Accountability is shared, but it is not diffuse. The vendor is accountable for its own security failures, while the customer remains responsible for the trust it extends, the data it exposes, and the controls it enforces around third-party access. Frameworks such as the NIST Cybersecurity Framework 2.0 support that shared-responsibility view.
Why This Matters for Security Teams
Supplier breaches are rarely cleanly bounded events. Once a vendor is compromised, downstream customers have to decide whether the issue is an external incident, an access-control failure, or a trust failure in their own control plane. That matters because customer impact often depends less on the supplier’s breach volume than on what access, data, and privileges were delegated in the first place. NHI risk becomes especially visible here, since machine credentials and service accounts can move laterally faster than human responders can contain them.
NHIMG research shows this is not a theoretical concern: in the 2024 ESG Report: Managing Non-Human Identities, 72% of organisations said they have experienced or suspect a breach of non-human identities. Once a supplier credential, token, or API key is exposed, downstream exposure can begin in minutes, not days, as shown in the LLMjacking research on rapid AWS credential abuse. In practice, many security teams discover the accountability gap only after customer data has already crossed the supplier boundary, rather than through intentional third-party testing or contract review.
How It Works in Practice
Accountability should be treated as layered rather than shared in the abstract. The supplier is accountable for securing its environment, hardening its NHIs, and preventing unsafe exposure of customer-connected assets. The downstream customer remains accountable for vendor selection, access scoping, monitoring, and the controls that govern what the supplier can reach once trust is extended. That distinction is consistent with the shared-responsibility model in NIST Cybersecurity Framework 2.0, which expects organisations to manage third-party risk instead of outsourcing it.
Operationally, strong programmes separate the question of fault from the question of control. A practical response usually includes:
- contractual security obligations, audit rights, and breach-notification timelines
- vendor access minimisation through least privilege and just-in-time access
- explicit inventory of supplier-issued secrets, tokens, certificates, and service accounts
- continuous monitoring of third-party access paths and anomalous behaviour
- revocation procedures that can disable supplier access quickly when trust changes
For breach analysis, teams should ask whether the supplier had standing access, whether customer-side segmentation limited blast radius, and whether credentials were rotated fast enough to matter. The 52 NHI Breaches Report is useful here because it reinforces a recurring pattern: compromised machine identities often become the bridge from one organisation’s failure into another’s environment. Guidance from the CISA supply chain risk management materials also points to the same operational reality, namely that supplier risk must be continuously governed, not only reviewed at procurement time. These controls tend to break down when suppliers integrate through long-lived API keys and broad service-account permissions because revocation and attribution become too slow to contain the blast radius.
Common Variations and Edge Cases
Tighter supplier control often increases procurement friction, integration effort, and incident-response overhead, requiring organisations to balance resilience against speed of delivery. That tradeoff is most visible in high-trust partnerships, managed service providers, and embedded SaaS integrations where business teams want broad access but security teams need narrow, auditable delegation.
There is no universal standard for liability allocation across every jurisdiction or contract model, so current guidance suggests separating legal responsibility from operational accountability. A supplier may be contractually liable for a control failure, while the customer still owns the decision to expose data or accept the risk. This becomes more complex when subcontractors, resellers, or cloud marketplaces are involved, because the real access path may sit several layers away from the named vendor.
Practitioners should also watch for exceptions where the supplier is merely hosting customer-managed credentials versus issuing its own. If the customer owns the secret, the customer may also own the weak point. If the supplier issues and stores the credential, supplier governance becomes central. The most effective control language is explicit about ownership, rotation, revocation, and notification timing, rather than assuming “shared responsibility” resolves the question. Current best practice is evolving, but the customer is rarely absolved just because the breach originated upstream.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.SC-2 | Third-party risk governance maps directly to supplier breach accountability. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Supplier-issued secrets and token handling are central to breach propagation. |
| NIST AI RMF | Governance and accountability apply when suppliers support AI-enabled services. |
Map vendors, rate their access paths, and require controls before permitting downstream connections.
Related resources from NHI Mgmt Group
- Why does a breach of an integration platform create downstream risk for customers?
- Who is accountable when a vendor breach exposes downstream client data?
- Who is accountable when a browser extension is repurposed for content injection?
- Who is accountable when SOX remediation keeps recurring every quarter?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
