Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when a fraud guarantee shifts…
Governance, Ownership & Risk

Who is accountable when a fraud guarantee shifts liability away from the merchant?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Accountability still sits with the merchant for selecting the control model, defining review thresholds, and setting escalation rules. A guarantee changes who pays for fraud losses, but it does not remove the merchant’s responsibility to understand what evidence supports approval and where the residual risk now lives.

Why This Matters for Security Teams

Fraud guarantees can change the cost of an incident, but they do not change the operational burden of proving that a transaction was legitimate or worthy of approval. Security, fraud, and payments teams still need clear ownership for policy design, evidence retention, and exception handling. That matters because guarantees often create a false sense of closure when the real risk is shifted, not eliminated.

For merchants, the issue is not only who absorbs the loss. It is also who defines the control model, who reviews edge cases, and who can explain why a transaction was accepted under the relevant policy. That is why the governance question remains internal even when external liability moves elsewhere. As Ultimate Guide to NHIs notes, 97% of NHIs carry excessive privileges, which is a reminder that weak control design tends to compound rather than disappear under commercial arrangements.

Current guidance suggests using formal control ownership and escalation paths, not informal assumptions about a vendor guarantee. In practice, many security teams encounter the accountability gap only after a fraud dispute exposes that no one can defend the original approval decision.

How It Works in Practice

When a fraud guarantee shifts liability, the commercial contract typically changes who reimburses the loss, but not who operates the control environment. The merchant still has to decide what “good enough” evidence looks like, how much manual review is acceptable, and which signals should trigger step-up checks or rejection. That operating model should be documented and mapped to the relevant control framework, including NIST SP 800-53 Rev 5 Security and Privacy Controls where access, auditability, and risk response are concerned.

In practice, accountability usually breaks into four areas:

  • Policy ownership: who defines approval thresholds and exception criteria.
  • Evidence ownership: who preserves logs, device signals, KYC artifacts, and review notes.
  • Escalation ownership: who can override an automated decision and under what conditions.
  • Residual risk ownership: who accepts the risk left after the guarantee is applied.

This is especially important in fraud workflows that rely on automation, because model outputs, device reputation, and behavioural signals can be persuasive without being sufficient. A guarantee may protect the balance sheet, but it does not prove the merchant’s controls were proportionate, documented, or consistently applied. That is where governance should connect commercial terms to identity and access hygiene, as discussed in Ultimate Guide to NHIs and in the control emphasis of NIST.

These controls tend to break down when responsibility is split across payments, risk, and engineering teams because no single owner can defend the decision trail end to end.

Common Variations and Edge Cases

Tighter fraud controls often increase review friction, so organisations have to balance approval speed against dispute defensibility. That tradeoff becomes sharper when the guarantee only applies if specific procedures are followed, because the merchant can lose coverage even while believing the vendor “owns” the fraud outcome.

There is no universal standard for this yet. Current guidance suggests treating guarantees as contract-risk transfer, not control-risk transfer. In some programs, the provider sets detection thresholds while the merchant retains responsibility for escalation and exception handling. In others, the merchant owns the final approval decision even when the provider absorbs losses. Either way, accountability should stay with the party that can explain and evidence the control choice.

Edge cases include delegated fraud models, shared decisioning, and agent-assisted review. Those arrangements can blur responsibility unless the contract, policy, and audit trail all say the same thing. If the review threshold is changed without updating the escalation rule, or if approvals are accepted without retained evidence, the guarantee may cover the monetary loss while leaving the merchant exposed to compliance, customer trust, or repeat-attack risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.OV-01Governance requires clear ownership for fraud-control decisions and residual risk.
NIST SP 800-63Identity assurance informs how much trust a merchant can place in a transaction signal.
OWASP Non-Human Identity Top 10NHI-01Compromised non-human identities can undermine fraud controls and approval integrity.
NIST AI RMFGOVERNAI-assisted fraud decisions still need accountable governance and human oversight.

Define accountability, oversight, and escalation for any AI-supported fraud approval flow.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org