Subscribe to the Non-Human & AI Identity Journal

Who is accountable when crypto custody fails?

Accountability should sit with the team that owns the key lifecycle, transaction policy, and monitoring model, not only with the people who move funds. In practice, that means compliance, security, and operations must share clearly documented responsibility for authority, review, and escalation.

Why This Matters for Security Teams

Crypto custody failures are rarely just a technical incident. They usually expose unclear ownership across key generation, wallet policy, approvals, recovery, and monitoring. When accountability is vague, teams struggle to prove whether a loss came from a control failure, an insider action, or an operational gap. The question is not only who can sign, but who is responsible for the full control environment.

For security teams, this matters because custody combines access control, transaction governance, incident response, and auditability. A clean answer requires separating operational execution from control ownership. NIST SP 800-53 Rev. 5 Security and Privacy Controls is useful here because it frames accountability around control responsibility, evidence, and review rather than informal trust. That distinction becomes critical when digital assets move across exchanges, wallets, custodians, or internal treasury functions.

Current guidance suggests that effective accountability should be documented before assets are at risk, including who approves policy changes, who monitors anomalous transfers, and who can trigger containment. In practice, many security teams encounter custody failures only after a transfer dispute, key compromise, or recovery failure has already exposed gaps in ownership.

How It Works in Practice

Accountability for crypto custody should be assigned at the control level, not just the job-title level. The team that owns the key lifecycle should be responsible for generation, storage, rotation, backup, destruction, and recovery testing. The team that owns transaction policy should define approval thresholds, address allowlists, segregation rules, and exception handling. Security should validate that monitoring and alerting cover unusual signing behavior, policy bypass, and anomalous destination patterns. Compliance should ensure the control design meets recordkeeping, audit, and legal obligations.

In a mature operating model, this often means three layers of responsibility:

  • Business ownership for the asset and the custody outcome.
  • Control ownership for keys, approvals, monitoring, and recovery.
  • Operational execution for day-to-day signing, reconciliation, and escalation.

That structure helps avoid a common failure mode where the people moving funds assume someone else is reviewing policy, while security assumes operations is handling exception management. The best practice is evolving, but the accountability record should include named owners, backup approvers, escalation paths, and evidence of periodic control testing.

For environments that use multi-party signing or delegated wallet access, the same principle applies. Each signer may have a limited role, but accountability still sits with the function that designed the control and accepted the residual risk. The operational question is whether the process can prove who authorized what, when, under which policy, and with what review trail. That is also where identity governance intersects with custody: strong wallet controls are only as reliable as the identities, entitlements, and approval workflows behind them.

These controls tend to break down when treasury operations are informal, approval paths are shared through chat, or recovery credentials are held outside a tested custody process because evidence and decision rights become impossible to reconstruct after an incident.

Common Variations and Edge Cases

Tighter custody controls often increase operational overhead, requiring organisations to balance transaction speed against assurance, especially when market activity is time-sensitive. That tradeoff is real, and there is no universal standard for this yet across all crypto operating models.

In self-custody, accountability usually remains internal even if the organization uses external signers, hardware security modules, or managed infrastructure. In third-party custody, the provider may execute controls, but the client organization still retains accountability for governance, vendor oversight, and risk acceptance. In regulated environments, legal and compliance teams may need to define whether fiduciary duty, operational control, and incident notification responsibilities are split or shared.

Edge cases matter when custody is embedded in DeFi protocols, cross-chain bridges, or autonomous agent workflows. If an AI agent can initiate or route transactions, the organization must define whether that agent is treated as an execution tool or as a privileged actor requiring explicit NHI-style governance. That distinction is still an emerging practice, so current guidance suggests treating agent access as a high-risk control boundary until stronger consensus emerges.

Useful references for control design include the NIST SP 800-53 Rev 5 Security and Privacy Controls and the CISA Zero Trust Maturity Model, especially where custody decisions depend on strong identity verification, segregation of duties, and monitoring. For asset owners handling transaction abuse patterns, mapping controls to MITRE ATT&CK can also help structure detection and response.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.1 Governance clarifies who owns custody risk and control decisions.
NIST SP 800-63 Identity assurance matters when approvers and signers are high-risk actors.

Assign a named control owner and document custody risk acceptance and review cadence.