Accountability sits with the covered entity, not with the convenience of the login architecture. If an organisation allows accounts to remain accessible without MFA, or fails to inventory the systems that should be protected, regulators can treat that as a governance failure regardless of whether the breach came through an internal, cloud, or third-party path.
Why This Matters for Security Teams
Missing MFA is rarely treated as a technical nuisance once a breach is investigated. It becomes an accountability issue because the organisation chose, tolerated, or failed to enforce an access model that left sensitive systems reachable. In practice, regulators and incident reviewers look at control ownership, inventory coverage, and whether authentication requirements were applied consistently across internal apps, cloud services, and third-party paths. That is why the question is not only who signed in, but who owned the decision to leave the path open.
NHIMG’s analysis of The 52 NHI breaches Report shows how often identity control gaps become breach enablers, especially when credentials or access paths are not governed as a complete surface. The same pattern appears in broader research on AI-enabled intrusion: the Anthropic report on the first AI-orchestrated cyber espionage campaign shows how quickly attackers operationalise whatever authentication gap is available.
In practice, many security teams encounter MFA exceptions only after an exposed account has already been used to move laterally or extract data.
How It Works in Practice
Accountability usually follows control ownership, not the path the attacker used. If MFA was missing, weak, bypassed, or inconsistently enforced, the investigation typically asks which team owned identity policy, which system owner approved the exception, and whether the organisation had a current inventory of assets that should have been protected. That matters because a breach through a cloud console, VPN, SaaS app, or partner portal still traces back to the same governance question: was multifactor authentication required for that access path, and was it actually enforced?
For non-human identities and autonomous workloads, the failure mode is often broader than a single login. A missing MFA control may sit alongside stale secrets, over-privileged service accounts, or unmanaged API access. NHIMG’s 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which shows how governance gaps compound when identity sprawl is left untracked. In a mature program, MFA policy is paired with inventory, ownership, exception handling, and periodic validation that the control still applies.
Practitioners usually map this to a few operational steps:
- Identify the system owner, identity owner, and control owner for every access path.
- Confirm whether MFA was required by policy, waived by exception, or simply absent.
- Check whether the account was human, non-human, or a shared access pattern.
- Review logs for privilege escalation, token theft, or reuse after initial access.
- Document whether the control gap was a design failure, a configuration failure, or a monitoring failure.
Current guidance suggests that accountability should remain with the covered entity even when a third party administers the login stack, because delegated administration does not delegate the duty to secure access. These controls tend to break down in legacy SSO estates and partner-integrated environments because MFA policy is fragmented across systems and no single owner can prove enforcement end to end.
Common Variations and Edge Cases
Tighter MFA enforcement often increases operational friction, requiring organisations to balance breach reduction against support burden and exception management. That tradeoff is real, but it does not remove accountability when a breach occurs.
There is no universal standard for every authentication scenario yet, especially where service accounts, API clients, or machine-to-machine access are involved. In those cases, MFA may not be the right control at all, and the better question is whether workload identity, short-lived credentials, and conditional authorisation were used instead. For agentic or autonomous systems, current guidance suggests that static login assumptions are the wrong model because tool-using systems do not behave like human users.
That distinction matters for incident review. A human account missing MFA can indicate a governance failure; a non-human identity exposed through long-lived secrets can indicate a lifecycle failure; an AI agent with excess tool access can indicate a design failure. NHIMG’s Microsoft Midnight Blizzard breach is a useful reminder that once one identity control fails, attackers often chain the failure into broader access. The practical takeaway is that accountability should be traced to the team that owned the control decision, not to whichever system happened to be compromised first.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity inventory and ownership are central when MFA is missing. |
| NIST CSF 2.0 | PR.AC-1 | Access control governance determines who is accountable for missing MFA. |
| NIST AI RMF | AI RMF governance helps assign accountability for autonomous access decisions. |
Establish governance for access decisions, exceptions, and monitoring before autonomous systems are deployed.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
