The application owner is accountable because tenant switching is an authorisation decision, not a user preference. Security, IAM, and engineering teams should define who owns token scoping, who owns query enforcement, and who signs off on tenant-specific timeout and revocation policy.
Why This Matters for Security Teams
A tenant switch that reveals the wrong workspace is not a harmless UI defect. It is an authorisation failure that can expose sensitive records, cross-customer metadata, and privileged actions to the wrong tenant. In NHI programs, that usually means the token, session, or query layer is carrying more trust than the business intended. Current guidance from the Ultimate Guide to NHIs — Why NHI Security Matters Now is clear that weak visibility and excessive privilege are still widespread, and that problem becomes acute when identity context changes at runtime. The practical question is not who clicked the switch, but who owns the policy that decides what the switch can reveal, which is why accountability sits with the application owner, with IAM and security defining the guardrails. The same pattern shows up in autonomous systems: Anthropic’s first AI-orchestrated cyber espionage campaign report shows how quickly tool-enabled actors can move once identity boundaries are weak. In practice, many security teams only discover the blast radius after a cross-tenant exposure has already occurred, rather than through intentional authorisation testing.
How It Works in Practice
The accountability model should be split by control plane, not by organisational convenience. The application owner owns the business decision: what a tenant switch is allowed to do, what data can be shown, and what must be rechecked on every context change. IAM owns token scope, session binding, and revocation mechanics. Engineering owns enforcement in the query layer, API gateway, and service-to-service calls. Security validates that the control design matches the risk, especially where The 52 NHI breaches Report shows identity mistakes turning into operational incidents. For AI agents and other autonomous workloads, the same issue becomes more severe because the identity is not static. Best practice is evolving toward intent-based or context-aware authorisation, where a request is evaluated at runtime against the agent’s purpose, current tenant, tool target, and data sensitivity. That means:
- issue JIT credentials that expire at task completion, not at the end of a shift;
- bind workload identity to the agent or service, so a token proves what is acting, not just who logged in;
- re-evaluate policy on each tenant change, query, or tool call;
- revoke session state immediately if the agent crosses tenant boundaries.
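The controls in the list above can be sketched in Python as follows. This is an added example, not code from the original article: it treats a tenant switch as a fresh authorisation event, binds each short-lived token to one tenant, and revokes the session when a query crosses the tenant boundary. The in-memory stores, the 300-second lifetime, and all function and tenant names are assumptions made for illustration.

```python
import secrets
import time

# Constructed sample data: which principal may act in which tenant.
ENTITLEMENTS = {"agent-7": {"acme": {"read"}, "globex": {"read", "write"}}}
RECORDS = [{"tenant": "acme", "id": 1}, {"tenant": "globex", "id": 2}]
SESSIONS = {}    # token -> {"sub", "tenant", "scopes", "exp"}
TOKEN_TTL = 300  # seconds; assumed short lifetime for the example

class AccessDenied(Exception):
    pass

def issue_token(sub, tenant, now=None):
    """Mint a token bound to exactly one tenant, re-fetching entitlements."""
    now = time.time() if now is None else now
    scopes = ENTITLEMENTS.get(sub, {}).get(tenant)
    if not scopes:
        raise AccessDenied(f"{sub} has no entitlement in {tenant}")
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"sub": sub, "tenant": tenant,
                       "scopes": set(scopes), "exp": now + TOKEN_TTL}
    return token

def validate(token, now=None):
    """Reject unknown or expired tokens and drop their session state."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None or session["exp"] <= now:
        SESSIONS.pop(token, None)
        raise AccessDenied("invalid or expired session")
    return session

def switch_tenant(old_token, new_tenant, now=None):
    """Tenant switch: validate, revoke the old context, then re-authorise."""
    session = validate(old_token, now)
    SESSIONS.pop(old_token, None)  # old token is revoked even if re-issue fails
    return issue_token(session["sub"], new_tenant, now)

def query_records(token, requested_tenant, now=None):
    """Query layer: the tenant filter comes from the token, not the request."""
    session = validate(token, now)
    if requested_tenant != session["tenant"]:
        SESSIONS.pop(token, None)  # crossing the boundary revokes the session
        raise AccessDenied("tenant mismatch; session revoked")
    if "read" not in session["scopes"]:
        raise AccessDenied("missing read scope")
    return [r for r in RECORDS if r["tenant"] == session["tenant"]]
```

In a real deployment the revocation list and entitlement lookup would live in the IAM service rather than process memory, which is the ownership split the section describes.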
Common Variations and Edge Cases
Tighter tenant controls often increase friction, requiring organisations to balance user experience against the cost of stronger containment. That tradeoff is real, especially in B2B SaaS, partner portals, and agentic workflows where users legitimately move between tenants during a single session. There is no universal standard for this yet, but current guidance suggests the safer path is to treat every tenant change as a fresh authorisation event, not a display preference. That means session re-validation, claim re-checking, and often an explicit re-fetch of tenant-scoped entitlements. Edge cases include impersonation features, admin consoles, support tooling, and multi-agent orchestration. In these environments, role-based access alone often fails because the access pattern is dynamic and goal-driven. The better pattern is short-lived secrets, per-request policy evaluation, and clear separation between the tenant selector and the data plane. NHI governance literature from 52 NHI Breaches Analysis reinforces that identity incidents usually spread where privilege and visibility are both weak. For agentic systems, OWASP-AGENTIC, CSA-MAESTRO, and NIST-AIRMF all point in the same direction: define ownership before release, and make the application owner accountable for tenant isolation even when the failure is triggered by IAM or session logic. In practice, the failure usually appears first as a harmless workspace mismatch and only later as cross-tenant data exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Tenant switching exposes scope and revocation weaknesses. |
| OWASP Agentic AI Top 10 | | Autonomous agents need runtime authorisation, not static roles. |
| NIST AI RMF | | AI governance requires clear accountability for dynamic behaviour. |
Assign ownership for agent decisions, then monitor and review cross-tenant actions continuously.
Reviewed and updated by the NHIMG editorial team on June 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org