Subscribe to the Non-Human & AI Identity Journal

What breaks when custody and payout controls are not separated?

When custody and payout controls are not separated, the same account or role can both authorise and redirect value. That creates a weak approval model, makes fraud easier to conceal, and reduces the ability to prove who changed a destination address. Separation of duties and immutable audit trails are the key compensating controls.

Why This Matters for Security Teams

When custody and payout controls live in the same role or system path, the organisation loses a basic fraud barrier: the person or service that can approve a value transfer can also redirect it. That is especially dangerous in payment platforms, treasury tooling, crypto workflows, and any automation that handles beneficiary changes. NHI Management Group’s Ultimate Guide to NHIs — Standards treats this as a governance problem as much as a technical one, because the control failure is usually privilege design, not a single malicious act.

Security teams also need to distinguish custody from operational convenience. A workflow that is easy to run is not necessarily safe to trust. The NIST Cybersecurity Framework 2.0 emphasizes governance, access control, and auditability, which are the minimum requirements for separating decision rights from execution rights. In NHI-heavy environments, this matters because service accounts, API keys, and automation agents often become the real custodians of value, even when the business thinks a human is still “in charge.” The practical consequence is that one compromised identity can both authorize and move funds, leaving no effective second check. In practice, many security teams only discover the flaw after a payout diversion, not through a planned control review.

How It Works in Practice

Effective separation means no single identity, workflow, or approval chain should be able to both approve a payout and alter its destination. In a mature design, custody controls govern who can hold signing authority, keys, or privileged tokens, while payout controls govern who can request, validate, and release a transfer. The two paths should intersect only through independent review and logged approval. That is the same logic used in financial control design and in NHI governance, where an automation account may need access to payment APIs but should not be able to change its own permissions or settlement target.

Practitioners usually implement this with layered checks:

  • Separate roles for request, approval, execution, and reconciliation.
  • Step-up approval for beneficiary changes, high-value transfers, and first-time payees.
  • Immutable logs that record who approved, which identity executed, and what destination was used.
  • Time-bound access and scoped tokens so custodial authority is not persistent.
  • Out-of-band verification for exceptional payouts or address changes.

For NHI-driven payout systems, identity governance becomes a control point rather than an afterthought. If an API key can sign a payment and also update the payee mapping, the system has effectively collapsed custody and payout into one trust boundary. That creates a blind spot where fraud can look like routine automation. NHIMG’s research on the Schneider Electric credentials breach is a reminder that privileged credentials and service identities are often the easiest route to abuse when control boundaries are too broad. These controls tend to break down in fast-moving DevOps and finance automation environments because one service account is often reused across approval, signing, and reconciliation pipelines.

Common Variations and Edge Cases

Tighter separation often increases friction, audit overhead, and exception handling, so organisations must balance fraud resistance against operational speed. That tradeoff is most visible in treasury, payroll, contractor payments, and crypto custody, where legitimate urgency can tempt teams to merge approvals for convenience. Current guidance suggests that convenience should never eliminate an independent control, but there is no universal standard for exactly how many approvers or how much evidence is enough in every context.

Some environments need stronger measures than others. High-value payment rails may require dual control, cryptographic signing, and reconciliation by a separate system of record. Lower-risk workflows may rely on scoped approvals plus immutable logging, but the separation principle still applies. The biggest edge case is automation: an AI agent or service account may be trusted to prepare a payout, yet it should not be trusted to finalise or redirect it without a separate human or independent system check. That is where NHI governance and payout governance converge. If the same identity can mint access, approve exceptions, and move value, the control model has already failed. For practitioners building policy baselines, the Ultimate Guide to NHIs — Standards is useful for mapping lifecycle and privilege controls to real operational boundaries.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the technical controls, and PCI DSS v4.0 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Separating custody and payout depends on least-privilege access design.
OWASP Non-Human Identity Top 10 NHI governance covers over-privileged service accounts that can move value.
NIST SP 800-63 Strong identity assurance supports trusted approval and change workflows.
NIST Zero Trust (SP 800-207) Zero trust requires continuous verification before high-risk financial actions.
PCI DSS v4.0 7.2.1 Role separation is essential where payment data or value movement is involved.

Inventory non-human identities and split signing, approval, and destination-update authority.