Subscribe to the Non-Human & AI Identity Journal
Home FAQ What do organisations get wrong about crypto market…

What do organisations get wrong about crypto market recovery?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026

They often assume recovery is mainly a market or finance issue, when it is also a security and compliance issue. As activity increases, weak identity checks, over-trusted counterparties, and poor segregation of duties become more consequential. Recovery exposes control debt that was easier to ignore in a quieter market.

Why This Matters for Security Teams

Crypto market recovery changes the risk profile faster than many governance programs can absorb. More counterparties, faster onboarding, and a rush to capture volume often push controls into the background. That is when weak identity assurance, informal approvals, and inconsistent segregation of duties become exploitable. The issue is not just fraud loss, but exposure to sanctions, AML failures, account takeover, and custody risk during a period of heightened operational pressure.

For security and compliance leaders, the practical mistake is assuming expansion can be managed with the same shortcuts that were tolerated during a downturn. In recovery, transaction volume rises, integration sprawl grows, and privileged access decisions are made under time pressure. NIST Cybersecurity Framework 2.0 emphasizes governance and risk management as core functions, not postscript tasks, which is especially relevant when business teams want to move faster than control design allows. See also the NIST Cybersecurity Framework 2.0 and NHIMG’s Ultimate Guide to NHIs — The NHI Market for the operational consequences of rapid ecosystem growth.

NHI Management Group notes that 92% of organisations expose NHIs to third parties, which is a direct reminder that recovery is also a third-party trust problem, not just a trading or treasury problem. In practice, many security teams encounter control failures only after new market activity has already expanded the blast radius.

How It Works in Practice

In a recovering crypto environment, the control plane usually stretches in three places: identity verification, access governance, and transaction oversight. New customers, counterparties, vendors, custodians, and bots often arrive faster than review workflows can validate them. That creates an opening for synthetic identities, mule activity, over-privileged service accounts, and stale approvals to persist inside production systems. Recovery also increases the number of API integrations, wallets, and automated workflows that depend on secrets and machine identities.

The right response is to treat recovery as a control re-baselining exercise. Teams should re-check who can create accounts, approve withdrawals, rotate keys, modify limits, and onboard counterparties. They should also verify that machine-to-machine access is scoped tightly and that privileged actions require stronger assurance than normal user activity. This aligns with the identity assurance principles in NIST SP 800-63 Digital Identity Guidelines, while the broader governance model should be mapped to the NIST Cybersecurity Framework 2.0.

  • Reassess onboarding controls for exchanges, brokers, market makers, custodians, and high-risk clients.
  • Review segregation of duties for trading, treasury, withdrawals, refunds, and admin overrides.
  • Inventory non-human identities, API keys, and automation accounts used by market operations.
  • Require step-up verification for changes to limits, payout destinations, and privileged entitlements.
  • Monitor for abnormal velocity, reused credentials, and approval chains that bypass intended review.

This is where NHI governance becomes relevant: service accounts and API keys often become the fastest path from a business need to a security incident. NHIMG’s research shows that only 5.7% of organisations have full visibility into their service accounts, and the same visibility gap can hide risk in recovery-era integrations. These controls tend to break down when market growth is driven by temporary staffing, rushed vendor integration, and manually managed exceptions because review ownership becomes diffuse.

Common Variations and Edge Cases

Tighter controls often increase friction and can slow onboarding, so organisations have to balance growth objectives against verification depth and access restriction. That tradeoff is real, especially when leaders want to capture liquidity quickly after a market downturn.

There is no universal standard for recovery-stage crypto operations, but current guidance suggests that higher-volume environments should apply stronger monitoring to high-risk flows rather than relaxing controls. For regulated firms, that means differentiating retail onboarding from institutional accounts, and differentiating ordinary staff access from sensitive treasury or custody privileges. The NIST Cybersecurity Framework 2.0 is useful here because it keeps governance, detection, and response connected instead of treating them as separate workstreams.

Edge cases matter. Some firms rely heavily on outsourced liquidity providers or wallet infrastructure, which means third-party compromise can look like normal business activity until funds move. Others use a large number of bots and programmatic controls, where the real control failure is not human negligence but untracked machine authority. That is why NHIMG’s Ultimate Guide to NHIs — The NHI Market is especially relevant when automation scales alongside recovery. In practice, recovery failures are often introduced by exception handling and legacy access patterns rather than by a single dramatic breach.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST SP 800-63 set the technical controls, and NIS2 and PCI DSS v4.0 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Recovery needs explicit risk prioritisation as access and counterparties expand.
NIST SP 800-63IAL/AAL/FALStronger identity assurance is central when onboarding accelerates during recovery.
OWASP Non-Human Identity Top 10NHI-03Service accounts and API keys often become over-privileged during rapid expansion.
NIS2Article 21Operational resilience and access control obligations apply as critical services scale.
PCI DSS v4.07Where payments or card data are involved, privilege boundaries must stay tight.

Inventory and least-privilege all non-human identities before onboarding new integrations.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org