Accountability sits with the organisation’s identity and access owners, not only with the application team that exposed the weakness. Customer IAM is a shared governance domain, so security, digital product, and compliance leaders all need defined responsibilities for exceptions, logging, and policy enforcement across customer channels.
Why This Matters for Security Teams
A weaker customer login portal is not just an application defect. It is an identity control failure that can turn into account takeover, session theft, or privilege abuse across the customer journey. Accountability therefore sits with the organisation that sets identity policy, exception handling, logging, and recovery controls, not only with the team that shipped the vulnerable portal. The practical risk is that customer IAM is often split across product, security, fraud, and compliance, which creates gaps in ownership exactly where attackers look for them. NHI Management Group’s 52 NHI Breaches Analysis shows how quickly identity weaknesses become operational incidents, and NIST’s Cybersecurity Framework 2.0 reinforces that governance and access control are enterprise responsibilities, not isolated technical tasks. When a portal is weaker than the rest of the estate, it usually means the same login trust was extended into an environment that never received the same review depth or monitoring threshold. In practice, many security teams discover this only after customer fraud, support escalation, or breach notification has already forced a post-incident ownership review.
How It Works in Practice
In practice, accountability should be mapped to the controls that decide who may authenticate, what proof is required, and how failures are detected and contained. The application team may own the code, but identity and access owners should own the login policy, step-up authentication rules, session lifetimes, and the conditions for bypasses or exception approvals. That distinction matters because the breach path often begins with weak password reset logic, missing MFA enforcement, exposed recovery flows, or inconsistent logging across channels.
Operationally, teams should define three layers of responsibility:
- Policy ownership: identity leaders approve the authentication baseline, risk scoring, and exception criteria.
- Implementation ownership: product and engineering teams integrate those controls into the portal, APIs, and support tools.
- Detection ownership: security operations and fraud teams monitor anomalous login attempts, token replay, and account recovery abuse.
This is where CISA Zero Trust Maturity Model is useful: a weaker portal should never be treated as a standalone trust island. The same identity signals should flow into telemetry, risk decisions, and incident response. For NHI-heavy customer environments, NHI Management Group’s Ultimate Guide to NHIs is a reminder that breach paths often expand through shared service accounts, backend tokens, and automation attached to customer-facing workflows. Where governance is mature, incident runbooks identify a named decision owner for auth policy changes, a named approver for emergency relaxations, and a named reviewer for post-incident access recertification. These controls tend to break down when legacy portals, outsourced development, and separate customer support systems each enforce different login standards because attackers simply target the weakest enforcement point.
Common Variations and Edge Cases
Tighter login governance often increases friction for customers and support teams, so organisations must balance abuse prevention against conversion, usability, and exception handling. There is no universal standard for exactly how much risk can be delegated to a product team versus a central identity function, but current guidance suggests the accountability model should follow control ownership, not org chart convenience. That matters most when a breach starts in a portal that is older, externally hosted, or acquired as part of a merger, because the weakest link may sit outside the primary engineering backlog.
Two common edge cases complicate blame assignment. First, if the portal is managed by a vendor, accountability still remains with the customer organisation for oversight, assurance, and access policy approval. Second, if the breach involved machine-driven abuse such as credential stuffing or session farming, the issue is not only code quality but whether the authentication design anticipated automated attack volume. NHI Management Group’s 2024 ESG Report on Managing Non-Human Identities highlights how often organisations already believe their identities are insufficiently secured, which is a reminder that weak portals are usually symptoms of broader governance gaps rather than one-off mistakes. The right question is not who wrote the failing portal first, but who owned the decision to accept that level of identity risk across customer channels.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Defines governance ownership for identity risk and control accountability. |
| OWASP Non-Human Identity Top 10 | NHI-01 | A weak portal often exposes secrets, sessions, or service identities. |
| NIST SP 800-63 | AAL2 | Customer login assurance level determines how strong portal authentication must be. |
Set authentication assurance targets and enforce them consistently across customer portals.
Related resources from NHI Mgmt Group
- Who is accountable when configuration drift causes an access failure or breach?
- Who is accountable when a local door decision causes an access failure or breach?
- Who is accountable when healthcare portal consent fails GDPR tests?
- Who is accountable when a service account breach exposes customer data?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org