Subscribe to the Non-Human & AI Identity Journal

Who is accountable for hybrid identity risk when control is split between platforms?

Accountability sits with the organisation, not the platform. Hybrid identity risk becomes a governance issue when no single team owns the combined access model across cloud and on-premises systems. Security, IAM, and infrastructure leaders need shared responsibility for policy, review, and remediation across the full identity estate.

Why This Matters for Security Teams

hybrid identity risk becomes difficult to govern when cloud IAM, on-prem directory services, PAM, and infrastructure teams each control only part of the access path. The technical issue is not just inconsistency. It is fragmentation of accountability, which creates gaps in review, incident response, and remediation. NIST Cybersecurity Framework 2.0 treats governance as a first-class function, and that matters here because identity risk cannot be reduced to a single platform control.

NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, while 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, a reminder that partial ownership often means partial detection. The Ultimate Guide to NHIs is clear that identity sprawl becomes a governance problem before it becomes a technical one. Security teams should treat split control as a design flaw in operating model, not a reason to defer responsibility to the platform owner alone. In practice, many security teams encounter drift, stale access, and delayed revocation only after an incident exposes the missing handoff between teams.

How It Works in Practice

Accountability in a hybrid environment should be assigned to the organisation through a named identity risk owner, with execution shared across the teams that operate each control plane. That means cloud platform teams manage cloud-side enforcement, directory teams manage authoritative identity sources, PAM teams govern privileged elevation, and security owns policy, oversight, and exception handling. Current guidance suggests that ownership should follow the risk, not the platform boundary.

A workable model usually includes:

  • one control owner for policy decisions and risk acceptance
  • one operational owner for each identity domain, such as AD, Entra ID, IAM, or PAM
  • shared metrics for access review completion, orphaned accounts, and revocation latency
  • formal escalation paths for conflicts between platform teams
  • documented mapping between human, service, and workload identities

This is also where visibility matters. The Ultimate Guide to NHIs — Key Challenges and Risks highlights how secrets, service accounts, and machine credentials often sit outside the normal review cycle. NIST CSF 2.0 reinforces the need to identify, protect, detect, respond, and recover across the full identity estate, not just within one toolset. In mature programs, teams align reviews to the same inventory, same policy baseline, and same remediation SLA, so no platform can claim the risk is “somewhere else.” These controls tend to break down when hybrid estates have no authoritative inventory and each platform team uses different lifecycle rules for the same identity.

Common Variations and Edge Cases

Tighter shared-accountability models often increase coordination overhead, requiring organisations to balance faster local operations against stronger enterprise oversight. That tradeoff becomes sharper when cloud teams move quickly but legacy systems still depend on manual approvals or static service accounts. There is no universal standard for exactly where control ownership should sit, but best practice is evolving toward a federated model with central governance and local enforcement.

Edge cases usually appear in mergers, outsourced operations, and environments that mix contractor access with machine-to-machine trust. In those cases, the question is not whether a vendor or platform administers the control, but whether the organisation can prove who approved it, who reviews it, and who revokes it when the business need ends. The 52 NHI Breaches Analysis shows how failures in ownership and visibility recur across incidents even when the underlying platforms differ. External guidance such as the NIST Cybersecurity Framework 2.0 supports the same conclusion: governance must be explicit, measurable, and reviewed continuously. Where responsibility is split but not documented, no one owns the last mile of remediation, and that is where exposure persists.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Hybrid identity risk is a governance and risk ownership problem.
OWASP Non-Human Identity Top 10 NHI-01 Split control often leaves NHI ownership, inventory, and lifecycle gaps.
NIST AI RMF GOVERN Shared platform control requires formal governance and accountability.

Maintain a complete NHI inventory and explicit ownership for every service and workload identity.