Subscribe to the Non-Human & AI Identity Journal

Who is accountable when crypto regulation expands across DeFi and stablecoins?

Accountability sits with the firm that chooses the control model, the evidence standard, and the escalation path for each activity it touches. In practice, legal, compliance, fraud, and security leaders share responsibility for proving that monitoring and reporting are working where the firm operates.

Why This Matters for Security Teams

As crypto regulation expands across DeFi and stablecoins, the accountability question becomes operational, not theoretical. Firms cannot rely on a single control owner when activity spans smart contracts, wallet operations, reserve management, transaction monitoring, and third-party integrations. The real issue is proving who owns each control, what evidence is acceptable, and how exceptions are escalated when activity crosses legal entities, jurisdictions, or product lines. That is where governance, compliance, fraud, and security must align around a common control model, as reinforced by the NIST Cybersecurity Framework 2.0 and NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives. In practice, accountability fails when firms assume blockchain transparency replaces accountable control ownership.

How It Works in Practice

Effective accountability starts by mapping each regulated activity to a named owner, a control objective, and a defensible evidence source. For DeFi-facing services, that may include monitoring smart contract changes, restricting deployer access, approving treasury movements, and documenting incident escalation for protocol risk. For stablecoins, the control model often extends to reserve attestations, issuance and redemption workflows, sanctions screening, and the integrity of custody arrangements. The practical question is not just “who is responsible,” but “who can prove the responsibility was exercised.” NIST SP 800-53 Rev 5 Security and Privacy Controls is useful here because it makes control assignment, auditing, and traceability explicit.

A workable operating model usually includes:

  • a control register that assigns every regulated activity to Legal, Compliance, Fraud, Security, or Operations
  • evidence standards for alerts, approvals, exceptions, and reconciliations
  • clear escalation triggers for suspicious flows, reserve discrepancies, or smart contract changes
  • incident ownership that spans on-chain activity and off-chain business records

This is also where NHI governance becomes relevant. Wallets, API keys, signing services, automation agents, and exchange integrations are all non-human identities that can trigger regulated actions. NHIMG’s Top 10 NHI Issues is directly relevant because weak visibility into these identities often breaks accountability before a regulator ever asks for proof. The controls tend to break down when DeFi activity is routed through multiple vendors and jurisdictions because ownership becomes fragmented and evidence trails stop at organisational boundaries.

Common Variations and Edge Cases

Tighter control mapping often increases operational overhead, requiring organisations to balance regulatory defensibility against execution speed. That tradeoff is especially visible when a firm touches both permissionless DeFi and regulated stablecoin operations, because the accountability model is not identical for every activity. Current guidance suggests that firms should not assume the same control owner or evidence package applies across all products; best practice is evolving, and there is no universal standard for this yet.

Edge cases usually involve shared infrastructure, outsourced custody, or protocol governance rights. A treasury multisig, for example, may have one owner for transaction approval, another for key custody, and another for anomaly monitoring. Similarly, if a firm contributes to governance of a DeFi protocol, accountability may extend beyond internal controls to documented risk acceptance and change approval. Where consumer harm or financial integrity is at stake, that accountability often intersects with identity governance, because signing authorities, service accounts, and automation credentials are the actual actors that move funds or change policy. The NHIMG Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is a practical reference for that lifecycle view. Teams that ignore these edge cases usually discover the accountability gap only after an exception, loss event, or supervisory request forces them to reconstruct ownership retrospectively.