Subscribe to the Non-Human & AI Identity Journal

Who should own compliance controls in a crypto business?

Ownership should be shared across legal, compliance, security, and platform teams, but the control evidence should sit in the identity layer. Each regulated process needs a named owner, an approval path, and a review cycle. If no identity can be held accountable for the action, the control is not operationally complete.

Why This Matters for Security Teams

In a crypto business, compliance ownership fails when it is treated as a policy document instead of an operational control. Trading, custody, settlement, wallet operations, and KYC each create different identity risk, but regulators still expect clear accountability, evidence, and review. NHI controls matter because the systems executing these obligations are often service accounts, API keys, signing jobs, and automation pipelines rather than people. That makes the identity layer the only durable place to anchor evidence and approval history.

This is why NHI governance has to be tied to audit-ready process ownership, not just security tooling. NHI Mgmt Group’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives frames the control problem correctly: if a process cannot be tied to a named identity and a review cycle, it is not operationally complete. The broader control structure should map cleanly to the NIST Cybersecurity Framework 2.0, especially where governance, access control, and evidence retention intersect.

In practice, many security teams encounter control failures only after auditors ask who approved access, who reviewed it, and which identity actually exercised it.

How It Works in Practice

The practical model is shared ownership with identity-backed evidence. Legal defines the regulatory obligation, compliance defines the control requirement, security defines the access and monitoring standard, and platform teams implement the workflow. But the control itself should live where execution happens: in the identity layer that governs service accounts, API keys, signing identities, and automated approvals. That means each regulated process needs three things: a named owner, a documented approval path, and a review cadence tied to the identity that performs the action.

For example, a withdrawal approval workflow should not rely on a shared team mailbox or manual ticket alone. It should bind the action to a specific workload identity, store approval evidence with that identity, and enforce revocation or rotation if ownership changes. NHI Mgmt Group’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because lifecycle control is what turns compliance intent into auditable operation. For a quick control inventory, the Top 10 NHI Issues also highlights where ownership breaks down most often, especially around rotation, offboarding, and overprivilege.

  • Assign one business owner per regulated process, not per tool.
  • Bind approvals to a workload or automation identity, not a shared human inbox.
  • Track evidence in the same system that issues and revokes access.
  • Review privileged identities on a fixed schedule, with exception handling.
  • Revoke or rotate credentials when ownership, scope, or purpose changes.

Current guidance suggests that compliance evidence becomes far more defensible when it is attached to the identity that executes the control, rather than recreated later from tickets and spreadsheets. These controls tend to break down in highly automated crypto environments because fast-moving deployment pipelines and ad hoc emergency access make it easy for ownership to drift away from the actual identity performing the regulated action.

Common Variations and Edge Cases

Tighter ownership rules often increase operational overhead, so organisations have to balance audit clarity against speed, especially in markets where trading and custody changes happen quickly. There is no universal standard for this yet, but best practice is evolving toward shared accountability with explicit control handoffs rather than single-team ownership of everything.

One edge case is emergency response. During incident containment or wallet compromise events, temporary control may shift to security, but the identity used for emergency actions still needs a post-incident review trail. Another is vendor-operated infrastructure, where compliance may remain internal while platform execution sits with a third party. In those cases, contract language alone is not enough; the business must still know which identity performed the action and which team approved it. The Ultimate Guide to NHIs — Standards section is helpful for mapping these controls to repeatable identity practices without confusing policy ownership with operational accountability.

For control design, the key question is not who wrote the policy, but who can prove the control ran, when it ran, and under which identity. That distinction is what makes a crypto compliance program auditable instead of merely documented.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OC-01 Defines governance ownership and accountability for regulated processes.
OWASP Non-Human Identity Top 10 NHI-05 Covers lifecycle ownership and evidence for non-human identities in regulated workflows.
NIST SP 800-63 AAL2 Identity assurance matters when regulated actions need strong proof of actor integrity.

Bind approvals, reviews, and revocation to the workload identity that performs the control.