Subscribe to the Non-Human & AI Identity Journal

Custody Privilege Drift

The gradual expansion of authority in an asset-handling workflow until the same identity can observe, recover, and move value. This is a governance failure because access that begins as operational support can silently become transfer authority if it is not tightly scoped and reviewed.

Expanded Definition

Custody privilege drift describes a governance pattern where an identity assigned to handle an asset gradually acquires more power than the original business need justified. In practice, this often starts with narrow support access, then expands through exceptions, emergency approvals, inherited permissions, or workflow convenience until the same identity can view, recover, release, and transfer value. The risk is not a single over-permissioned role so much as permission creep across the full custody lifecycle.

This term matters most in identity-heavy environments such as treasury operations, key management, recovery processes, and NHI administration, where one workflow may bridge operational handling and irreversible action. It overlaps with least privilege, separation of duties, and privilege lifecycle control, but it is more specific than generic access creep because the authority shift follows custody itself. Guidance is still evolving across vendors and security teams, so the safest interpretation is to treat any custody path as a high-risk privilege boundary rather than a routine admin function. NHI Management Group aligns this concept with the wider governance concerns reflected in the OWASP Non-Human Identity Top 10, especially where service identities gain expanded operational reach over time. The most common misapplication is assuming a custody role remains benign after it gains recovery or transfer capability, which occurs when exception access is never re-scoped after the original task changes.

Examples and Use Cases

Implementing custody controls rigorously often introduces friction in incident response and recovery, requiring organisations to weigh operational continuity against the cost of tighter approval paths.

  • A digital asset operations account is created to monitor deposits, but later receives permission to approve withdrawals during staffing shortages.
  • A key recovery workflow allows one operator to retrieve secrets and also rotate or export them, collapsing two distinct custody steps into one identity path.
  • A support engineer with temporary access to restore customer access retains that privilege after the ticket closes, creating an unreviewed transfer channel.
  • An NHI used by automation to reconcile transactions also gains release authority when teams reuse the same service account across multiple systems.
  • A privileged admin role for vault operations accumulates emergency bypass rights over time, even though the original design assumed human dual control.

These patterns are closely related to policy failures described in OWASP Non-Human Identity Top 10, where machine and service identities can become over-trusted through operational reuse. They also echo the intent of NIST Zero Trust Architecture, which assumes access must be continuously evaluated rather than implicitly extended. In custody-heavy workflows, the control question is not whether an identity can do the job once, but whether it should still be able to do it after the job changes.

Why It Matters for Security Teams

Security teams need to understand custody privilege drift because it undermines both prevention and accountability. Once operational support identities can also move value, separation of duties becomes difficult to prove, audit trails become less meaningful, and recovery paths can be abused as transfer paths. That creates exposure across IAM, PAM, NHI governance, and high-trust automation, especially where the same identity is reused across monitoring, remediation, and execution.

The consequence is often silent until an exception is exercised, at which point the organisation discovers that a supposedly limited workflow can already perform irreversible actions. For that reason, custody paths should be reviewed as privilege boundaries, not just business processes. Frameworks such as NIST SP 800-53 reinforce the need for least privilege, access review, and separation-of-duty controls, while NIST SP 800-63 helps security teams think clearly about assurance when identities are delegated authority. Organisations typically encounter the real cost only after a transfer, recovery abuse, or audit failure, at which point custody privilege drift becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Least-privilege access and permission management address custody role expansion.
NIST SP 800-53 Rev 5 AC-6 Least privilege control applies when custody accounts gain unnecessary transfer authority.
NIST SP 800-63 Digital identity assurance matters when delegated custody authority depends on trustworthy identity proofing.
OWASP Non-Human Identity Top 10 NHI governance covers service identities that accumulate sensitive operational and transfer rights.
NIST Zero Trust (SP 800-207) Zero Trust rejects implicit trust in identities that have expanded custody capabilities.

Review custody identities regularly and remove any authority not needed for the current workflow.