Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a service provider helps sanctions evasion?

Accountability sits with the organisation that approves, monitors, and continues the relationship with the provider, not just with the service itself. When intermediaries route suspicious flows, governance should include onboarding due diligence, continuous reassessment, and documented offboarding. That is especially important where the provider can change labels without changing capability.

Why This Matters for Security Teams

Sanctions evasion through a service provider is not just a compliance failure, it is a governance failure. The accountable party is usually the organisation that selected the provider, defined the permitted use, and allowed the relationship to continue after warning signs emerged. That means procurement, legal, compliance, security, and business owners all have a role in control design. NIST SP 800-53 Rev 5 Security and Privacy Controls is a useful baseline because it treats third-party risk, access control, auditability, and monitoring as enforceable controls rather than paper assurances.

The hard part is that provider relationships often look legitimate until transaction patterns, routing behaviour, or counterparties reveal a mismatch with policy. Sanctions programmes fail when due diligence is treated as a one-time event and when exception handling becomes a silent approval path. A service provider may claim neutrality, but the customer still owns the decision to engage, retain, and supervise that channel. In practice, many security teams encounter sanctions exposure only after regulators, banks, or downstream partners have already flagged the relationship, rather than through intentional monitoring.

How It Works in Practice

Operational accountability starts with ownership. The business sponsor should define what the provider is allowed to do, compliance should define the prohibited jurisdictions and entities, and security should verify the control evidence behind those claims. For higher-risk providers, current guidance suggests using documented risk tiers, contract clauses for sanctions compliance, audit rights, and event-driven reassessment. Where the provider touches payments, logistics, hosting, identity, or account provisioning, the control set should also cover data visibility and abuse detection.

Practically, teams should connect screening, monitoring, and escalation into one workflow. That includes:

  • Pre-contract due diligence on ownership, geography, beneficial control, and subprocessor chains.
  • Continuous monitoring for route changes, shell entities, shared infrastructure, or sudden label changes.
  • Clear triggers for escalation when counterparties, destinations, or usage patterns shift.
  • Documented offboarding steps so risk owners cannot delay action after a control breach.

Where identity is involved, the intersection is especially important. If a provider issues credentials, API keys, or delegated access, then entitlement governance becomes part of sanctions control. NIST CSF 2.0 supports this kind of operational ownership by tying governance and supply-chain risk together, while CISA supply chain risk management guidance reinforces the need to understand who is actually controlling the service path. These controls tend to break down when the provider operates through layered resellers or opaque subcontractors because attribution, evidence collection, and enforcement become too slow for meaningful intervention.

Common Variations and Edge Cases

Tighter provider oversight often increases legal review, monitoring effort, and commercial friction, requiring organisations to balance speed of onboarding against enforcement depth. That tradeoff becomes more pronounced when the provider is embedded in a critical workflow, because stopping the service may affect customers, payment flows, or operational continuity. Best practice is evolving on how much automated detection is sufficient, and there is no universal standard for this yet.

Edge cases matter. A provider that merely transmits data is not the same as one that can route, transform, or repackage activity in ways that mask origin or destination. Similarly, a sanctioned party may not appear directly on a screening list if an intermediary, reseller, or affiliate is used. In those cases, accountability still sits with the organisation that chose to rely on the channel and failed to test whether the intermediary could be used as a concealment layer. The strongest programmes combine contract controls, attestations, log review, and periodic adverse media checks, supported by formal governance and IOSCO expectations on third-party risk management.

For identity-heavy services, the key question is whether the provider can create, delegate, or preserve access in a way that undermines sanctions controls. If so, that provider should be treated as part of the control boundary, not as an external excuse.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 provides the primary governance reference for this topic.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.SC-01 Third-party risk governance fits sanctions exposure from providers.

Assign a named owner to each provider and review sanctions risk on a defined cadence.