Subscribe to the Non-Human & AI Identity Journal

Who is accountable when lateral movement controls are missing?

Accountability should sit with both security leadership and the teams that own identity, platform, and network policy, because lateral movement is a shared control problem. Frameworks such as NIST CSF and OWASP NHI make it clear that internal access, visibility, and containment are governance responsibilities, not optional hardening tasks. Ownership must be explicit before an incident forces the issue.

Why This Matters for Security Teams

When lateral movement controls are missing, accountability is not just a reporting question, it becomes a governance failure. Security leadership is expected to define the control objective, but identity, platform, and network owners must implement the safeguards that limit east-west movement, preserve visibility, and reduce blast radius. NIST control families for access control, audit logging, and system monitoring make that shared responsibility explicit in practice, especially when linked to NIST SP 800-53 Rev 5 Security and Privacy Controls.

The mistake many organisations make is treating lateral movement as a purely technical intrusion problem after an attacker has already expanded access. In reality, missing segmentation, overbroad privileges, weak service account governance, and sparse telemetry are usually the result of unclear ownership. That gap matters because it delays remediation, blurs escalation paths, and weakens post-incident accountability. In practice, many security teams encounter lateral movement only after an incident review reveals that no single owner had authority to prevent it.

How It Works in Practice

Accountability works best when it is assigned by control domain rather than by vague department labels. Security leadership should own the policy standard and risk acceptance thresholds. Identity teams should own account hygiene, privileged access boundaries, and service-to-service trust. Platform teams should own host hardening, segmentation, and local administrative restrictions. Network teams should own east-west filtering, detection points, and choke controls. This model avoids the common failure where everyone agrees lateral movement is important, but no one is responsible for the specific control that would have stopped it.

Operationally, teams should map the threat paths first and then assign control owners to each layer of containment. The MITRE ATT&CK Enterprise Matrix is useful here because it helps teams translate “lateral movement” into actual techniques such as remote services, stolen credentials, and valid accounts abuse. That mapping supports a clearer answer to who owns prevention, who owns detection, and who owns response.

  • Identity owners should reduce standing privilege, rotate secrets, and limit reusable credentials.
  • Platform owners should restrict local admin paths and isolate management interfaces.
  • Network owners should segment sensitive zones and alert on unusual east-west flows.
  • Security operations should correlate identity, endpoint, and network telemetry for faster containment.
  • Leadership should track exceptions, approve risk acceptance, and verify remediation timelines.

In mature environments, the accountability chain is documented in control matrices, incident playbooks, and quarterly access reviews. That makes it possible to answer not only who fixes the gap, but who had the obligation to prevent it. These controls tend to break down in hybrid environments with legacy systems, shared admin accounts, and unmanaged service credentials because ownership is split across tooling that does not share a common control plane.

Common Variations and Edge Cases

Tighter containment often increases operational overhead, requiring organisations to balance reduced blast radius against admin friction and service reliability. That tradeoff is real, especially where teams rely on legacy applications, third-party managed services, or flat network designs that cannot be segmented quickly.

Current guidance suggests that accountability should still remain explicit even when controls are partially compensating rather than fully preventive. For example, if a legacy environment cannot support strong segmentation, the owner of that risk should be named, the compensating monitoring should be documented, and the remediation plan should have a deadline. Best practice is evolving for cloud and hybrid estates where identity policy, endpoint posture, and network boundaries overlap, so there is no universal standard for this yet. The practical test is whether the organisation can prove who owns the control, who accepted the exception, and who will verify closure.

For NHI and agentic systems, the same logic applies to non-human accounts, API keys, and autonomous workflows that can move laterally across tools and environments. When those identities are not covered by the same ownership model as human access, accountability becomes fragmented and auditability weakens. Security teams should treat that as a control gap, not a tooling gap, and align the exception to the business service that depends on it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Least-privilege access limits how far an intruder can move laterally.
OWASP Non-Human Identity Top 10 NHI-06 Service accounts and secrets governance are central to lateral movement risk.
MITRE ATT&CK T1021 Remote services are a common lateral movement path and need explicit ownership.
NIST Zero Trust (SP 800-207) SC-7 Segmentation and boundary enforcement are core to preventing internal spread.

Map remote-service paths to containment controls and verify detection on internal administration channels.