
Who is accountable when a shared device is left signed in and data is exposed?

By NHI Mgmt Group Editorial Team | Updated June 24, 2026 | Domain: Governance, Ownership & Risk

Accountability sits with the organisation because the access model allowed an identity boundary to remain open after use. Security, IAM, and clinical operations all share responsibility for session termination, device handoff policy, and authentication design, because this is a governance failure, not just a user mistake.

Why This Matters for Security Teams

Shared devices are a governance problem because the risk is created when an authenticated session outlives the person or task that started it. In regulated environments, the exposure is not limited to the last user: cached tokens, open browser sessions, and local app sessions can turn a simple handoff failure into unauthorised access to patient records, admin consoles, or internal systems. That is why accountability cannot be treated as a single-user discipline.

NHI Management Group research shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, which illustrates how quickly a lingering identity boundary can become a breach. The same pattern appears in breach analysis and incident response lessons captured in 52 NHI Breaches Analysis and in the Ultimate Guide to NHIs — Why NHI Security Matters Now, where lingering access and weak offboarding repeatedly appear as root causes.

For security teams, the practical question is not whether a user forgot to sign out. It is whether the organisation designed session expiry, device trust, and authentication reset so that a forgotten login cannot become shared access. In practice, many teams discover this only after records have already been viewed, copied, or exported, rather than through intentional session governance.

How It Works in Practice

Accountability should be mapped across the control chain, not pushed onto the last person who touched the device. Security defines the session policy, IAM enforces authentication and reauthentication, and operations own the device handoff process. In a well-designed environment, a signed-in session is not presumed safe simply because the user is trusted. It is revalidated based on context, inactivity, step-up requirements, and whether the device is still in a controlled state.

Current guidance from Zero Trust and identity governance bodies suggests treating every session as a bounded access event. That means short-lived sessions, device lock enforcement, automatic logout, and reauthentication before high-risk actions. For web and cloud applications, session termination should invalidate server-side tokens, not just close the browser window. For clinical or frontline workflows, handoff procedures need to include clear responsibility for logout, device return, and post-use verification.

Practitioners should also distinguish between human error and control failure. If a role routinely requires shared workstations, then RBAC alone is not enough to prevent exposure. The stronger pattern is context-aware access, strong session binding, and logging that records when a session was left active, when it was used after handoff, and whether the application allowed privileged actions without fresh authentication. The issue is especially visible in hybrid environments where mobile apps, VDI, and browser-based portals each handle session state differently.
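The session controls described above, as an added example that is not code from NHI Management Group or this page: a minimal server-side session store in Python with idle and absolute lifetimes, server-side invalidation on logout (closing the browser does nothing), step-up before privileged actions, and an audit record whenever a session is used on a device after operations recorded a handoff. The timeouts, device names and the handoff event are assumed values for illustration.

```python
import secrets
from types import SimpleNamespace

# Hypothetical policy values chosen for this example; real limits come from the session policy.
IDLE_TIMEOUT = 5 * 60          # seconds of inactivity before a session is treated as abandoned
ABSOLUTE_LIFETIME = 8 * 3600   # hard cap on session age regardless of activity
STEP_UP_WINDOW = 2 * 60        # privileged actions need an authentication within this window

class SessionStore:
    """Server-side session state: the only place a session can actually be ended."""
    def __init__(self):
        self._sessions = {}      # token -> session record
        self._handed_off = {}    # device -> time operations recorded the custody change
        self.audit = []          # (time, event, user, device) records for incident review
    def login(self, user, device, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = SimpleNamespace(user=user, device=device, created=now,
                                                last_seen=now, last_auth=now, revoked=False)
        self.audit.append((now, "login", user, device))
        return token
    def logout(self, token, now):
        s = self._sessions.get(token)
        if s is not None and not s.revoked:
            s.revoked = True     # closing the browser window never reaches this line
            self.audit.append((now, "logout", s.user, s.device))
    def record_handoff(self, device, now):
        self._handed_off[device] = now   # custody changed (badge-out, shift change, device return)
        self.audit.append((now, "device_handoff", "", device))
    def reauthenticate(self, token, now):
        s = self._sessions.get(token)
        if s is not None and not s.revoked:
            s.last_auth = s.last_seen = now
            self.audit.append((now, "reauth", s.user, s.device))
    def authorize(self, token, now, privileged=False):
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return "denied"
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            self.audit.append((now, "expired", s.user, s.device))
            return "denied"
        if s.last_auth < self._handed_off.get(s.device, 0):  # session predates the handoff
            self.audit.append((now, "used_after_handoff", s.user, s.device))
            return "step_up"
        if privileged and now - s.last_auth > STEP_UP_WINDOW:
            self.audit.append((now, "step_up_required", s.user, s.device))
            return "step_up"
        s.last_seen = now
        return "allowed"
```

A "step_up" result means the application should demand fresh authentication before continuing; after `reauthenticate` the handoff flag clears because the current holder has now proven who they are.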

This is consistent with the broader NHI governance lesson documented in Ultimate Guide to NHIs — Key Research and Survey Results: identity boundaries fail when lifecycle controls are weak. It also aligns with the direction of travel in Anthropic — first AI-orchestrated cyber espionage campaign report, where autonomous misuse depends on access that remains available longer than intended. These controls tend to break down when shared devices are used across shift changes because local session state, application timeouts, and physical custody do not always move in sync.

Common Variations and Edge Cases

Tighter session controls often increase friction, requiring organisations to balance usability against the risk of accidental exposure. That tradeoff is real in wards, factories, call centres, and emergency response settings where rapid handoff is operationally necessary. Best practice is evolving, but there is no universal standard for every shared-device workflow yet.

The main edge case is a legitimately shared terminal where multiple staff members use the same device within minutes. In that scenario, the answer is not simply “log out faster,” because that can disrupt care or operations. Instead, organisations should use proximity-aware lock policies, badge reauthentication, or application-level timeouts that expire sensitive screens without forcing a full device reset every time. Where those controls are unavailable, the risk acceptance decision should be explicit and documented.

Another common exception involves third-party or contractor access on managed kiosks. Here, accountability extends to the organisation that provided the access path, even if the user credentials belong to an external party. The practical standard is to review whether the identity session could still reach confidential data after the expected work was done. If yes, the control design failed, even if the individual user also made a mistake.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework        | Control / Reference | Relevance
NIST CSF 2.0     | PR.AC-4             | Shared-device exposure is an access control and session management issue.
NIST SP 800-63   | IAL/AAL/FAL         | Session lifetime and reauthentication assurance determine whether a stale login remains trusted.
NIST AI RMF      |                     | AI RMF governance applies where access decisions and accountability must be explicit.

Raise assurance for sensitive actions with step-up authentication and bounded session lifetimes.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.