Subscribe to the Non-Human & AI Identity Journal

Who is accountable when account takeover or BEC leads to loss?

Accountability usually spans security, identity, fraud, and business operations because the failure often occurs at the boundary between communication trust and authorisation. Organisations should assign ownership for verification, approval, and revocation controls so that no single team can assume the other has closed the gap.

Why This Matters for Security Teams

account takeover and business email compromise create a governance problem before they become a technical incident. The real failure is often not a missing alert, but a missing owner for decisions such as who can approve a payment, who can reset access, and who can confirm a request came from a trusted party. NIST SP 800-53 Rev 5 Security and Privacy Controls links accountability to explicit control ownership, review, and enforcement, which is why these events need joint handling across identity, fraud, security operations, and business process owners.

When accountability is unclear, teams tend to optimise their own control layer while leaving the handoff unprotected. Security may monitor login anomalies, identity may manage credentials, finance may trust email approvals, and operations may rely on informal exceptions. That split leaves attackers room to exploit the gap between authentication and authorisation, especially when the compromise is paired with social engineering or mailbox control. In practice, many organisations discover the ownership gap only after a fraudulent transfer or privileged mailbox abuse has already occurred, rather than through intentional control design.

How It Works in Practice

Effective accountability starts with assigning named control owners for the full chain of trust, not just for a single system. For account takeover, that means ownership for identity proofing, authentication strength, recovery flows, session monitoring, and revocation. For BEC, it means ownership for message verification, out-of-band approval, payment validation, and exception handling. Current guidance suggests that these responsibilities should be mapped to business impact, because the party best able to detect a suspicious login is not always the party best able to stop a fraudulent transfer.

A practical operating model usually includes the following:

  • Identity teams own authentication policy, recovery safeguards, and lifecycle controls for privileged and standard accounts.
  • Security operations own detection, triage, and escalation for anomalous access, impossible travel, and mailbox rule abuse.
  • Fraud or finance teams own validation of high-risk payment requests and changes to beneficiary details.
  • Business leaders own approval thresholds, callback requirements, and exception acceptance for urgent transactions.

This should be backed by evidence, not verbal assurance. Logging, case management, and approval records need to show who approved what, when the control was bypassed, and whether the bypass was sanctioned. For email-driven fraud, guidance from CISA on business email compromise is useful because it reinforces the need for process controls alongside technical controls. Where organisations use stronger identity assurance, the relevant baseline is often NIST SP 800-63 Digital Identity Guidelines for assurance and recovery decisions.

These controls tend to break down when finance systems, collaboration tools, and identity platforms are managed separately because no single team sees the full attack path.

Common Variations and Edge Cases

Tighter verification often increases friction for legitimate users, requiring organisations to balance speed against fraud resistance. That tradeoff becomes sharper in high-volume environments, where urgent approvals, delegated authority, and cross-border transactions are routine. Best practice is evolving, and there is no universal standard for exactly which team must own every step, but the accountability model should still be explicit and testable.

Edge cases usually appear when the takeover is partial rather than complete. A compromised inbox may be enough to redirect invoices, change payroll details, or harvest internal approvals without triggering classic identity alerts. In those situations, responsibility is shared across the team that controlled the compromised account, the team that accepted the request, and the team that failed to challenge the anomaly. That does not mean blame is shared equally; it means the control gap is shared and must be mapped clearly.

Higher-risk environments also need stronger separation of duties and independent confirmation channels. For regulated sectors, this often means aligning with NIST Cybersecurity Framework 2.0 outcomes for governance, protection, and response, while using organisation-specific playbooks to define who can freeze accounts, cancel transfers, or escalate to law enforcement. Where customer identity and financial workflows overlap, NIST SP 800-53 Rev 5 Security and Privacy Controls remains a practical reference for accountability, access enforcement, and incident handling. The model is strongest when every exception path has a named approver and an audit trail.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the technical controls, while PCI DSS v4.0 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 Governance and oversight are central when multiple teams share accountability.
NIST SP 800-63 Identity proofing and recovery assurance affect takeover accountability.
PCI DSS v4.0 7.2.1 Least-privilege and approval control matter when payments are redirected.

Assign named owners for identity, fraud, and response decisions, then review outcomes through governance meetings.