Subscribe to the Non-Human & AI Identity Journal
Home FAQ Threats, Abuse & Incident Response Who is accountable when a malicious script is…
Threats, Abuse & Incident Response

Who is accountable when a malicious script is executed by a user through a fake verification page?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 14, 2026 Domain: Threats, Abuse & Incident Response

Accountability is shared across security, endpoint, and user-awareness controls because the failure sits at the boundary between social engineering and local execution. Organisations must be able to show that they constrained unsafe script paths, monitored for suspicious browser-to-shell behavior, and responded by invalidating exposed credentials and sessions.

Why This Matters for Security Teams

Fake verification pages matter because they convert a social-engineering event into local code execution, which moves the incident from browser risk into endpoint control, identity exposure, and potential NHI misuse. That shift is why accountability cannot be assigned to a single team in isolation. NHI Management Group notes in the Ultimate Guide to NHIs that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage. In parallel, NIST SP 800-53 Rev 5 Security and Privacy Controls expects organisations to enforce access control, monitoring, and incident response as linked responsibilities, not separate silos.

The practical question is not just who clicked, but whether the environment allowed a script path that could launch shells, access tokens, or inherit privileged browser state. If a fake verification page triggered a malicious script, the organisation also has to prove containment: browser hardening, execution restrictions, credential revocation, and detection for follow-on activity. In practice, many security teams encounter the real accountability gap only after exposed sessions or API keys are already being abused, rather than through intentional preventive design.

How It Works in Practice

Accountability is usually distributed across three control layers. First, endpoint and browser teams reduce the chance that a script can execute beyond the browser boundary. Second, identity and NHI owners limit the blast radius if the script steals tokens, cookies, or API keys. Third, SOC and incident response teams validate whether the event was contained, and whether exposed secrets or sessions were revoked quickly enough.

  • Browser hardening should block unsafe downloads, script launchers, and suspicious child-process creation.
  • Endpoint controls should log browser-to-shell transitions, unusual PowerShell or terminal spawning, and script execution from user-writable paths.
  • Identity controls should invalidate sessions, rotate exposed secrets, and review service account usage after compromise.
  • Detection engineering should correlate phishing indicators with post-click execution, token use, and lateral movement.

This is where the NHI lens becomes important. If the fake page caused credential theft, the issue is no longer only human awareness. It is also whether long-lived secrets were available, whether privileged service accounts were overexposed, and whether the organisation had offboarding or rotation discipline. The same pattern appears in the Ultimate Guide to NHIs, which highlights how weak visibility and poor rotation create persistent exposure. Current guidance suggests treating any browser-driven script execution as a trust boundary failure, then verifying whether identity protections, logging, and revocation were strong enough to stop reuse. These controls tend to break down when endpoints are unmanaged or when scripts inherit cloud credentials cached in the browser profile.

Common Variations and Edge Cases

Tighter browser and execution controls often increase operational overhead, requiring organisations to balance user flexibility against containment and investigation depth. That tradeoff becomes more visible in environments where developers, administrators, or contractors routinely run scripts from web content, because normal work can resemble malicious post-click activity.

There is no universal standard for assigning accountability in every scenario. In a managed enterprise, the security team may be accountable for hardening and monitoring, IT for endpoint policy, and the user for bypassing warnings if they deliberately approve a risky action. In a BYOD or contractor environment, responsibility may shift because enforcement is weaker and telemetry is incomplete. The key issue is evidence: who controlled the browser path, who could revoke the credentials, and who verified that exposed access was actually invalidated.

For practitioners, the safest framing is shared accountability with clear control ownership. One team owns prevention, another owns detection, and identity owners own remediation of secrets and sessions. That model aligns with NIST SP 800-53 Rev 5 Security and Privacy Controls and the NHI lifecycle emphasis in Ultimate Guide to NHIs, especially where a single click can expose more than one identity type at once.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-06Covers secret exposure and reuse after browser-driven compromise.
OWASP Agentic AI Top 10Relevant where scripts or automation behave like autonomous tool-using agents.
CSA MAESTROApplies to runtime control of autonomous or semi-autonomous actions after initial user execution.
NIST AI RMFSupports governance, mapping, and incident accountability for AI-assisted or automated workflows.
NIST CSF 2.0PR.AC-3Access enforcement is central when malicious scripts try to use captured sessions or tokens.

Map exposed secrets to NHI-06 and revoke, rotate, and monitor them immediately after suspicious execution.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org