Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable for access evidence when CIP-015-2…
Governance, Ownership & Risk

Who is accountable for access evidence when CIP-015-2 audits occur?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Accountability sits with the utility’s security, IAM, and operational technology teams together, because access evidence depends on how entitlements are designed and how sessions are logged. If the access model is broad or the logs are incomplete, the organisation owns that gap. Framework alignment typically maps to NIST Cybersecurity Framework 2.0 and, where specific controls are in scope, NIST SP 800-53 Rev 5 Security and Privacy Controls.

Why This Matters for Security Teams

CIP-015-2 audits do not just ask whether access exists. They ask who can prove that access was designed, approved, reviewed, logged, and retained in a way that stands up to inspection. For utilities, that evidence usually spans IAM, security operations, and operational technology owners because no single team controls entitlements, session records, and exception handling end to end.

The practical risk is that audit failure often comes from evidence gaps rather than from a single technical misconfiguration. A broad role model, stale service account permissions, or incomplete session logging can all leave the organisation unable to demonstrate control intent. NHIs make this harder because their privileges are often persistent and under-observed; NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in its Ultimate Guide to NHIs. Current guidance from the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 points toward stronger ownership, traceability, and least privilege, but there is no universal standard for audit evidence packaging yet.

In practice, many security teams discover missing access evidence only after an audit request arrives, rather than through deliberate control testing.

How It Works in Practice

Accountability for access evidence should be assigned at two levels: control ownership and evidence custody. Control ownership sits with the team that defines the access model, while evidence custody sits with the team that can produce records showing what happened in production. In a utility environment, that usually means IAM owns entitlement design, OT owners validate plant or system access, and security operations retains logs, alerts, and investigative records. The evidence set should show who approved access, when it was granted, when it was reviewed, and whether it was still justified at the time of the audit.

For non-human identities, the evidence chain should also include service account inventories, secret rotation records, JIT or exception approvals where applicable, and immutable session logs for privileged activity. That aligns with the control intent in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where access review, audit logging, and privilege management are in scope. It also matches the practical governance themes in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.

  • Define one accountable owner for each access domain, even if evidence is gathered by multiple teams.
  • Keep a current inventory of human and non-human access, including shared and break-glass accounts.
  • Retain approval, review, and session artefacts in a way that is searchable and time-bound.
  • Reconcile entitlements against actual use so dormant access does not become audit exposure.

These controls tend to break down in hybrid IT and OT estates where legacy systems cannot generate consistent logs or where vendors hold administrative access outside the utility’s normal review cycle.

Common Variations and Edge Cases

Tighter evidence requirements often increase operational overhead, so utilities must balance audit readiness against the friction of collecting records from multiple platforms. That tradeoff becomes more visible when legacy OT systems, third-party maintenance access, or emergency operations override normal workflows.

Best practice is evolving for vendor-managed access and shared service accounts. There is no universal standard for this yet, but current guidance suggests treating those identities as high-risk, requiring named accountability, documented approval, and shorter review intervals than ordinary user access. Where access is highly dynamic, teams should prefer time-bounded approvals and immutable logging over standing permissions, because standing access is difficult to evidence cleanly after the fact.

The strongest evidence sets usually combine policy, configuration, and telemetry. A mature program can show the rule, show the approval, and show the execution record. That is the standard auditors tend to trust, especially when the underlying access path crosses security, IAM, and OT boundaries. For broader NHI risk context, NHI Mgmt Group’s Top 10 NHI Issues is useful for framing why privileged non-human access deserves the same rigor as human admin access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access governance and review ownership directly support audit evidence.
NIST SP 800-53 Rev 5AU-2Audit events must be defined so evidence can be produced consistently.
OWASP Non-Human Identity Top 10NHI-04Non-human identity visibility is essential to prove who had access and why.
NIST AI RMFGovernance requires clear accountability for automated or tool-using systems.

Assign one owner for each access domain and retain proof of approval, review, and revocation.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org