Subscribe to the Non-Human & AI Identity Journal

Who is accountable when legacy software keeps running after support ends?

Accountability should sit with the application owner, the security team, and the business sponsor jointly. The owner manages the migration or retirement plan, security defines the minimum acceptable controls, and the business sponsor decides whether the residual risk is worth funding. Frameworks such as NIST CSF and ISO 27001 both reinforce the need for clear ownership, documented exceptions, and tracked remediation for unsupported assets.

Why This Matters for Security Teams

Unsupported software rarely stays a contained IT problem. Once vendor support ends, security teams lose timely patches, reliable defect fixes, and a clear assurance baseline, while business teams often assume “it still works” means “it is still acceptable.” That gap creates exposure across vulnerability management, compliance, incident response, and third-party risk. NIST treats ownership and continuous risk treatment as core control discipline in NIST SP 800-53 Rev 5 Security and Privacy Controls, and NHIMG’s Ultimate Guide to NHIs shows how unmanaged identities and secrets create similar “still running, no longer governed” risk patterns in other parts of the stack. The accountability question matters because unsupported assets usually persist due to budget delays, dependency confusion, and weak exception governance, not because anyone explicitly chose to accept the exposure. In practice, many security teams encounter the risk only after an audit finding, a vulnerability scan, or a breach forces the retirement decision rather than through intentional lifecycle management.

Ownership should be explicit, time-bound, and documented. The application owner is responsible for the replacement or decommission plan, the security team defines compensating controls and monitoring, and the business sponsor signs off on residual risk if the system must keep running. That model works only when exceptions are tracked with expiry dates, named approvers, and measurable mitigation tasks. The support-status issue is especially important when the application depends on third-party libraries, API integrations, or service accounts that are themselves long-lived. NHIMG’s research on the Ultimate Guide to NHIs is useful here because unsupported software often also carries unsupported credentials, and those credentials can outlive the application owner’s assumptions. Current guidance suggests treating support end as a governance trigger, not just an engineering milestone.

How It Works in Practice

A workable accountability model starts with an asset inventory that distinguishes supported, end-of-life, and end-of-support software. From there, the owner should map the application to business services, data sensitivity, and technical dependencies so leadership can see what breaks if retirement slips. Security then applies minimum compensating controls, which usually include network segmentation, stronger logging, hardening, access restriction, and tighter monitoring for exploit activity. NIST’s control catalog in NIST SP 800-53 Rev 5 Security and Privacy Controls is a useful reference for documenting those controls, especially where patching is no longer available.

  • Define one named application owner, one security approver, and one business risk owner.
  • Record the support end date, the exception expiry date, and the retirement target date.
  • Identify compensating controls that are observable, such as alerts, segmentation, and restricted admin access.
  • Review the risk acceptance on a fixed cadence rather than leaving it open-ended.
  • Track any embedded secrets, service accounts, and integrations that must be rotated or retired alongside the software.

This is where NHI governance becomes relevant. Unsupported software often remains reachable because an API key, service account, or CI/CD token still works, even after the original team has moved on. NHIMG’s Ultimate Guide to NHIs highlights how frequently such identities are overprivileged or poorly offboarded, which means the real accountability question extends beyond the application binary itself. These controls tend to break down when legacy applications are tightly coupled to business-critical workflows and retirement requires multiple teams to coordinate cutover windows, data migration, and credential replacement.

Common Variations and Edge Cases

Tighter control often increases operational overhead, requiring organisations to balance faster remediation against business continuity. Some legacy systems cannot be patched without breaking validated processes, so the right answer is not always immediate shutdown. In those cases, current guidance suggests formal risk acceptance with compensating controls, but there is no universal standard for how strong those controls must be across every environment. For regulated sectors, the bar is typically higher because unsupported software can affect auditability, resilience, and incident response obligations.

Edge cases usually involve vendor dependency, embedded systems, or long-lived infrastructure where replacement is expensive and downtime is unacceptable. If the software supports identity, secrets, or machine-to-machine access, accountability must also include whoever owns those credentials. That intersection is where security programs often miss the real issue: the application may be unsupported, but the access path is still fully operational. Where migration is delayed, the business sponsor should be the explicit risk owner, while the application owner remains accountable for executing the plan and the security team verifies controls and deadlines. In practice, exceptions fail when they become permanent by default, rather than being reviewed, renewed, or retired on schedule.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Risk ownership and exceptions are central to unsupported software accountability.
NIST SP 800-53 Rev 5 CM-8 Asset inventory is needed to track unsupported systems and lifecycle status.

Keep an accurate inventory of end-of-support assets and link each one to a retirement plan.