
Who is accountable when a shared device is lost or left signed in?

By NHI Mgmt Group Editorial Team Updated June 25, 2026 Domain: Governance, Ownership & Risk

Accountability should sit with the operational owner of the shared fleet, the identity team that governs access, and the clinical manager responsible for shift usage. The control question is whether the organisation can identify the last authenticated user and enforce return and wipe procedures.

Why This Matters for Security Teams

Shared devices create an accountability problem that is both operational and security-critical: the same terminal, tablet, or workstation may be used by multiple staff members across a shift, but the risk lands on the organisation when a device is lost, stolen, or left signed in. The real question is whether access can be traced to the last authenticated user, whether sessions can be terminated quickly, and whether wipe or return procedures are actually enforced. The NIST Cybersecurity Framework 2.0 emphasises governance, access control, and recovery, which is why shared-device accountability cannot be treated as a purely local IT issue.

For NHI-heavy environments, the same weakness appears when shared endpoints hold tokens, certificates, or cached sessions tied to non-human identities. The Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which is a useful warning sign for any team assuming it can always reconstruct who had access and when. In practice, many security teams encounter disputed ownership only after a device is missing or a session has already been abused, rather than through intentional operational handoff.

How It Works in Practice

Accountability should be assigned in layers. The operational owner of the shared fleet is responsible for the device estate, the identity team governs sign-in controls and session revocation, and the business or clinical manager owns shift-level usage discipline. That division matters because the control failure is usually not one event but a chain: a user signs in, forgets to log out, the device stays unlocked or retains a valid token, and the next person or an attacker inherits that access.

Practically, strong shared-device governance depends on three things: traceability, rapid revocation, and enforceable process. Traceability means each session is tied to an identifiable user, not a generic kiosk account used by everyone. Rapid revocation means the organisation can disable a session, token, or device binding as soon as the loss is reported. Enforceable process means return, lock, and wipe steps are built into shift change, not left to memory.

  • Use named-user sign-in where possible, even on shared devices, so the last authenticated user is auditable.
  • Prefer short-lived sessions and automatic timeout rather than long-lived logins that survive across shifts.
  • Require remote wipe, token revocation, or device lock as part of the incident response runbook.
  • Log device custody events so ownership can be reconstructed after a loss or handoff failure.
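The custody reconstruction the bullets describe, as an added example that is not part of the original guidance: it replays constructed sign-in and custody events for two shared devices, identifies the last authenticated user at the moment loss was reported, checks whether the session they left behind was still usable under a given automatic-timeout policy, flags a generic kiosk login as untraceable, and measures the window between the loss report and revocation. The device names, account names and the 30-minute timeout are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed custody and sign-in events for two shared devices (sample data,
# not from any real system). Fields: timestamp, device, event, actor.
EVENTS = [
    ("2026-06-25T06:58:00", "WARD-TAB-07", "SIGN_IN", "nurse.alice"),
    ("2026-06-25T07:40:00", "WARD-TAB-07", "SIGN_OUT", "nurse.alice"),
    ("2026-06-25T07:42:00", "WARD-TAB-07", "SIGN_IN", "nurse.bob"),
    ("2026-06-25T09:15:00", "WARD-TAB-07", "LOSS_REPORTED", "shift.lead"),
    ("2026-06-25T09:47:00", "WARD-TAB-07", "REVOKED", "identity.team"),
    ("2026-06-25T08:05:00", "ED-KIOSK-02", "SIGN_IN", "kiosk.shared"),
    ("2026-06-25T10:30:00", "ED-KIOSK-02", "LOSS_REPORTED", "charge.nurse"),
]
GENERIC_ACCOUNTS = {"kiosk.shared"}        # assumed name of the generic kiosk login
SHIFT_TIMEOUT = timedelta(minutes=30)      # assumed automatic-timeout policy


def assess(events, device, session_ttl):
    """Reconstruct who held a device when its loss was reported and whether
    the session they left behind was still usable.

    session_ttl is the automatic-timeout policy (a timedelta); None models a
    long-lived login that never expires on its own.
    """
    evs = sorted((datetime.fromisoformat(t), e, a)
                 for t, d, e, a in events if d == device)
    loss = next((t for t, e, _ in evs if e == "LOSS_REPORTED"), None)
    if loss is None:
        raise ValueError(f"no LOSS_REPORTED event for {device}")
    revoked = next((t for t, e, _ in evs if e == "REVOKED" and t >= loss), None)
    last_user, signed_in_at, active = None, None, False
    for t, e, actor in evs:
        if t >= loss:
            break
        if e == "SIGN_IN":
            last_user, signed_in_at, active = actor, t, True
        elif e == "SIGN_OUT":
            active = False
    # A forgotten session is only still usable if the timeout has not fired.
    if active and session_ttl is not None and loss - signed_in_at > session_ttl:
        active = False
    return {
        "last_user": last_user,
        # A generic kiosk account satisfies sign-in but not accountability.
        "traceable": last_user is not None and last_user not in GENERIC_ACCOUNTS,
        "signed_in_at_loss": active,
        # Minutes between the loss report and revocation; None = never revoked.
        "exposure_minutes": None if revoked is None
        else (revoked - loss).total_seconds() / 60,
    }
```

Running `assess` on the tablet with `SHIFT_TIMEOUT` versus `None` shows the difference a timeout policy makes: the same forgotten login is expired in one case and still live at the moment of loss in the other.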

From an identity perspective, the same discipline should apply to NHI sessions and cached secrets. If a shared workstation can access API keys, certificates, or admin portals, then loss of that endpoint becomes an identity compromise event as much as a hardware event. Guidance from NHI Mgmt Group is clear that visibility and revocation are foundational, while the NIST Cybersecurity Framework 2.0 reinforces that recovery and response must be planned before the device disappears. These controls tend to break down in fast-paced environments with rotating shifts and shared accounts because users often inherit a prior session faster than support teams can close it.

Common Variations and Edge Cases

Tighter shared-device control often increases workflow friction, so organisations have to balance auditability against throughput, especially in clinical, retail, manufacturing, or field-service settings. The operational tradeoff is that stronger identity binding can slow down handoffs unless the device experience is designed for quick re-authentication and clean session termination.

Current guidance suggests that generic shared accounts should be avoided where accountability matters, but there is no universal standard for every environment. Kiosk-style devices, break-glass access, and emergency care workflows may require exceptions, provided those exceptions are tightly logged and reviewed. The key is to distinguish convenience from accountability: a shared login may be tolerated for speed, but it should never remove the ability to identify who was last responsible for the device.

One useful benchmark from the Ultimate Guide to NHIs is that 80% of identity breaches involve compromised non-human identities, which matters when shared devices are used to access administrative tools or secrets. In those cases, the lost device is not merely an endpoint issue; it may expose service accounts, tokens, or privileged sessions. The practical exception is any environment where offline operation is required, because delayed revocation and delayed wipe can leave a window where accountability exists on paper but not in control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-1 | Shared-device sign-in and session traceability are access control concerns. |
| NIST CSF 2.0 | RS.MI-3 | Lost or left-signed-in devices require rapid containment and wipe actions. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Cached secrets and shared sessions on devices expand NHI exposure. |

Bind each shared-device session to a named user and revoke access immediately on loss or misuse.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 25, 2026.