Subscribe to the Non-Human & AI Identity Journal

Who should be accountable when an unplanned system change has no matching change record?

The accountable owner should be the person or team responsible for the configuration item, with the change routed back through the governance process for review and remediation. If no owner can be identified, that is itself a control failure. Change governance must make ownership visible before the incident matures.

Why This Matters for Security Teams

An unplanned system change without a matching change record is not just a documentation gap. It means the organisation has lost the chain of accountability for a configuration item, and that loss weakens incident response, auditability, and post-change verification. In mature environments, the accountable owner is expected to be visible before the change is executed, not reconstructed after the fact. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which is a useful reminder that ownership gaps are often systemic, not exceptional.

This is why change governance should be treated as an identity and control problem, not only an ITIL workflow issue. If a configuration changed without approval, the first question is who had authority over that asset, then whether the change was intentional, emergency-driven, or unauthorized. A control that cannot attribute action to a responsible owner cannot reliably support rollback, root-cause analysis, or segregation of duties. The NIST Cybersecurity Framework 2.0 reinforces the need for governed ownership and traceable response activities. In practice, many security teams discover missing ownership only after the change has already affected production behaviour.

How It Works in Practice

The accountable owner should normally be the person or team assigned to the affected configuration item, application, platform, or service account. That owner is responsible for validating whether the change was authorised, raising the record if it was not, and ensuring remediation happens through the formal process. If the change came from automation, the owner is still accountable for the system that initiated it, even when no human clicked a button. In other words, automation does not remove accountability; it shifts the burden to whoever provisioned, configured, or operated the control plane.

In a practical change workflow, teams usually need three pieces of evidence: who owns the asset, what was changed, and whether a ticket or approval existed at the time. If those cannot be linked, the response should be to freeze further drift, compare the current state to the approved baseline, and route the issue through incident and change management together. This is especially important for NHIs, where hidden credentials and service accounts can modify systems without leaving a clear human trail. NHI Mgmt Group’s Ultimate Guide to NHIs highlights the scale of visibility problems that make this attribution hard in the first place.

  • Map every production asset to a named business owner and a technical owner.
  • Require change records for human and automated changes, including emergency changes.
  • Use baseline comparison to detect drift when no approved record exists.
  • Escalate unresolved ownership gaps as control failures, not administrative exceptions.

Current guidance suggests pairing change records with configuration management data so the owner can be verified quickly and consistently. These controls tend to break down in highly dynamic environments such as ephemeral cloud infrastructure or agent-driven automation, because the asset can change faster than the record is created.

Common Variations and Edge Cases

Tighter change control often increases operational overhead, requiring organisations to balance speed against traceability. That tradeoff becomes more visible during emergency fixes, vendor-managed updates, and automated deployments where the change may be valid but still not properly recorded. Best practice is evolving, but there is no universal standard for whether the accountable owner should be the product owner, platform owner, service owner, or change approver in every case; the key is that one clearly named party must own the asset and the outcome.

There are also edge cases where the “owner” is shared across teams, such as jointly managed infrastructure or outsourced operations. In those situations, accountability should not be diluted into a committee. One team still needs explicit authority for record creation, approval escalation, and remediation sign-off. Where an unplanned change comes from an NHI such as a service account or API key, the owner of the workload and the owner of the secret both need to be visible, because hidden non-human access often masks the true source of the change. The broader governance challenge is described well in the NIST Cybersecurity Framework 2.0, especially where asset accountability and recovery discipline intersect.

In practice, organisations get into trouble when they treat missing records as a paperwork issue instead of evidence that ownership, approval, or automation boundaries are not under control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 Unplanned changes without records are a governance and oversight failure.
OWASP Non-Human Identity Top 10 NHI-01 Hidden service-account ownership is central when changes lack traceable accountability.
NIST AI RMF AI governance emphasizes accountability for automated actions and system outcomes.

Assign explicit ownership and review drift events through governed oversight before remediation closes.