The controller remains accountable for lawful processing, vendor oversight, and many breach obligations, even when the processor performs the work. Processor failures can create shared legal and operational exposure, but the controller still needs evidence that access, retention, and deletion were governed.
Why This Matters for Security Teams
Accountability does not disappear when a SaaS processor mishandles personal data. In most operating models, the controller still owns lawful processing, due diligence, and oversight, while the processor’s failure becomes an operational and contractual exposure that can quickly turn into a regulatory one. That means evidence matters: who approved access, how retention was enforced, whether deletion actually happened, and whether the vendor’s controls were monitored over time. The pattern is familiar in incidents such as the Snowflake breach and the BeyondTrust API key breach, where third-party compromise still forced the customer to answer hard questions about governance. NIST’s Cybersecurity Framework 2.0 reinforces that third-party risk belongs in the core security program, not as a side contract review.
NHI Management Group’s research shows why this is rarely a narrow legal issue: 92% of organisations expose NHIs to third parties, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. In practice, many security teams encounter processor failure only after personal data has already been accessed, retained too long, or copied into a system they did not expect.
How It Works in Practice
The practical answer starts with role separation. The controller decides the purposes and essential means of processing, so it remains accountable for vendor selection, instructions, and ongoing oversight. The processor is expected to act only on documented instructions, maintain appropriate safeguards, and notify the controller when something goes wrong. That is why the contract, security review, and operational controls need to line up. If the processor can still see data after offboarding, or if deletion requests are not enforced in practice, the controller may still be accountable even if the processor was the immediate cause.
Security teams should treat processor governance as an evidence problem, not a policy statement. Useful evidence includes:
- data processing terms that specify scope, retention, subprocessor use, and deletion obligations
- access logs showing who accessed data and when
- documented approvals for privileged or support access
- retention and deletion attestations tied to actual system records
- incident notification timelines and escalation paths
This is also where Lifecycle Processes for Managing NHIs becomes relevant. Processors frequently rely on service accounts, API keys, and other NHIs to move data, sync records, or automate support tasks. If those identities are overprivileged, long-lived, or poorly revoked, the controller inherits the operational fallout even when the processor owns the tooling. The broader research summary in Ultimate Guide to NHIs — Key Research and Survey Results shows why this is so often missed: 97% of NHIs carry excessive privileges and only 5.7% of organisations have full visibility into service accounts. These controls tend to break down when the processor chains multiple subcontractors or uses support access that is not centrally logged, because the controller cannot prove who touched the data or whether deletion actually occurred.
Common Variations and Edge Cases
Tighter processor oversight often increases procurement and monitoring overhead, so organisations need to balance speed against provable control. There is no universal standard for how far a controller must verify a processor’s internal security measures, but current guidance suggests that the higher the sensitivity of the personal data, the stronger the evidence burden should be.
Edge cases usually arise in shared responsibility models. For example, a SaaS provider may host the platform while a separate implementation partner configures integrations, or a parent company may rely on a regional subprocesser chain. In those cases, accountability can fragment operationally even if legal accountability remains with the controller. This is where processor access to NHIs matters again: support tokens, OAuth grants, and automated sync credentials can persist after the original business need ends, creating hidden processing paths. The Salesloft OAuth token breach is a strong reminder that vendor tools and integrations can become the route through which downstream data is exposed.
Practitioners should also distinguish between breach notification duty and underlying accountability. A processor may be the first party to detect the issue, but the controller often still has to assess impact, notify regulators or affected individuals where required, and document its vendor oversight. Best practice is evolving around continuous third-party assurance, but contract language alone is not enough when the real control gap is poor identity hygiene inside the processor’s environment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.SC-01 | Third-party governance is central when a processor mishandles personal data. |
| NIST AI RMF | GOVERN | Accountability for delegated processing needs explicit governance and roles. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Processor breaches often involve unmanaged service accounts and API keys. |
Assign ownership, decision rights, and review cadence for processor processing risks.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
