Subscribe to the Non-Human & AI Identity Journal

Who is accountable when an insider collaborates with an external attacker?

Accountability usually spans identity governance, security operations, and the business owner of the access, because the failure is often shared across provisioning, monitoring, and response. Frameworks such as NIST CSF and IAM governance models expect clear ownership of access, logging, and corrective action when trusted identities are abused.

Why This Matters for Security Teams

When an insider works with an external attacker, the question is not only who clicked the wrong button. It is who owned the access path, who watched for misuse, and who had authority to stop it. In NHI-heavy environments, that often means shared accountability across identity governance, SOC monitoring, and the business owner that approved the access. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now shows why this matters: NHIs outnumber human identities by 25x to 50x, so a single insider-assisted compromise can touch many more systems than a human-only account abuse case.

The practical risk is that insiders rarely need broad technical sophistication if the organisation has over-permissive service accounts, stale API keys, or weak review of delegated access. That is why current guidance from CISA cyber threat advisories and NIST-aligned governance both emphasise logging, privilege review, and timely corrective action after abnormal access. In practice, many security teams only discover insider collaboration after exfiltration, not through a clean escalation path or a deliberate control checkpoint.

How It Works in Practice

Accountability should be assigned by control domain, not by a single scapegoat. The insider may have abused legitimate access, but the organisation still has to answer whether access was necessary, whether the session was monitored, and whether the response was fast enough. For NHI and agentic workloads, NHIMG research and the broader industry view both point to the same issue: the weakest point is often the credential lifecycle, not just the person using it. The Top 10 NHI Issues and the 52 NHI Breaches Analysis both reinforce that excessive privilege, weak rotation, and poor visibility are common contributors.

In practice, a defensible accountability model usually includes these roles:

  • Identity governance owns approval, entitlement review, and revocation for the account or secret.
  • Security operations owns detection, alert triage, and containment when the account is misused.
  • The business or system owner owns whether the access was justified for the workflow and whether the risk was acceptable.
  • Legal, HR, and incident response may join if there is evidence of collusion, policy violation, or data theft.

Operationally, teams should preserve logs, session records, secret rotation history, and approval trails so the investigation can separate insider misuse from control failure. The best next step is usually to validate whether the access was over-scoped, whether the insider could bypass normal checks, and whether third-party or service-account exposure enabled the external attacker. These controls tend to break down in environments with shared admin accounts, poor service-account ownership, or secrets embedded in CI/CD systems because attribution becomes ambiguous and containment takes too long.

Common Variations and Edge Cases

Tighter accountability often increases friction, requiring organisations to balance faster collaboration against stronger evidence, escalation, and approval discipline. Where the insider had legitimate delegated authority, blame is rarely binary; current guidance suggests separating policy breach from control failure so remediation is accurate. That distinction matters because a well-run organisation may still have a process gap even when an employee acted maliciously.

Edge cases often appear when the insider is a contractor, when the external attacker used a compromised non-human identity, or when the access was granted through a shared platform role rather than a named person. In those cases, the question is whether the organisation maintained clear ownership of the identity, secret, and workload. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it frames excessive privilege, poor rotation, and limited visibility as structural problems, not isolated mistakes.

For incident review, the most useful practice is to document three findings separately: who performed the action, which control failed to stop it, and which owner was responsible for that control. That approach is more actionable than assigning all blame to the insider or all blame to security. It also aligns with the reality described in Anthropic’s report on AI-orchestrated cyber espionage and MITRE’s adversarial framing, where abuse chains often span multiple identities and control layers. The model breaks down most sharply when ownership is unclear across SaaS admins, service accounts, and outsourced operations.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA-01 Identity proofing and accountability are central when insider misuse is suspected.
NIST CSF 2.0 PR.AC-4 Least-privilege access is often the control that failed before collusion became damaging.
OWASP Non-Human Identity Top 10 NHI-01 Compromised or mismanaged non-human identities often enable the attacker side of the collaboration.

Assign each access path to an owner and require traceable authentication and review.