Ownership should sit with IAM or identity security, with the service desk operating the workflow under policy rather than controlling the policy itself. That distinction matters because password recovery affects authentication assurance, directory state, and audit evidence. If the process is owned only as a support function, security requirements tend to erode over time.
Why This Matters for Security Teams
Password reset and account unlock are not simple help desk tasks. They are identity recovery controls that can weaken authentication assurance, trigger audit findings, and create a back door into privileged access if ownership is unclear. The control owner has to balance user availability with proof of identity, recovery evidence, and directory hygiene. NIST Cybersecurity Framework 2.0 treats identity as a core security capability, not an afterthought, which is why governance should sit with IAM or identity security rather than with a generic support function.
That distinction matters because service desk teams optimise for speed and ticket closure, while security teams must optimise for risk reduction, exception control, and evidence retention. NHIMG’s Top 10 NHI Issues highlights how lifecycle mistakes and weak operational ownership turn routine processes into recurring exposure. The same pattern appears in human account recovery: if policy is not owned by identity security, reset rules tend to drift, escalation paths become informal, and unlock exceptions get normalized. In practice, many security teams discover recovery abuse only after a compromised account has already been used for lateral movement.
How It Works in Practice
The clean operating model is a split between policy ownership and workflow execution. IAM or identity security should define who can reset passwords, who can unlock accounts, what proof is required, what approval is needed for exceptions, and what evidence must be logged. The service desk can execute the workflow, but only within those guardrails. This lines up with the governance and audit emphasis in NHIMG’s Regulatory and Audit Perspectives guidance, where accountability and traceability are treated as first-class controls.
Practitioners usually harden the process in five places:
- Identity proofing and step-up verification before any reset or unlock action.
- Separate policies for self-service reset, service desk-assisted reset, and privileged account recovery.
- Strict logging of requester, approver, technician, timestamps, and directory changes.
- Reauthentication after unlock, especially for high-risk users or recent anomalous activity.
- Periodic review of reset rates, unlock reasons, and exception patterns to find abuse or process failure.
For standards alignment, NIST CSF 2.0 and related identity guidance frame this as a governance and access-control problem, not just a support workflow. Current guidance suggests that recovery actions should be as tightly controlled as initial authentication, because attackers often target the recovery path when primary credentials are protected. NHIMG’s Lifecycle Processes for Managing NHIs reinforces the same lifecycle principle: operational convenience cannot outrank state control, expiry discipline, and reviewability. These controls tend to break down in large federated environments because multiple directories, local exceptions, and outsourced support desks make policy consistency hard to enforce.
Common Variations and Edge Cases
Tighter recovery control often increases friction, so organisations have to balance user downtime against the risk of account takeover. That tradeoff becomes sharper for executives, privileged admins, contractors, and users in regulated environments, where a mistaken unlock can be more damaging than a delayed ticket.
There is no universal standard for every recovery scenario yet, but best practice is evolving toward risk-based governance. For example, privileged accounts often need out-of-band verification, manager approval, or stronger step-up checks than ordinary user accounts. Break-glass accounts should usually sit outside normal password reset flows altogether and be managed through separate PAM procedures. If the enterprise uses outsourced service desk operations, the vendor should execute the scripted workflow while IAM retains policy authority, exception approval criteria, and audit ownership.
NHIMG’s research on Why NHI Security Matters Now is a useful reminder that identity controls fail when operational ownership is blurred. The same operational reality applies here: recovery controls erode fastest when the team running the ticketing queue is also allowed to rewrite the rules.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Covers identity proofing and access control for account recovery. |
| NIST SP 800-63 | IAL2 | Identity assurance is central when validating who may recover access. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Recovery workflows can expose credentials if governance is weak. |
Treat password reset paths as sensitive identity lifecycle controls with auditable ownership.