Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a remote device exposes organisational data?

Accountability should sit with the teams that own identity, endpoint governance, and data control, not with the user alone. If a device is unmanaged, the organisation has a governance failure. If a device is managed but exceptions are not logged, the organisation has an evidence failure. Both need named ownership.

Why This Matters for Security Teams

When a remote device exposes organisational data, accountability is not just a policy question. It determines whether the event is treated as a user error, a device-control failure, or a data-governance gap. Security teams need named ownership across identity, endpoint management, and information protection so that response actions, audit evidence, and remediation all point to the right control owner. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls is a useful reference point because it ties accountability to control implementation, not just policy statements.

The practical risk is that organisations assume remote work shifts responsibility to the device user, while the real issue is often weak governance over managed endpoints, missing conditional access, or incomplete logging around exceptions. That creates ambiguity during incident response and makes it harder to prove whether access was authorised, restricted, or misused. In practice, many security teams encounter accountability disputes only after data has already left the device, rather than through intentional control ownership.

How It Works in Practice

Accountability should be distributed across the control stack, with clear ownership for identity, device posture, and data handling. The identity team typically owns authentication strength, access policy, and session assurance. Endpoint governance owns device compliance, encryption, patch state, and whether a device is actually managed. Data control owners define what can be accessed, downloaded, synchronised, or copied, and under which exceptions. If those duties are not written into policy and operating procedures, it becomes difficult to decide who must act when a remote device exposes data.

A workable operating model usually includes the following:

  • Named ownership for conditional access, device compliance, and data loss controls.
  • Logging for exception approvals, policy bypasses, and unmanaged device access.
  • Evidence retention that shows who approved access, when, and under what conditions.
  • Escalation paths for unmanaged, jailbroken, rooted, or otherwise non-compliant devices.

This is where identity and endpoint governance meet data security. If access decisions rely on device trust, the organisation must be able to show how that trust was established and maintained. If the data is sensitive, the control owner should be able to explain whether the exposure came from inadequate access restrictions, missing encryption, weak session controls, or an approved business exception. AI-enabled detection and response can help, but it does not replace accountability; it only improves speed and correlation, as reflected in the recent Anthropic — first AI-orchestrated cyber espionage campaign report, which underscores how fast-moving abuse can outpace manual review.

These controls tend to break down when BYOD, contractor access, and cloud sync are all allowed in the same environment because ownership boundaries blur and exception tracking becomes inconsistent.

Common Variations and Edge Cases

Tighter remote-access control often increases operational overhead, requiring organisations to balance user flexibility against evidential clarity and reduction of exposure. That tradeoff becomes visible in environments where staff use personal devices, emergency access is allowed, or offline work must be supported. Current guidance suggests that these cases should not remove accountability; they should make it more explicit through exception workflows, compensating controls, and documented approval chains.

There is no universal standard for this yet, but best practice is to treat unmanaged-device access as a higher-risk pathway, even when it is temporarily allowed. The question is not only whether the device was personal or corporate-owned. It is whether the organisation can prove the access decision was authorised, the device state was acceptable for the data involved, and the logs are sufficient for later review. In highly regulated environments, this also affects legal discovery, incident reporting, and internal investigation quality.

Where the answer changes most is in shared-device, contractor, and emergency-break-glass scenarios. Those environments need stronger logging, shorter session lifetimes, and tighter approval rules, because accountability can otherwise be diluted across multiple teams. The most common failure is assuming a policy exists when, in practice, no one can show who approved the exception or who owns the follow-up after exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC Access control and device trust determine who can reach data from remote devices.
NIST SP 800-53 Rev 5 AC-2 Accountability depends on managed accounts with named ownership and review.
MITRE ATT&CK T1078 Valid accounts and approved access paths are common ways remote device exposure is abused.

Define and enforce access conditions so only compliant identities and devices can reach sensitive data.