Subscribe to the Non-Human & AI Identity Journal

Who is accountable when MFA does not meet U.S. requirements?

Accountability usually sits with the identity, security, and compliance owners who approved the control design and the business teams that accepted weak exceptions. In regulated environments, the question is not only who deployed the system, but who allowed an authentication model that could not withstand phishing or prove assurance under review.

Why This Matters for Security Teams

When MFA falls short of U.S. requirements, the issue is rarely just the login method. It becomes a governance failure across assurance, phishing resistance, exception handling, and auditability. In regulated environments, teams are expected to show that the control design meets the intent of the requirement, not merely that some form of second factor exists. NIST SP 800-53 Rev 5 Security and Privacy Controls makes that distinction operationally important, especially where authentication must be resilient and reviewable.

Accountability therefore extends beyond the IAM team. Security leadership, compliance owners, application owners, and business approvers all share responsibility when a weaker MFA pattern is accepted, inherited, or left in place after risk was identified. That is especially true when legacy authentication, SMS-based flows, or exception-driven access paths remain active after a better option is available. NHIMG research shows how often identity weaknesses become systemic, with the Ultimate Guide to NHIs noting that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. In practice, many security teams encounter accountability questions only after an audit finding, incident, or failed recertification has already exposed the control gap.

How It Works in Practice

Determining accountability starts with the control owner, then traces outward to the people who approved the design, accepted the residual risk, and signed off on any exception. For U.S. requirements, that means looking at whether the MFA method was actually phishing-resistant, whether it was enforced consistently, and whether the evidence package could survive review. A control that exists on paper but is bypassed for privileged users, third parties, or legacy workflows is usually a shared failure rather than a single technical miss.

Practitioners typically map this in four layers:

  • Identity and access teams own the technical enforcement and factor lifecycle.
  • Security architecture owns the standard for acceptable assurance and exceptions.
  • Compliance and risk owners validate that the control meets regulatory intent.
  • Application or business owners approve any operational tradeoff when the standard cannot yet be met.

That model aligns with how NIST treats control implementation evidence in NIST SP 800-53 Rev 5 Security and Privacy Controls, where accountability depends on whether the safeguard is implemented, monitored, and reviewed, not merely documented. NHIMG incident analysis also shows the operational cost of weak identity discipline in cases such as the Microsoft Midnight Blizzard breach, where identity trust and control execution were central concerns. The practical test is simple: if the organisation cannot prove who approved the weaker MFA pattern and why, accountability remains unresolved. These controls tend to break down in hybrid environments with local exceptions, shadow IT, and shared admin accounts because ownership becomes fragmented across teams and tools.

Common Variations and Edge Cases

Tighter authentication controls often increase user friction and support overhead, requiring organisations to balance assurance against operational continuity. There is no universal standard for this yet, so current guidance suggests documenting the exact reason a weaker MFA path exists, the expiration date for the exception, and the person accountable for removing it.

Some environments create legitimate exceptions for break-glass access, plant-floor systems, service desks, or third-party integrations. Those cases do not remove accountability; they make it more explicit. The risk owner should be named, the compensating control should be defined, and the exception should be time-bound with periodic review. If a control is accepted because a vendor or legacy platform cannot support stronger MFA, the business owner still owns the decision to continue operating that way.

The cleanest way to avoid ambiguity is to treat MFA failures like any other control deficiency: assign a named control owner, record the approval chain, and tie remediation to a due date. In practical terms, that means an auditor should be able to trace the gap from design choice to business acceptance without guessing. The Schneider Electric credentials breach is a reminder that weak credential and authentication choices can become enterprise incidents, not isolated IAM issues. Accountability is clearest when the exception is temporary, the compensating control is measurable, and the risk acceptance is signed by someone with actual authority.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-7 Authentication assurance and access enforcement are central to this MFA accountability question.
NIST SP 800-63 Digital identity guidance defines assurance expectations for MFA methods and exceptions.
OWASP Non-Human Identity Top 10 NHI-03 Weak authentication and unmanaged secrets often drive the same accountability gaps as MFA failures.
NIST AI RMF Accountability and governance are required when identity controls affect regulated AI or automation.

Establish governance, review, and escalation for any identity control that fails assurance checks.