Subscribe to the Non-Human & AI Identity Journal

Who is accountable when AI-assisted decisions affect public services?

Accountability sits with the agency that approves the workflow, the teams that control access to data and models, and the owners of the business process being automated. If the system cannot produce traceable evidence for a decision, accountability is incomplete. That is why audit logs, policy rules, and data lineage must be part of the operating model.

Why This Matters for Security Teams

When AI-assisted decisions influence public services, the core issue is not whether the model “decided” correctly. The issue is whether the agency can show who approved the workflow, what data informed it, which policy constrained it, and how exceptions were handled. That aligns with control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where auditability and access governance are required.

This matters because public-sector automation can create distributed accountability gaps. The business owner may assume the platform team is responsible, the platform team may assume the policy team owns the decision logic, and the data team may not realise its lineage choices affect the final outcome. NHIMG research on the DeepSeek breach shows how quickly exposed secrets and weak control boundaries can turn AI systems into enterprise risk amplifiers. In practice, many security teams encounter accountability failures only after a contested decision, a complaint, or an audit request has already exposed the missing evidence trail.

How It Works in Practice

Accountability in public services should be treated as an operating model, not a one-time approval. The agency that authorises the use case remains accountable for the service outcome, while technical teams are accountable for the controls that make the outcome defensible. That means the decision path needs clear ownership for model selection, training or tuning data, prompt or policy logic, access to sensitive records, and human override authority.

Practitioners usually need three layers of evidence:

  • decision provenance, showing what inputs and rules produced the output
  • access provenance, showing who or what system could read, write, or trigger the AI workflow
  • change provenance, showing when prompts, models, policies, or datasets changed

For AI-specific governance, current guidance suggests pairing NIST AI RMF with operational controls from NIST SP 800-53 Rev 5 Security and Privacy Controls so accountability is not just documented but testable. For agentic or workflow-driven systems, the organisation also needs to know whether an AI agent had execution authority, whether it could call tools, and whether its actions were bounded by policy. That intersection is especially important when NHI credentials, service accounts, or API keys can be used to trigger public-service decisions at machine speed.

In practical terms, agencies should define a named decision owner, separate model operators from approvers, log every material override, and retain evidence long enough for complaints, investigations, and statutory reviews. These controls tend to break down when legacy case-management systems, multiple contractors, and loosely governed AI APIs all participate in the same decision chain because no single team can reconstruct the full path after the fact.

Common Variations and Edge Cases

Tighter decision controls often increase operational overhead, requiring organisations to balance faster service delivery against stronger review and evidence requirements. That tradeoff becomes sharper in high-volume public services, where automated triage can reduce backlog but also increases the risk of opaque edge-case handling.

There is no universal standard for this yet, but best practice is evolving toward differentiated accountability. Low-risk recommendations may be approved at a process level, while high-impact decisions such as eligibility, enforcement, benefits, or public safety should require explicit human review and stronger traceability. The key edge case is partial automation: if an AI system only drafts a recommendation, accountability still sits with the approving authority, but the organisation must be able to explain how the draft was generated and why it was accepted or rejected.

Another common failure mode is shared platforms. When one model serves multiple agencies or departments, accountability must follow the decision domain, not the infrastructure layer. NHIMG’s research on the broader secrets and access problem in The State of Secrets in AppSec reinforces a practical point: if access to credentials, prompts, or models is fragmented, accountability becomes harder to prove even when the policy is sound. In public-sector settings, that gap is usually exposed during incident response, legal challenge, or a freedom-of-information review, not during initial deployment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack surface, NIST AI RMF and NIST CSF 2.0 set the technical controls, and EU AI Act define the regulatory obligations.

Framework Control / Reference Relevance
NIST AI RMF AI governance needs explicit accountability, traceability, and oversight for public-service decisions.
NIST CSF 2.0 GV.OV Oversight and governance map directly to accountable operation of AI-assisted public services.
OWASP Agentic AI Top 10 Agentic systems need bounded execution authority and traceable tool use to preserve accountability.
EU AI Act High-risk public-sector AI requires defined responsibilities, oversight, and recordkeeping.

Use governance controls to define approvers, escalation paths, and audit evidence for each AI workflow.