Subscribe to the Non-Human & AI Identity Journal

Duty-Of-Care Governance

The organisational responsibility to reduce harm when identity-related information exposes people to safety, legal, or reputational risk. It connects security, privacy, and operational response so that containment and protection actions happen together.

Expanded Definition

Duty-of-care governance is the decision framework that tells an organisation when identity-related data, credentials, and access conditions create a credible risk to people, not just systems. In NHI security, that means handling service accounts, API keys, tokens, certificates, and agent permissions with the same care used for sensitive operational or personal data. The concept is broader than standard access control because it links technical containment to human impact, including safety, legal exposure, customer trust, and executive accountability.

Definitions vary across vendors and governance programs, but the practical test is consistent: if an identity compromise could trigger harmful real-world outcomes, the organisation needs defined response obligations, escalation thresholds, and ownership. That makes duty-of-care governance a close companion to NIST Cybersecurity Framework 2.0, especially where governance and response functions must work together. It also aligns with the lifecycle and audit perspectives described in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs. The most common misapplication is treating duty-of-care as a privacy-only concern, which occurs when teams ignore operational harm from compromised machine identities or autonomous agents.

Examples and Use Cases

Implementing duty-of-care governance rigorously often introduces slower escalation and broader review requirements, requiring organisations to weigh faster automation against the cost of overlooking harm to people or business operations.

  • Revoking an exposed cloud API key before a production outage spreads to customer-facing services, then coordinating incident response with legal and communications teams.
  • Disabling an over-privileged agent identity after it begins accessing regulated records outside its intended workflow, even if the access technically succeeded.
  • Quarantining a third-party OAuth integration when its token scope is broader than documented, a pattern consistent with visibility gaps highlighted in The State of Non-Human Identity Security.
  • Applying review gates to machine-to-machine credentials that can affect medical, financial, or industrial systems where a compromise has real-world safety implications.
  • Using the audit lens in Ultimate Guide to NHIs — Regulatory and Audit Perspectives to document why containment decisions were made and who approved them.

In practice, duty-of-care governance shows up whenever an NHI incident cannot be treated as a routine IT event and must be managed as a cross-functional risk decision.

Why It Matters in NHI Security

When duty-of-care governance is weak, organisations tend to optimise for uptime or convenience while missing the downstream harm caused by compromised identities. That can leave tokens unrotated, service accounts over-privileged, and agent actions unreviewed until an incident becomes public or regulated. NHIMG research shows the scale of the problem: 72% of organisations have experienced or suspect a breach of non-human identities, including 46% confirmed and 26% suspected. That is not just a technical exposure rate, it is a governance warning that harm is already plausible inside the environment.

This is why duty-of-care belongs beside identity governance, incident response, and board-level risk oversight. It forces explicit ownership for containment, notification, and remediation when an identity can affect customer data, operational continuity, or safety outcomes. It also helps teams avoid the common failure mode of delaying action because the identity is “only a service account.” Organisations typically encounter the need for duty-of-care governance only after a compromised identity produces visible harm, at which point coordinated response becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM, RS.CO Governance and coordinated response map directly to NIST CSF risk and communications outcomes.
NIST AI RMF AI risk management addresses human impact, accountability, and lifecycle harms from automated systems.
OWASP Agentic AI Top 10 Agentic systems create execution risks that require governance beyond simple access control.
OWASP Non-Human Identity Top 10 NHI-09 NHI governance must address over-privilege, secret exposure, and incident containment.
NIST Zero Trust (SP 800-207) PL-TRUST, SA-3 Zero trust requires continuous verification and explicit trust decisions for identities and sessions.

Define harm thresholds, assign owners, and coordinate containment with business and legal response paths.