Governance, Ownership & Risk

Who is accountable when a JWT token replay attack succeeds across services?

By NHI Mgmt Group Editorial Team Updated June 6, 2026 Domain: Governance, Ownership & Risk

Accountability usually sits with the service owner that accepted the token without validating audience, plus the platform team that allowed inconsistent JWT policies across APIs. In regulated environments, this also becomes a governance issue because a missing recipient check is a preventable trust-control failure, not an unavoidable user action.

Why This Matters for Security Teams

When a JWT replay succeeds across services, the failure is usually not the token itself but the trust boundary around it. A token that is validly signed can still be abused if the recipient service does not enforce audience, issuer, nonce, expiry, or context checks. That means accountability extends beyond the immediate incident responder to the service owner, the platform team, and the governance function that allowed divergent JWT validation rules. This is the same pattern seen in broader NHI incidents documented in The 52 NHI breaches Report, where weak lifecycle controls turn a single credential into a cross-system blast radius.

Security teams often miss that replay is a systems failure, not just an authentication bug. In regulated environments, the accountability question matters because it determines whether the issue is handled as a patchable defect, a control deficiency, or a reportable governance lapse. Current guidance aligns with zero trust thinking, which treats every service hop as a fresh decision point rather than a one-time trust grant. In practice, many security teams encounter this only after the token has already been reused across multiple APIs and audit logs show inconsistent validation behaviour.

How It Works in Practice

Proper accountability starts with assigning ownership for the full token path: issuance, transport, validation, and revocation. The service owner is accountable for rejecting any JWT that does not match the expected audience, scope, expiry, and signing authority. The platform team is accountable for standardising validation libraries, policy baselines, and observability so that one API does not accept what another rejects. Governance is accountable for making those expectations mandatory through control design, review, and exception handling.

Operationally, the controls should look like this:

  • Validate aud, iss, exp, and signing keys on every request, not just at login.
  • Use short-lived tokens and rotate keys under a defined policy, then test revocation paths.
  • Bind tokens to the intended workload or channel where possible, especially for high-value APIs.
  • Instrument services so replay attempts are visible before they become lateral movement.
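As an added illustration of the recipient-side checks listed above (example code written for this page, not from the NHI Mgmt Group or any particular JWT library): a stdlib-only HS256 verifier that pins the algorithm, checks the signature, iss, aud and exp, and then treats jti as single-use so a token accepted once is refused on replay. The key, issuer URL and audience name are constructed values.

```python
import base64, hashlib, hmac, json, time
# Constructed demo key and policy for a constructed issuer and audience; not real values.
SECRET = b"constructed-demo-key"
POLICY = {"iss": "https://issuer.example", "aud": "orders-api"}
def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims):
    """Issue an HS256 JWT for the constructed issuer (test helper, not a real issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

class ReplayAwareVerifier:
    """Recipient-side checks: alg pin, signature, iss, aud, exp, then single-use jti."""
    def __init__(self, key, policy):
        self.key, self.policy, self.seen_jti = key, policy, {}
    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            h, b, s = token.split(".")
            header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(b))
            sig = _b64url_decode(s)
        except ValueError:  # bad segment count, bad base64, bad JSON or non-UTF-8 payload
            return False, "malformed"
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # never trust header alg
            return False, "alg_not_allowed"
        expected = hmac.new(self.key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad_signature"
        if claims.get("iss") != self.policy["iss"]:
            return False, "wrong_issuer"
        aud = claims.get("aud")
        if self.policy["aud"] not in (aud if isinstance(aud, list) else [aud]):
            return False, "wrong_audience"  # the recipient check the text says is usually missing
        if "exp" not in claims or now >= claims["exp"]:
            return False, "expired"
        jti = claims.get("jti")
        if not jti:
            return False, "missing_jti"
        # Forget ids whose token has expired, then refuse any id already accepted once.
        self.seen_jti = {k: v for k, v in self.seen_jti.items() if v > now}
        if jti in self.seen_jti:
            return False, "replayed"
        self.seen_jti[jti] = claims["exp"]
        return True, "ok"
```

Every rejected outcome carries a reason string so the decision can be logged, which is what makes replay attempts visible across services rather than silently accepted by the most permissive one.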

This is where OWASP NHI Top 10 is useful, because it frames identity failures as architectural issues rather than isolated coding mistakes. For implementation detail, CISA cyber threat advisories repeatedly emphasise reducing trust assumptions and tightening authentication pathways. The scale of exposure also matters: The 2025 State of NHIs and Secrets in Cybersecurity found that 44% of NHI tokens are exposed in the wild, which shows how often weak handling turns a bearer credential into a reusable asset.

These controls tend to break down in microservice estates with inconsistent gateway policies, because one permissive service can silently become the replay destination for every other API.

Common Variations and Edge Cases

Tighter JWT controls often increase operational overhead, so organisations have to balance replay resistance against service agility and integration cost. That tradeoff is real, especially in legacy environments where not every API can enforce the same claims, key sets, or token exchange pattern. Current guidance suggests that exceptions should be temporary and risk-owned, not treated as a permanent architecture.

There is also no universal standard for every cross-service replay scenario yet. Some teams use token binding, some rely on mTLS plus audience pinning, and others adopt workload identity to reduce reliance on bearer tokens altogether. For autonomous or machine-driven workflows, the bar is higher because a compromised token may be used by a system that can chain tools and move faster than human review cycles. The Anthropic — first AI-orchestrated cyber espionage campaign report is a reminder that automated behaviour can amplify the impact of a single credential failure. For identity governance, Top 10 NHI Issues highlights why lifecycle consistency matters as much as initial issuance.

In edge cases involving third-party APIs, shared tokens, or gateway transformations, accountability may be jointly assigned, but the owning service still carries the obligation to prove it enforced the right recipient checks. Best practice is evolving toward explicit policy ownership, with MITRE ATLAS adversarial AI threat matrix and zero trust principles reinforcing the same lesson: if a token can be replayed, the control failed somewhere before the attack did.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Covers token misuse and missing validation across NHI flows.
NIST CSF 2.0 | PR.AC-3 | Directly relates to authenticated access and access enforcement at services.
NIST Zero Trust (SP 800-207) | | Zero trust requires continuous verification at each hop, not one-time trust.

Standardise service-side auth checks and log every denied or accepted token decision.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 6, 2026.