Accountability sits with the service owner, the certificate governance team, and the issuing authority under its policy rules. If the organisation cannot show who approved the identity proofing, who owns renewal, and who can revoke the certificate, the trust model is incomplete.
Why This Matters for Security Teams
Misissued or misused non-human identities are not just certificate hygiene failures. They are ownership failures that can turn a technical trust issue into an operational and legal one. For .onion services, the certificate is part of the trust boundary: if the wrong entity is vouched for, or if a valid certificate is used outside its intended scope, the organisation has to show who approved it, who monitored it, and who could revoke it. That aligns with the governance emphasis in the NIST Cybersecurity Framework 2.0, which expects clear accountability for identity-related risk.
NHI Management Group’s research shows how often this breaks down in practice: only 5.7% of organisations have full visibility into their service accounts, and 59% say machine identities are harder to audit because ownership is unclear. Those patterns matter here because a .onion certificate is only as defensible as the surrounding governance. In practice, many security teams encounter accountability gaps only after a certificate has already been misused, rather than through intentional review.
How It Works in Practice
Accountability for a .onion certificate usually spans three roles: the service owner, the certificate governance function, and the issuing authority operating under its own policy rules. The service owner is responsible for the service that the certificate represents and for ensuring the certificate is requested for a legitimate purpose. The governance team is responsible for approval workflow, renewal oversight, inventory, and revocation readiness. The issuer is responsible for validating the request against its issuance policy and for revoking or refusing issuance when policy conditions are not met.
For practitioners, the key question is not only “who caused the issue?” but “who had control at each control point?” A defensible process should record:
- Who approved identity proofing and why
- Who owns the certificate throughout its lifecycle
- Who can request renewal, reissuance, or revocation
- What evidence links the certificate to the service and its operator
- What monitoring detects misuse, drift, or unauthorised replacement
This is where machine identity governance becomes practical. The absence of an inventory, or reliance on spreadsheets, creates an audit gap that makes attribution difficult even when the technical certificate chain is intact. NHI Management Group’s Sisense breach analysis is a useful reminder that identity misuse often becomes visible only after an attacker has already used the trusted path. The better control is not post-event blame assignment; it is a documented lifecycle with ownership mapped to every issuance and revocation action. These controls tend to break down in environments where certificate issuance is outsourced but operational ownership remains internal, because no single team can prove end-to-end authority.
Common Variations and Edge Cases
Tighter certificate governance often increases operational overhead, requiring organisations to balance stronger assurance against speed and availability. That tradeoff becomes sharper for .onion services because service continuity, anonymity properties, and revocation timing can all matter at once.
Current guidance suggests a few edge cases deserve explicit handling. If a certificate is issued by a third party, the issuer remains accountable for following its policy, but the service operator still owns the risk of deploying and protecting it. If a certificate is misused by an insider or automation pipeline, accountability usually shifts toward the control owner of that pipeline, not just the security team that approved the request. If the organisation cannot prove who controlled the private key, the trust story is incomplete even if issuance was legitimate. Best practice is evolving here, but the safest pattern is to treat certificate ownership, key custody, and revocation authority as separate, documented responsibilities.
For broader NHI governance context, the Ultimate Guide to NHIs highlights how often organisations struggle with rotation, revocation, and visibility across non-human identities. That same weakness appears in .onion environments when certificate lifecycle controls are assumed rather than evidenced. The result is a trust model that looks compliant on paper but cannot assign responsibility cleanly when misuse occurs.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle ownership and revocation are central to NHI credential control. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential governance require clear access and ownership accountability. |
| NIST AI RMF | Governance and accountability are core to managing automated identity decisions and misuse risk. |
Define human accountability for automated issuance workflows and review exceptions before release.
Related resources from NHI Mgmt Group
- Who is accountable for certificate and key lifecycle failures in modern identity programmes?
- Who is accountable when certificate transparency monitoring misses a retired log?
- Who is accountable when an EV certificate no longer shows the expected trust signal in Chrome?
- Who is accountable when a federated exchange certificate no longer meets trust requirements?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
