Accountability sits with the organisation that owns the access path and approves the workflow, even when a third party is involved. If a vendor account, help desk reset, or remote support process enables compromise, the control owner must show how identity proofing, logging, and approval steps were enforced. Shared responsibility does not remove accountability.
Why This Matters for Security Teams
When a vendor or help desk workflow is abused, the failure is usually not the third party itself but the organisation’s own control design. The business approved the access path, the exception process, and the evidence requirements, so it also owns the security outcome. That matters because abused resets, delegated support, and remote access often bypass the controls that teams assume are already in place. NIST’s control catalog is clear that access authorization, audit logging, and authentication need explicit enforcement, not implied trust (NIST SP 800-53 Rev 5 Security and Privacy Controls).
For NHI and agentic environments, the same pattern appears when service accounts, support bots, or delegated admin paths are over-permissioned or poorly supervised. NHIMG research shows that 92% of organisations expose NHIs to third parties, which turns a support relationship into an access-path risk unless ownership, logging, and revocation are tightly governed (Ultimate Guide to NHIs — The NHI Market). In practice, many security teams encounter the abuse only after a reset, vendor session, or automation token has already been used to move laterally, rather than through intentional review of the workflow.
How It Works in Practice
Accountability follows control ownership. If the help desk can reset MFA, unlock accounts, or issue temporary access, then the organisation must prove who approved the workflow, how identity was verified, what was logged, and how the access expired. If a vendor connects through remote support, the same logic applies: the security team should require named approvers, session recording where feasible, step-up verification for high-risk actions, and periodic review of vendor entitlements.
This is also where NHI governance becomes relevant. Support workflows often create or depend on machine credentials, shared API keys, jump-host sessions, and delegated service accounts. If those identities are not inventoried, rotated, and bound to a clear owner, the workflow becomes an accountability gap. NHIMG’s guidance on NHIs highlights how often organisations lack visibility into service accounts, and the risk becomes sharper when a support process can trigger credential changes or bypass normal approval paths (Ultimate Guide to NHIs — The NHI Market).
- Define the control owner for each workflow, not just the vendor relationship.
- Require identity proofing or call-back verification for privileged resets and overrides.
- Log the request, approver, support operator, target identity, and resulting change.
- Tie vendor sessions and support tokens to time-bound access with revocation triggers.
- Review exceptions after incidents to confirm whether policy, process, or tooling failed.
Attackers frequently abuse trusted workflows rather than break technical controls, which is why support-path abuse shows up in cases like the GitHub Action tj-actions Supply Chain Attack, where credentials and automation pathways became the route to compromise. These controls tend to break down when identity proofing is manual, approval is informal, and the vendor or help desk can make irreversible changes without independent verification.
Common Variations and Edge Cases
Tighter workflow control often increases operational friction, so organisations have to balance support speed against abuse resistance. That tradeoff is especially visible in 24/7 service desks, outsourced support, and emergency break-glass access, where the urge to reduce user wait time can weaken verification and logging.
There is no universal standard for every vendor-support model, so current guidance suggests matching the control strength to the blast radius of the action. A password reset for a low-risk account is not the same as approving access to production infrastructure, payment systems, or privileged NHI credentials. In higher-risk paths, dual approval, stronger proofing, and shorter-lived access are justified. In lower-risk paths, the key is still traceability and revocation. The same logic applies when a vendor manages an automation platform or agentic toolchain: the more authority the workflow has, the more the organisation needs explicit ownership and continuous review.
For regulated environments, the accountability question also extends to evidence retention and incident response. If a third party can alter access, then the organisation must be able to reconstruct who authorized the change and whether the support action exceeded policy. That is why security teams should align these workflows with identity lifecycle controls, privileged access reviews, and incident playbooks rather than treating them as service operations alone. Shared responsibility may divide tasks, but it does not divide accountability for the control outcome.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identity and access workflows must be authorized and traceable. |
| OWASP Non-Human Identity Top 10 | Vendor and help desk workflows often create or expose non-human identities. | |
| NIST SP 800-63 | IAL2 | Privileged resets and overrides depend on stronger identity proofing. |
| NIST Zero Trust (SP 800-207) | SA-4 | Zero trust requires validating every access path, including vendors and support tools. |
Inventory machine identities behind support paths and enforce ownership, rotation, and revocation.
Related resources from NHI Mgmt Group
- Who is accountable when a help-desk reset is abused in an identity attack?
- Who is accountable if a certificate is misused in an approval workflow?
- Who is accountable when an embedded AI feature changes a vendor risk profile?
- How does the consumer-secret-entitlement model help with governance at scale?