Subscribe to the Non-Human & AI Identity Journal
Home FAQ What do security and IAM teams get wrong…

What do security and IAM teams get wrong about custody concentration?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026

They often treat liquidity concentration as a market issue rather than a governance issue. In practice, concentration creates hidden trust dependencies, because a failure at one exchange or custodian can cascade into withdrawal freezes, pricing stress, and confidence loss. The control response is dependency mapping, not just incident response.

Why This Matters for Security Teams

Custody concentration is not just an operational resilience problem; it is a governance and trust dependency problem. When a small number of custodians, exchanges, or service providers hold most of the exposure, the organisation inherits a single point of failure for availability, pricing, access, and recovery. Security teams often focus on perimeter controls and incident response, but concentrated custody can fail upstream of those controls, where decision rights, withdrawal paths, and approval chains are actually controlled.

That is especially relevant when custody touches privileged access, secrets, or automated settlement workflows. The same pattern appears in non-human identity risk: if one dependency can authorise or move assets broadly, compromise becomes systemic rather than local. NIST’s Security and Privacy Controls treats resilience and access governance as core controls, not afterthoughts, and NHIMG research shows why teams underestimate this category of risk. In the State of Non-Human Identity Security, only 1.5 out of 10 organisations said they were highly confident in securing NHIs, underscoring how often hidden dependencies outpace control maturity. In practice, many teams only discover custody concentration after a freeze, failure, or compromise has already forced a crisis response.

How It Works in Practice

Effective response starts with dependency mapping, not just control hardening. Security and IAM teams need to identify where custody is concentrated across exchanges, prime brokers, wallets, signing services, cloud key stores, approval workflows, and the non-human identities that can move value or alter authority. The key question is not only who can access the asset, but who can disable, reroute, or delay access when a provider fails.

Practitioners should model custody concentration across four layers:

  • Access concentration: one admin path, one service account, or one token issuer controls too much.
  • Operational concentration: one vendor or custodian handles all withdrawals, reconciliations, or approvals.
  • Technical concentration: one key vault, signing system, or API integration becomes the brittle core.
  • Decision concentration: one team or control point can block recovery, rotate credentials, or release funds.

This is where identity governance matters. If an automated process holds privileged access, treat it like a high-risk NHI: define ownership, scope, rotation, monitoring, and break-glass procedures. NHIMG’s TruffleNet BEC Attack illustrates how stolen cloud credentials can turn a single trust path into broad operational impact, while Azure Key Vault privilege escalation exposure shows how mis-scoped access can collapse assumed separation. For control design, NIST SP 800-53 Rev. 5 supports access restriction, contingency, and monitoring controls, while OWASP guidance on agentic and model-driven systems is a useful parallel where automated actors can initiate or approve actions.

These controls tend to break down when custody is embedded in vendor-managed workflows with limited telemetry, because teams cannot see privilege sprawl or enforce independent recovery paths.

Common Variations and Edge Cases

Tighter custody controls often increase friction, so organisations have to balance resilience against liquidity, speed, and user experience. That tradeoff is real, and current guidance suggests there is no universal standard for how much concentration is too much in every environment. The right threshold depends on whether the asset is customer-facing, treasury-held, algorithmically controlled, or tied to regulated funds.

Edge cases matter. A centralised custodian may be acceptable when it is paired with independent auditability, redundant withdrawal paths, and documented recovery ownership. By contrast, concentration becomes more dangerous when the same provider also manages secrets, signers, and approval logic, because compromise or outage can eliminate both access and evidence. Security teams should also distinguish between temporary operational concentration and structural concentration. Temporary concentration can be managed with enhanced monitoring and time-bounded approvals. Structural concentration requires redesign, such as segregation of duties, alternate custody routes, and tested break-glass procedures.

Where non-human identities are used to trigger custody actions, IAM and security teams should treat those identities as first-class control points rather than implementation detail. That means reviewing scopes, token lifetimes, credential rotation, and logging before an event forces the issue. The practical failure mode is usually not a dramatic breach at the point of custody itself, but an inability to move, verify, or restore assets when the concentrated dependency fails.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Custody concentration is fundamentally a risk ownership and dependency problem.
NIST SP 800-53 Rev 5AC-6Over-privileged custodial paths create excessive authority across money-moving workflows.
NIST Zero Trust (SP 800-207)SC-7Distributed trust paths need segmented recovery and restricted control channels.
OWASP Non-Human Identity Top 10Automated custody workflows often rely on non-human identities and secrets.
NIST AI RMFWhere automation drives custody decisions, governance must cover model and agentic risk.

Map concentrated custody dependencies and assign formal risk owners before failure forces emergency decisions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org