Subscribe to the Non-Human & AI Identity Journal

Who should own governance when crypto risk spans compliance, fraud, and IAM?

Ownership should be shared, but accountability must be explicit. Compliance should define due diligence and regulatory thresholds, IAM should govern account assurance and privilege, and fraud teams should watch for behavioural abuse. The best programmes use one risk model and separate control owners, so escalation paths stay clear when counterparties change behaviour.

Why This Matters for Security Teams

When crypto risk spans compliance, fraud, and IAM, the main failure is not a missing control, but a missing owner for the decision to act. Compliance typically defines the regulatory threshold, IAM controls who can access wallets, keys, and administrative consoles, and fraud teams watch for behavioural anomalies that suggest abuse. If those responsibilities are not aligned, incidents are escalated too late, or to the wrong team, and containment slows down.

This is especially true where digital assets, exchange accounts, or custodial platforms depend on both identity assurance and transaction monitoring. NHI Management Group has documented how weak lifecycle governance and over-privileged access drive risk in practice; see Top 10 NHI Issues and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives. The control picture also maps to NIST Cybersecurity Framework 2.0 and the access control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls.

In practice, many security teams encounter unclear ownership only after suspicious transfers, account takeovers, or audit findings have already turned a governance gap into a response problem.

How It Works in Practice

Effective governance uses one shared risk model and separate control owners. Compliance owns the rulebook: customer due diligence, AML thresholds, sanctions-related escalation, recordkeeping, and whether a situation must be reported. IAM owns assurance around human and non-human accounts, including strong authentication, privileged access, secret rotation, and JIT elevation for operational tasks. Fraud owns behavioural detection, account abuse patterns, abnormal transaction sequences, and counterparty change signals that may indicate mule activity or credential compromise.

That split works only if the programme defines a single decision path. The triage step should answer three questions fast: is this a compliance breach, a fraud signal, or an access-control issue, and which team has authority to pause activity? The operational model should include explicit handoffs, named escalation owners, and a shared evidence set. For crypto environments, that evidence often includes wallet provenance, privileged session logs, device or geo anomalies, API token usage, and changes to beneficiary details. The NHIMG lifecycle guidance in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because the same discipline that governs NHI onboarding, rotation, and deprovisioning also reduces uncontrolled access to trading, custody, and automation tools.

  • Compliance sets the policy threshold and approves regulatory escalation.
  • IAM enforces identity proofing, least privilege, and privileged access review.
  • Fraud monitors abuse patterns and triggers behavioural investigations.
  • Security operations correlates alerts so the right owner acts first.

Where crypto platforms use automated agents, bots, or service accounts, the question becomes an NHI governance issue as well as a fraud issue. The most effective programmes treat secrets, wallets, and admin APIs as high-value identities and align them to the same assurance model used for privileged access. Current guidance suggests that this breaks down in decentralised operating models where trading, compliance, and engineering each believe the other team owns the final stop-the-line decision.

Common Variations and Edge Cases

Tighter governance often increases operational friction, requiring organisations to balance faster fraud containment against the risk of blocking legitimate activity. That tradeoff is most visible in high-volume exchanges, OTC desks, and fintechs with multiple legal entities, where one global rule set rarely fits every jurisdiction.

There is no universal standard for this yet. Some firms place final accountability in compliance because regulatory exposure is the biggest downside. Others put it under a security or risk committee when the dominant concern is credential abuse or compromised automation. The more robust pattern is to keep one accountable executive and separate control owners underneath, then document when compliance can override, when IAM can disable access, and when fraud can freeze activity pending review.

For broader identity and financial control alignment, FATF Recommendations help define the compliance side of KYC and AML, while ISO/IEC 27001:2022 Information Security Management supports formal ownership, risk treatment, and auditability. If the environment includes third-party wallets, custodians, or programmatic access, the risk model should also account for NHI-style credential governance, because shared service accounts and API keys often become the weakest link in mixed fraud-and-IAM programmes.