Subscribe to the Non-Human & AI Identity Journal

Who is accountable for MFA and session governance on on-prem application delivery?

Accountability should sit with the identity and access team, working with infrastructure owners, because the control is part of the authentication and access decision. NIST-style access governance and Zero Trust thinking both assume identity controls follow the access path, not just the application location.

Why This Matters for Security Teams

Accountability for MFA and session governance on on-prem application delivery sits at the point where identity, infrastructure, and access policy intersect. That matters because a session is not just a user convenience layer. It is the control surface that determines who can get in, how long they stay in, and whether privileged actions can be challenged or revoked. NIST CSF 2.0 frames this as a governance and access management issue, not a server-location issue, which is why identity and access teams usually own the control design even when infrastructure teams run the platform.

Security teams often get this wrong by treating MFA as a front-door checkbox and session lifetime as an application setting. In practice, those decisions affect authentication strength, token handling, reauthentication, and revocation across the delivery path. The result is usually inconsistent enforcement, especially when the same application is published through different on-prem gateways or remote access layers. The Top 10 NHI Issues research shows how quickly control gaps appear when identity ownership is split across teams, even before a formal incident occurs. In practice, many security teams encounter weak session governance only after an access path has already been abused, rather than through intentional design.

How It Works in Practice

The practical split is usually straightforward: identity and access management defines the MFA policy, session rules, and reauthentication standards, while infrastructure or platform owners implement them in the delivery stack. On-prem application delivery often includes VPNs, reverse proxies, application gateways, SSO brokers, or privileged access layers, and each component may enforce a different part of the control. That is why accountability should follow the access path end to end, not stop at the application server.

A workable operating model usually includes three layers:

  • MFA policy design by identity and access, including step-up requirements for sensitive applications and privileged actions.
  • Session governance by identity and access, including idle timeout, absolute timeout, token revocation, and reauthentication triggers.
  • Platform implementation by infrastructure owners, who configure the gateway, proxy, or access broker to enforce the approved standard.

This division aligns with the NIST Cybersecurity Framework 2.0, which places access control and governance under accountable security functions rather than under application hosting alone. It also matches the lifecycle view in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, where identity controls must be managed continuously, not only at onboarding. For audit purposes, the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is especially useful because it reinforces that ownership, evidence, and enforcement must be traceable.

In mature environments, identity teams also define how long sessions last for different risk tiers, whether device trust is required, and when a session must be reverified after network change or privilege escalation. Infrastructure teams then translate those rules into gateway policy, SSO settings, and proxy configuration. These controls tend to break down when legacy on-prem delivery stacks cannot support centralized session enforcement because teams fall back to app-by-app exceptions and manual review.

Common Variations and Edge Cases

Tighter session governance often increases operational friction, requiring organisations to balance stronger access control against user disruption and support overhead. That tradeoff is real, especially for high-frequency internal applications, shared workstations, or legacy systems that cannot handle modern federated authentication cleanly.

There is no universal standard for this yet across every on-prem architecture, so current guidance suggests using the identity team as policy owner and the infrastructure team as control operator. In some environments, the help desk or endpoint team may administer MFA enrollment workflows, but that should not mean they own the policy decision. Likewise, an application owner may request exceptions, but exceptions should be approved through identity governance and recorded as compensating controls.

The hardest edge case is hybrid delivery, where one application is exposed through multiple paths such as direct network access, a remote access broker, and a web portal. In those cases, accountability must include all access paths or the weakest path becomes the real policy. The 2024 ESG Report: Managing Non-Human Identities shows how governance gaps become visible only after control failure, and the same pattern applies to session control in mixed environments. Best practice is evolving, but the operational rule remains consistent: the team that defines access assurance should own MFA and session policy, even when another team runs the hardware.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA Identity assurance and access control map directly to MFA and session governance.
NIST Zero Trust (SP 800-207) PE-1 Zero Trust places access decisions on identity and context, not system location.
OWASP Non-Human Identity Top 10 NHI-03 Session and credential governance failures often mirror broader NHI control ownership gaps.

Assign identity team ownership for MFA policy, session rules, and access assurance across all delivery paths.