentication. The business function owns the workflow that can be abused, such as payments, payroll, customer communications, or procurement approvals.
That division matters because phishing incidents often involve multiple identity layers at once. A mailbox compromise can expose reset links. A stolen browser session can bypass password changes. A consented app can persist after the user account is recovered. NIST guidance on incident response and identity assurance supports rapid containment, while CISA’s phishing guidance reinforces the need to isolate accounts, revoke access, and search for lateral movement rather than treating the case as a simple user-awareness issue.
One practical pattern is to define an incident commander who can issue a single containment decision while the SOC and IAM teams execute parallel actions. That command path should include:
- Immediate session and token revocation for the suspected identity
- Mailbox rule and forwarding review for persistence
- Privilege check for delegated access, app consent, and service account linkage
- Business process freeze where payment, approval, or data export risk exists
- Post-containment review to confirm no secondary identities were exposed
NHIMG’s Ultimate Guide to NHIs is useful here because phishing often lands on humans but the durable risk frequently sits in the identities, tokens, and secrets attached to the workflow. That becomes more severe in environments with shared mailboxes, delegated admin, and automations that can continue operating after the user is locked out. These controls tend to break down when the business process depends on a single mailbox or approval account because containment slows operations and responders hesitate to revoke access quickly.
Common Variations and Edge Cases
Tighter containment often increases operational friction, requiring organisations to balance speed of lockout against continuity for revenue, support, and operations. That tradeoff is real, especially when a phishing event hits executives, finance staff, or shared service queues. Best practice is evolving, but current guidance suggests treating the workflow as the asset, not just the user account.
Some cases need broader ownership than a standard phishing response. If the attacker used OAuth consent, the IAM team may need to review enterprise app permissions and downstream service identities. If the phishing message triggered payroll changes or vendor payment fraud, finance or procurement must own the business-side freeze. If the incident affected a service account or automation account, the response should include secrets rotation and dependency mapping, not only user recovery. That is why NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now matters to this question: identity incidents routinely outlive the initial phishing message.
There is no universal standard for ownership in every organisation, but the most resilient model assigns one incident lead, one containment authority, and one business decision maker for the affected workflow. Where that does not exist, response usually fragments across ticket queues, and the attacker keeps using the valid session longer than defenders expect.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | RS.RP-1 | Defines how response plans should be executed during an identity-driven phishing incident. |
| NIST SP 800-63 | IAL/AAL | Phishing response often depends on assurance of the account and session being recovered. |
| OWASP Non-Human Identity Top 10 | NHI-08 | Identity incidents often involve exposed secrets, tokens, or excessive access tied to the workflow. |
Revoke compromised credentials fast and validate downstream access paths after phishing containment.
Related resources from NHI Mgmt Group
- Who should own response when credential theft crosses endpoint and identity controls?
- Who should own response when LLM abuse becomes a phishing channel?
- Who should own identity context for incident response and SOC operations?
- Who should own identity risk when governance spans IAM, PAM, and security operations?
