Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a GCC High control is present but not operating as intended?

The customer is accountable for configuration, monitoring, and documentation, even when Microsoft provides the underlying cloud capability. That means responsibility sits with the organisation’s control owners, evidence owners, and process owners, not with the presence of the feature alone. Assessors care about operating effectiveness, not feature availability.

Why This Matters for Security Teams

When a gcc high control exists but is not operating as intended, the risk is not theoretical. Audit findings, contractual exposure, and incident response gaps all become harder to defend because the organisation cannot rely on feature presence as proof of control effectiveness. The practical question is whether the control is configured, monitored, and evidenced in a way that matches the stated security objective, which is why assessors focus on operating effectiveness rather than licensing or availability alone. That distinction is especially important in environments with privileged automation and non-human identities, where weak ownership and stale access often hide inside routine admin workflows. NIST control guidance reinforces this by tying accountability to implemented safeguards, evidence, and continuous monitoring, not simply to the existence of a platform capability, as reflected in NIST SP 800-53 Rev 5 Security and Privacy Controls. In practice, many security teams discover broken control operation only after an assessor, incident, or customer review exposes the gap, rather than through intentional validation.

How It Works in Practice

Accountability usually sits with the customer organisation because GCC High is part of a shared-responsibility model. Microsoft may provide the cloud service and some baseline protections, but the organisation owns how the control is configured, what telemetry is monitored, and how evidence is retained. For controls tied to identity, logging, encryption, data handling, or privileged access, this means the control owner must prove that the setting is active, the process owner must prove it is followed, and the evidence owner must prove it is recorded consistently. Current guidance suggests that a control should be tested at three levels: configuration, operational use, and exception handling.

A practical validation workflow often includes:

  • confirming the intended control setting in tenant, policy, or workload configuration;
  • verifying that monitoring alerts, logs, and review cadences are actually enabled;
  • checking whether exceptions are approved, time-bound, and revisited;
  • mapping evidence to the stated control objective and audit period.

This is particularly important where privileged access or service accounts are involved. NHIMG research notes that only 5.7% of organisations have full visibility into their service accounts, and the Schneider Electric credentials breach illustrates how credential and access weaknesses can become operational failures even when formal controls appear to exist. For identity and access controls, NIST SP 800-53 Rev 5 remains the clearest operational baseline, especially for access enforcement, audit logging, and continuous assessment. These controls tend to break down when organisations assume platform inheritance equals compliance, because inherited capability is not the same as customer-operated assurance.

Common Variations and Edge Cases

Tighter control ownership often increases administrative overhead, requiring organisations to balance audit readiness against operational speed. That tradeoff becomes sharper in GCC High when multiple teams share responsibility for security configuration, evidence collection, and change approval. There is no universal standard for this yet across every contractual and regulatory context, so the accountability model should be documented explicitly rather than inferred from the cloud service description.

One common edge case is a control that is technically available but partially disabled due to migration, legacy compatibility, or a change in policy scope. In those situations, the control may still exist on paper while failing in a specific tenant, subscription, or application boundary. Another common issue is inherited responsibility across internal teams: security may define the control, IT may implement it, and operations may monitor it, but none of those handoffs removes accountability from the organisation. For NHI-heavy environments, the risk is even more pronounced because secret rotation, service account governance, and offboarding are often overlooked until an incident forces a review. NHIMG’s Ultimate Guide to NHIs — Standards is useful here because it frames governance as a lifecycle issue, not a one-time configuration event. The safest operating assumption is simple: if the control does not work in production and cannot be evidenced, it is the customer’s accountability gap, even if the feature is present.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Ownership and accountability for control operation fit governance and risk management.
NIST SP 800-53 Rev 5 CA-7 Continuous monitoring is central when a control exists but may not be effective.
NIST Zero Trust (SP 800-207) SCALABLE Zero trust assumes verification of control operation, not trust in platform presence.

Assign a named control owner and verify the control works, is monitored, and is evidenced.