Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when access logs or policy…
Governance, Ownership & Risk

Who is accountable when access logs or policy decisions are missing during assessment?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Accountability sits with the organisation that claims the control, because the inability to reconstruct access decisions weakens audit and incident-response evidence. For CPCSC, missing logs mean missing proof that identity, access, and monitoring controls actually operated as designed.

Why This Matters for Security Teams

When access logs or policy decisions are missing, the issue is not just operational inconvenience. It means the organisation cannot prove who accessed what, when access was approved, or whether enforcement happened as designed. That weakens audit evidence, incident response, and post-incident reconstruction at the exact moment scrutiny is highest. NIST’s Cybersecurity Framework 2.0 treats visibility, governance, and traceability as core outcomes, not optional extras.

For NHI-heavy environments, missing logs are especially damaging because service accounts, API keys, and agent credentials often operate at machine speed across multiple systems. NHIMG notes that only 5.7% of organisations have full visibility into their service accounts in its Ultimate Guide to NHIs, which explains why many assessments fail on evidence quality rather than policy wording. If the control cannot be demonstrated, assessors usually treat it as not operating effectively. In practice, many security teams discover the gap only after an audit request or incident, rather than through deliberate control testing.

How It Works in Practice

Accountability sits with the organisation that claims the control, even when the missing evidence came from a logging platform, policy engine, or upstream identity service. The practical test is whether the organisation can reconstruct the decision path: authenticated identity, requested action, policy evaluation, approval or denial, and resulting access event. The OWASP Non-Human Identity Top 10 is useful here because it frames NHI failure modes around credential misuse, weak lifecycle controls, and poor observability.

For assessors, the question is usually not “did a tool exist?” but “did the control operate with enough fidelity to produce reliable evidence?” A defensible program typically includes:

  • Immutable or tamper-evident access logs for NHI and agent activity
  • Policy decision records that show allow, deny, and exception outcomes
  • Time synchronisation across identity, application, and infrastructure layers
  • Retention settings that match audit and investigation needs
  • Separation between log generation, log storage, and log review

NHIMG’s Regulatory and Audit Perspectives section emphasises that NHI governance must be demonstrable, not merely documented. That aligns with NIST SP 800-53 Rev. 5, where audit and accountability controls require evidence that events were captured and reviewed. These controls tend to break down in distributed environments where multiple cloud accounts, CI/CD pipelines, and third-party services each produce partial logs without a single trusted chain of custody.

Common Variations and Edge Cases

Tighter logging and policy tracing often increases storage, engineering, and operational overhead, so organisations need to balance evidence quality against system performance and retention cost. There is no universal standard for how much telemetry is “enough” across every environment, but current guidance suggests that the answer should be driven by risk, criticality, and the ability to investigate abuse.

Edge cases matter. If logs exist but cannot be correlated because clocks drift, account names are reused, or policy engines do not record evaluation context, the evidence may still be considered insufficient. The same applies when a managed service or external platform makes the access decision but provides only partial records. In that case, the organisation remains accountable for compensating controls, vendor oversight, and documented exceptions. NHIMG’s Top 10 NHI Issues is a practical reminder that lifecycle gaps and visibility gaps often travel together, creating the exact conditions where assessments fail.

For CPCSC-style reviews, the safest approach is to treat missing access logs as a control design and operating-effectiveness problem until proven otherwise. If reconstruction depends on human memory, ad hoc tickets, or screenshots instead of durable records, the organisation has already lost the evidence case.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RMRisk management requires evidence that controls operated and can be verified.
OWASP Non-Human Identity Top 10NHI-05Poor logging and visibility are central NHI weaknesses that undermine accountability.
NIST AI RMFGOVERNAI governance requires accountability and traceability for system decisions.

Instrument NHI systems so each credentialed action generates durable, attributable evidence.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org