Subscribe to the Non-Human & AI Identity Journal

Who should own account recovery policy in a zero-knowledge password system?

Identity and security teams should own it jointly, because recovery is an access control decision, not a help desk shortcut. In a zero-knowledge model, recovery settings determine whether the organisation can restore access without weakening secret confidentiality or handing administrators uncontrolled visibility into vault contents.

Why This Matters for Security Teams

In a zero-knowledge password system, account recovery is not a convenience feature. It is the control point that decides whether access can be restored without breaking the promise that no operator can read user secrets. That makes ownership a governance question, not a support ticket workflow. Security teams usually own the risk model, while identity teams own the recovery mechanics, and both have to agree on the abuse cases that matter.

The risk is material because recovery often becomes the easiest path for attackers, insiders, or rushed administrators. NHI Management Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 96% of organisations still store secrets outside of secrets managers in vulnerable locations, according to the Ultimate Guide to NHIs. That same governance pressure applies here: once recovery bypasses normal assurance, the system stops being zero-knowledge in practice.

Current guidance from the NIST Cybersecurity Framework 2.0 and NIST control families supports clear ownership, access review, and recovery assurance, but there is no universal standard for zero-knowledge recovery ownership yet. In practice, many security teams encounter recovery abuse only after a lockout, insider request, or support escalation has already exposed a weak path.

How It Works in Practice

Effective ownership usually splits into two layers. Identity engineering designs the recovery flow, while security sets the approval rules, assurance thresholds, and audit requirements. That means defining who can initiate recovery, what evidence is required, how many approvals are needed, and whether the action restores access immediately or places the account into a constrained state first.

For a zero-knowledge system, the recovery design should preserve secret confidentiality even during remediation. That typically means using verifiable recovery factors, delayed activation for high-risk changes, and strong logging that records the event without exposing the vault contents. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because the same lifecycle discipline that applies to NHI onboarding, rotation, and offboarding also applies to recovery state changes.

  • Security should define the recovery policy, including risk thresholds and exception handling.
  • Identity teams should implement the workflow, challenge checks, and revocation logic.
  • Privileged access workflows should require approvals that are separate from the user’s normal admin path.
  • Recovery events should be time-bound, reviewed, and searchable for audit.

This maps cleanly to NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where access enforcement, audit logging, and incident response overlap with identity governance. It also aligns with NHIMG’s regulatory view in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives, which treats recovery as part of the control environment rather than an afterthought.

These controls tend to break down when help desk processes can approve recovery without security review, because that creates an implicit override around secret confinement and auditability.

Common Variations and Edge Cases

Tighter recovery controls often increase user friction and support cost, requiring organisations to balance confidentiality against operational continuity. That tradeoff becomes more visible in regulated environments, high-availability services, and delegated admin models where someone must recover access quickly without creating a standing backdoor.

Best practice is evolving for zero-knowledge systems that use recovery contacts, backup keys, social recovery, or threshold-based approvals. There is no universal standard for this yet, so the ownership model should be explicit in policy: security owns the risk acceptance, identity owns the control implementation, and legal or compliance may need to approve retention or evidence rules where recovery events are considered sensitive records.

Edge cases also matter. If the account controls sensitive infrastructure, recovery may need a break-glass path with stronger approval and shorter expiry. If the platform supports shared or delegated access, the policy must separate account recovery from permission elevation so that restoring access does not automatically restore privilege. The Top 10 NHI Issues is a useful reminder that weak lifecycle governance is usually what turns an operational convenience into an exposure.

In practice, the right owner is not the team that can move fastest, but the team accountable for ensuring recovery cannot become an invisible privilege escalation path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-1 Recovery ownership defines who can grant or restore access.
NIST SP 800-63 AAL Recovery assurance should match the original authentication strength.
NIST SP 800-53 Rev 5 AC-2 Recovery changes account state and access permissions.
OWASP Non-Human Identity Top 10 NHI-03 Recovery paths can weaken NHI secret handling and revocation.

Assign recovery approvals and assurance checks to identity and security owners under a documented access policy.