Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when a customer disputes a…
Governance, Ownership & Risk

Who is accountable when a customer disputes a digitally authorised action?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Accountability rests with the organisation operating the IAM and transaction controls, because it must be able to prove identity, authorisation, and evidence integrity. In regulated sectors, that means combining access governance with retention, logging, and investigation readiness. If the evidence chain is weak, accountability remains ambiguous.

Why This Matters for Security Teams

When a customer disputes a digitally authorised action, the dispute is rarely about a single log line. It becomes a test of whether the organisation can prove who acted, what was authorised, and whether the evidence chain stayed intact from request to execution. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls is clear that auditability, integrity, and accountability are control objectives, not afterthoughts. NHIMG’s Ultimate Guide to NHIs shows why this is hard in practice: 97% of NHIs carry excessive privileges, and 79% of organisations have experienced secrets leaks, which makes disputed actions much harder to reconstruct cleanly.

The operational risk is bigger than fraud response. If IAM, transaction controls, logging, and retention are split across teams, accountability becomes fragmented and evidence becomes contestable. The organisation operating the system is still accountable, even when the action was initiated by a human, service account, API key, or autonomous workflow. In practice, many security teams discover weak accountability only after a customer challenges a transaction, rather than through intentional evidence testing.

How It Works in Practice

Accountability depends on whether the organisation can produce a coherent chain of evidence. That chain should connect identity proof, authorisation decision, transaction context, and immutable logs. For NHI-driven or agent-assisted actions, the identity primitive is often the workload itself, not a person. That means the system must record which service account, token, certificate, or agent performed the action, what policy allowed it, and what data or system state was in scope.

Practitioner controls usually include:

  • Strong authentication and workload identity for the actor, including short-lived credentials where possible.
  • Request-time authorisation, so the decision reflects current context rather than a stale role assignment.
  • Tamper-evident logging for authentication, approval, transaction execution, and post-action changes.
  • Retention and legal hold rules that preserve evidence long enough for dispute windows and investigations.
  • Separate ownership of IAM, transaction systems, and evidence management so no single gap breaks the chain.

This is also where NHI hygiene becomes decisive. NHIMG’s CI/CD pipeline exploitation case study illustrates how secret sprawl and pipeline trust can create actions that are technically authorised but operationally impossible to explain later. For broader context on why secret exposure expands dispute risk, see Millions of Misconfigured Git Servers Leaking Secrets. These controls tend to break down when authorisation happens in one platform, execution in another, and logs are neither synchronised nor integrity-protected, because the evidence chain cannot be reconstructed end to end.

Common Variations and Edge Cases

Tighter evidence controls often increase operational overhead, requiring organisations to balance stronger non-repudiation against faster customer response times. That tradeoff becomes visible in high-volume environments where every transaction cannot receive manual review.

There is no universal standard for this yet across all sectors, but current guidance suggests a few important distinctions. If the disputed action was performed by a human with delegated authority, accountability usually sits with the organisation and the delegated decision process. If it was executed by an NHI or agent, accountability still sits with the organisation, but the evidence must show the workload identity, the runtime policy decision, and the exact inputs that triggered execution.

Edge cases often involve shared accounts, break-glass access, or partially automated approval workflows. Those patterns can obscure who made the effective decision unless the system records approval provenance and step-up authentication. Disputes also become harder when logs are retained but not normalized, or when teams rely on application traces without matching IAM and infrastructure records. In regulated environments, the safest position is to treat accountability as an organisational obligation and evidence integrity as a control requirement, not a forensic convenience.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-04Disputed actions often hinge on provable workload identity and traceability.
CSA MAESTROMAESTRO-3Agent and workflow accountability depends on runtime governance and auditability.
NIST AI RMFAI RMF emphasizes governance, accountability, and traceability for automated decisions.
NIST CSF 2.0PR.AC-1Identity proof and access governance are central to disputed transaction accountability.
NIST Zero Trust (SP 800-207)Zero Trust requires continuous verification and explicit evidence of each request.

Ensure identities are authenticated, authorised, and logged before any sensitive action executes.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org