Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when an organisation leaves SMS…
Governance, Ownership & Risk

Who is accountable when an organisation leaves SMS OTP in place for high-risk accounts?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Accountability sits with the identity, fraud, and security owners who approved the control baseline. If the organisation knowingly keeps a weak second factor in a high-risk flow, auditors will treat that as a governance choice, not a technical limitation.

Why This Matters for Security Teams

Leaving SMS OTP in place for high-risk accounts is not a minor exception. It is a deliberate risk decision that affects fraud exposure, incident response, and audit defensibility. Security owners often treat SMS as “good enough” because it is familiar and easy to deploy, but current guidance consistently places stronger authentication expectations on privileged, recovery, and financially sensitive flows. NIST’s NIST Cybersecurity Framework 2.0 frames this as a governance and risk issue, not just a control-selection issue.

For NHI Management Group, the pattern is clear: organisations that retain weak factors on sensitive accounts usually also struggle with control ownership, exception tracking, and timely remediation. The problem is compounded when attackers can intercept SMS, reuse OTPs, or exploit account recovery paths. The same weak assurance logic appears across broader identity programmes documented in the Ultimate Guide to NHIs — Why NHI Security Matters Now and the Top 10 NHI Issues, where weak identity controls persist because they are embedded in legacy workflows rather than actively governed.

In practice, many security teams discover the accountability gap only after a fraud event, a privileged account takeover, or an audit finding has already forced the exception into the open.

How It Works in Practice

Accountability usually lands with the identity owner, the fraud lead, and the security leader who approved the control baseline or exception. If an organisation knowingly keeps SMS OTP for high-risk accounts, that choice should be documented as an accepted risk with an owner, an expiry date, and a review trigger. Without that, it becomes difficult to show that the control was consciously assessed rather than left in place by default. The NIST SP 800-53 Rev 5 Security and Privacy Controls is helpful here because it ties identity assurance, access control, and continuous monitoring to accountable control operation.

In operational terms, a mature review should answer four questions:

  • Which accounts are considered high-risk, and why?
  • Who approved SMS OTP as the second factor for that scope?
  • What compensating controls reduce the residual risk, such as device binding, step-up verification, or transaction monitoring?
  • When does the exception expire, and who must re-approve it?

That governance should be backed by evidence: policy exceptions, ticket history, risk acceptances, and periodic access reviews. Where the account can trigger payments, admin changes, customer data export, or recovery resets, many organisations are moving away from SMS and toward phishing-resistant methods. Current guidance suggests that authentication strength should match the sensitivity of the action, not just the account label.

This approach aligns with broader NHI thinking as well, because identity risk is best managed when ownership, lifecycle, and assurance level are explicit, as described in OWASP NHI Top 10 and the Ultimate Guide to NHIs — Key Challenges and Risks.

These controls tend to break down when SMS is still embedded in recovery flows or call-center overrides because attackers target the weakest path, not the intended one.

Common Variations and Edge Cases

Tighter authentication often increases user friction and support load, so organisations must balance fraud reduction against operational continuity. That tradeoff is real, especially for customer-facing systems, workforce environments with limited device enrollment, or regions where mobile coverage is inconsistent.

There is no universal standard for this yet, but current guidance suggests treating SMS OTP as a lower-assurance factor and avoiding it for the highest-risk actions whenever a stronger option is feasible. A common edge case is temporary migration: some teams keep SMS while enrolling users into app-based or hardware-backed factors. In that case, the exception should be time-bound and monitored, not normalised.

Another edge case is recovery. Even if primary login uses stronger methods, SMS recovery can reintroduce the same weakness at the exact point attackers target. That is why ownership must include the full identity journey, not only the sign-in page. Stronger programmes document these exceptions in the same way they track other identity debt, using control reviews, risk registers, and executive sign-off. Organisations that skip that discipline often find the issue after a takeover, rather than during design or annual review.

For teams building a more defensible baseline, NHI governance research and breach patterns in the 2024 ESG Report: Managing Non-Human Identities show how quickly weak identity choices become material when the account is already under active attack.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-1Addresses identity proofing and access assurance for high-risk accounts.
NIST SP 800-63AAL2SMS OTP is typically below phishing-resistant expectations for high-risk use.
OWASP Non-Human Identity Top 10NHI-03Highlights weak credential and factor governance across identity lifecycles.
CSA MAESTROIAM-01Applies governance to identity controls used in agentic or automated environments.
NIST AI RMFGOVERNSupports accountability for risk decisions and control exceptions.

Set assurance levels by account risk and replace weak factors where the action is sensitive.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org