Subscribe to the Non-Human & AI Identity Journal

Who is accountable when an intrusion becomes a service outage and data theft event?

Accountability usually spans security, identity governance, infrastructure operations, and business continuity leadership, because the failure crosses detection, privilege control, and recovery. Frameworks such as NIST CSF and NIST SP 800-53 place responsibility on access control, monitoring, and recovery planning, which means the incident cannot be treated as a security team problem alone.

Why This Matters for Security Teams

An intrusion that turns into both a service outage and a data theft event is rarely owned by a single function. The accountability chain usually spans identity governance, infrastructure operations, detection and response, backup and recovery, and executive business continuity because each group controls a different failure point. NIST’s Security and Privacy Controls makes that shared responsibility model explicit across access control, monitoring, incident response, and recovery.

NHI Management Group research shows how often the root cause sits in identity plumbing rather than perimeter tools: 80% of identity breaches involved compromised non-human identities such as service account and API keys, and 97% of NHIs carry excessive privileges. That means a “security-only” postmortem often misses the operational decisions that let the intrusion spread, the outage deepen, and the data exfiltration persist. The hardest question is not who noticed first, but who had authority to prevent blast-radius expansion before the business impact became visible. In practice, many security teams encounter accountability debates only after customer-facing systems have gone offline and data has already left the environment.

How It Works in Practice

Accountability should be mapped to the control that failed, not just the team that declared the incident. If the breach began with a stolen service account, identity governance owns credential lifecycle, operations owns system hardening and segmentation, security owns detection and containment, and continuity leadership owns service restoration priorities. If the same event caused data theft, privacy and legal functions also become accountable for notification, preservation, and regulatory response.

A useful way to assign responsibility is to break the incident into four stages:

  • Initial access: identity or application owners are accountable for weak secrets, excessive privilege, or missing rotation.
  • Lateral movement: infrastructure and platform teams are accountable for segmentation, trust boundaries, and access paths.
  • Detection and containment: security operations is accountable for monitoring coverage, triage, and isolation decisions.
  • Recovery and reporting: business continuity, operations, and legal/privacy leaders are accountable for service restoration, evidence retention, and notification timing.

This model aligns with Ultimate Guide to NHIs — Key Research and Survey Results, which shows how often weak identity hygiene creates the conditions for both compromise and operational disruption. It also reflects the control intent in NIST SP 800-53 Rev 5 Security and Privacy Controls, where access control, audit logging, incident response, and recovery planning are separate but connected obligations.

For practitioners, the practical step is to pre-assign accountable owners in the incident runbook before an event happens. That means defining who can revoke credentials, who can shut down affected services, who can authorize failover, and who can approve disclosure actions. These controls tend to break down in multi-cloud environments where platform ownership is fragmented and no single team has end-to-end authority over identities, workloads, and recovery paths.

Common Variations and Edge Cases

Tighter accountability often increases coordination overhead, requiring organisations to balance faster decision-making against clearer ownership boundaries. In cloud and SaaS-heavy environments, the hardest edge case is shared control, where a provider manages infrastructure uptime but the customer still owns identity misuse, data exposure, and many recovery decisions. Current guidance suggests that this split should be documented explicitly, because “shared responsibility” is not the same as shared accountability.

Another common exception is when the outage is caused by deliberate containment. If security disables a compromised account or isolates a workload, the service may fail by design, but the resulting outage is still part of a successful response. In that case, accountability should not be assigned as a failure to operations alone. The relevant question is whether the compromise was detected early enough and whether the response preserved both availability and evidentiary integrity.

This is also where NHI-specific risk matters. If an attacker used stolen API keys or service account tokens, the operational owner of the workload, the identity owner of the secret lifecycle, and the responder who approved containment all have partial accountability. The distinction matters because remediation is often delayed: NHI Mgmt Group research shows 91.6% of secrets remain valid five days after notification, which means accountability must include follow-through, not just incident declaration. In mixed service and data events, the question is less about a single guilty team and more about whether the organisation had enforceable ownership across access, uptime, and recovery.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 RS.RP-1 Incident response planning defines who acts when outages and theft overlap.
OWASP Non-Human Identity Top 10 NHI-03 Secret lifecycle failures often underpin the intrusion that triggers both outage and theft.

Assign response owners and decision rights before incidents so containment, recovery, and notification are coordinated.