Subscribe to the Non-Human & AI Identity Journal

Who is accountable if a significant change is not reported?

The Affirming Official carries the legal responsibility for the annual affirmation, even if the change originated in IT, facilities, or a third-party provider. C3PAOs can advise on whether a change appears significant, but they do not own the affirmation. Accountability sits with the organisation that signs.

Why This Matters for Security Teams

When a significant change is missed, the problem is rarely just a documentation gap. It can mean an unreviewed credential rotation, a new cloud service path, a control bypass, or an unassessed vendor dependency that changes the organisation’s security posture. Under most assurance models, accountability follows the signer, not the team that implemented the change, so the legal and operational exposure sits with the organisation that affirmed the state of control.

This is especially important in environments that depend on non-human identities, where one overlooked service account, API key, or certificate can scale into a broad compromise. NHIMG’s research notes that only 5.7% of organisations have full visibility into their service accounts, which makes change recognition and escalation even harder. Security teams should treat change reporting as part of control integrity, not as a clerical follow-up. The operational risk is not just that a change occurred, but that it was not surfaced to the person or function responsible for affirmation.

In practice, many security teams discover unreported changes only after an audit exception, incident, or failed assurance review has already exposed the gap.

How It Works in Practice

The accountability model usually has three layers: the team that makes the change, the control owner who should recognise its impact, and the Affirming Official who signs the annual statement or equivalent attestation. The first two groups may contribute evidence, but they do not absorb the final accountability unless the governance model explicitly says so. That is why change management, asset inventory, and attestation workflows need to be joined up rather than treated as separate processes.

In practice, an organisation should define what counts as significant before the review cycle starts. Common triggers include changes to authentication flows, privilege boundaries, logging, encryption, hosting location, third-party dependencies, or identity components such as service accounts and automation tokens. Mapping those triggers to control families in NIST SP 800-53 Rev. 5 Security and Privacy Controls helps formalise review duties, evidence expectations, and escalation paths. For organisations with NHIs, this should also include secret rotation, ownership changes, and orphaned credentials.

  • Assign a named owner for detecting and escalating significant changes.
  • Define thresholds for when a change becomes reportable.
  • Require evidence from IT, facilities, cloud, and third parties before sign-off.
  • Track non-human identities as part of the control scope, not as an afterthought.

NHIMG’s Schneider Electric credentials breach illustrates how credential exposure and weak visibility can turn an operational change into a wider security problem. These controls tend to break down when change ownership is split across outsourced operations, because the organisation signing the affirmation no longer has timely evidence from the actual system operators.

Common Variations and Edge Cases

Tighter change reporting often increases governance overhead, requiring organisations to balance faster operational delivery against stronger assurance and evidence collection. Current guidance suggests the best approach is not to report every minor adjustment, but to set clear materiality thresholds so that meaningful changes are escalated consistently. There is no universal standard for this yet, so organisations should document their own decision rules and review them annually.

Edge cases appear when changes are made by a managed service provider, when the affected system is owned by facilities rather than IT, or when a third-party SaaS platform silently alters authentication or logging behaviour. In those situations, the change still matters if it alters the control environment that the organisation is affirming. The accountable party remains the signing organisation, even if the change originated elsewhere. This is also where NHI governance becomes critical, because secret exposure, stale API keys, and service account drift can look operational until they become attestable control failures.

Practitioners should also be careful with delegated sign-off models. Delegation can help review workload, but it does not remove final responsibility unless the governance document explicitly transfers authority. The practical test is simple: if the change would affect the truthfulness of the affirmation, it should be reported before the signature, not after the audit finds it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 provides the primary governance reference for this topic.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OC-1 Significant-change reporting affects who owns the control environment and its outcomes.

Assign clear accountability for changes that alter the organisation’s security posture.