Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a zero trust programme protects compliance goals but not mission continuity?

Accountability sits with security leadership, architecture owners, and mission owners together, because zero trust is a shared operational design decision. Frameworks such as NIST CSF 2.0 and NIST SP 800-53 expect controls to support ongoing protection and recovery, not only audit readiness.

Why This Matters for Security Teams

A zero trust programme can be technically “successful” on paper while still creating operational fragility if it slows recovery, blocks legitimate workflows, or prevents mission owners from completing critical tasks. That is why accountability cannot sit only with the security function. It must include architecture owners who define the trust model, and business or mission owners who understand the service impact of each control decision. NIST’s NIST Cybersecurity Framework 2.0 treats governance, protection, detection, response, and recovery as connected outcomes, not separate scorecards.

The common mistake is to measure zero trust by policy coverage, MFA rollout, or access denial rates, then assume compliance has been achieved. In reality, compliance goals and mission continuity can diverge when controls are designed without operational exception paths, resilience testing, or clear ownership for break-glass access and recovery decisions. Zero trust is not meant to eliminate trust in the organisation; it is meant to make trust explicit, conditional, and reviewable.

In practice, many security teams discover this only after a critical service is delayed or a recovery process stalls, rather than through intentional design review.

How It Works in Practice

Accountability works best when zero trust is managed as a shared operating model rather than a pure technology deployment. NIST SP 800-207 describes zero trust as a strategy built around continuous verification, strong policy decisions, and dynamic enforcement, which means the programme must be owned across policy, architecture, operations, and service leadership. The security team typically owns control design and monitoring, architecture owns the target state, and mission owners accept the residual business impact of stricter access paths. See NIST SP 800-207 Zero Trust Architecture for the baseline model.

In operational terms, the programme should define:

  • who approves control exceptions when a workflow breaks;
  • who can authorise emergency access during an outage;
  • which services are classified as mission critical;
  • how control failures are escalated into incident, risk, or continuity processes;
  • how changes are tested against recovery objectives before production release.

This is where control frameworks matter. NIST SP 800-53 Rev. 5 helps teams map access control, contingency, and incident response expectations into enforceable safeguards, while ISO/IEC 27001:2022 and ISO/IEC 27002:2022 support governance, risk treatment, and documented control ownership. The practical test is simple: if the programme can prevent unauthorised access but cannot support a legitimate operator restoring a service, then the accountability model is incomplete. A strong zero trust design also needs evidence capture so that decisions are auditable without forcing every exception through a manual bottleneck.

These controls tend to break down in highly regulated, time-sensitive environments such as trading, healthcare, or emergency response when approvals are too centralised and recovery paths are not pre-approved.

Common Variations and Edge Cases

Tighter zero trust enforcement often increases friction and operational overhead, requiring organisations to balance assurance against continuity. That tradeoff becomes sharper when compliance stakeholders and mission stakeholders use different success criteria, because one side may prioritise strong preventive controls while the other needs uninterrupted service delivery.

Best practice is evolving around how much autonomy to give control owners during exceptional events. In mature environments, mission continuity is protected by documented break-glass access, tested failover paths, and predefined risk acceptance thresholds. In less mature programmes, exceptions are handled ad hoc, which creates both audit exposure and continuity risk. There is no universal standard for this yet, but current guidance suggests accountability should be explicit in governance charters, service ownership models, and incident playbooks rather than assumed from the security org chart.

Where identity and privilege are involved, the intersection with PAM and just-in-time access becomes important: the programme should still allow bounded emergency elevation without creating standing privilege. For regulated sectors, continuity objectives may also need to align with sector rules such as ISO/IEC 27001:2022 Information Security Management and, where financial crime controls are relevant, the FATF Recommendations on AML and KYC governance. The right answer is rarely “security alone” or “business alone”; it is a defined decision chain with named accountable owners for normal operations, exceptions, and recovery.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and ISO/IEC 27001:2022 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV Governance and oversight define who owns security outcomes versus mission impact.
NIST Zero Trust (SP 800-207) Zero trust requires continuous policy decisions and operational ownership.
NIST SP 800-53 Rev 5 CP-2 Contingency planning ensures controls do not block restoration and recovery.
ISO/IEC 27001:2022 A.5.2 Security roles and responsibilities must be formally assigned for governance clarity.

Set ownership for security decisions, continuity exceptions, and control exceptions in policy.