Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when authentication satisfies policy but…
Governance, Ownership & Risk

Who is accountable when authentication satisfies policy but proxy betting still occurs?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 12, 2026 Domain: Governance, Ownership & Risk

Accountability usually sits with the operator’s identity, fraud, and compliance owners together, because the failure is in the control design, not just the user journey. The programme has to prove that authentication, session integrity, and jurisdiction checks work as one control chain.

Why This Matters for Security Teams

When authentication satisfies policy but proxy betting still occurs, the problem is not whether the login passed. The problem is that the control chain failed after login. Identity, fraud, compliance, and platform teams may each see a clean signal in their own layer, yet the combined workflow still allows account abuse, jurisdiction hopping, or proxy activity. That makes accountability a governance issue, not a single-team defect.

This is exactly the kind of gap NHI Management Group highlights in its Top 10 NHI Issues and in the Regulatory and Audit Perspectives guidance: a control that looks sound in isolation can still fail at the point where identity, session, and policy enforcement intersect. Standards bodies frame this as continuous risk management rather than one-time authentication. The NIST Cybersecurity Framework 2.0 also pushes ownership toward coordinated governance across protect, detect, and respond functions.

In practice, many security teams encounter proxy betting only after fraud losses, chargebacks, or regulator questions have already exposed the gap.

How It Works in Practice

Accountability should be assigned to the operator’s control owners collectively, but the evidence must be specific: who owns authentication policy, who owns session integrity, who owns geolocation or jurisdiction checks, and who owns the fraud decisioning layer. A passed authentication step does not prove the session is trustworthy. It only proves the initial identity proofing or credential check met the rule at that moment.

Good practice is to treat proxy betting as a control-chain failure. That means moving beyond static approval logic and into continuous verification. Session binding, device reputation, IP intelligence, velocity checks, and anomaly detection should be evaluated together. The NIST SP 800-53 Rev 5 Security and Privacy Controls supports this kind of layered control design, while the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful for understanding why identity lifecycle and access context must stay visible after the initial login.

  • Assign one named owner for authN, one for session control, and one for fraud/compliance decisioning.
  • Log the full control path, not just the successful login event.
  • Use step-up verification when location, device, or behaviour changes materially.
  • Re-evaluate policy during the session, especially where jurisdiction rules apply.
  • Escalate to manual review when signals conflict instead of assuming authentication is sufficient.

Where this guidance breaks down is in high-volume consumer platforms with weak device signals and shared networks, because proxy use can look indistinguishable from normal travel or NAT-based traffic.

Common Variations and Edge Cases

Tighter session and fraud controls often increase friction and operational overhead, so organisations must balance abuse prevention against conversion loss and support burden. There is no universal standard for proxy betting detection yet; current guidance suggests combining identity, behavioural, and jurisdictional signals rather than relying on a single blocker.

One common edge case is delegated or shared access, where a legitimate account is used by multiple people in a household or business setting. Another is mobile carrier routing, where geolocation may be unreliable even when the user is legitimate. In both cases, the question is not whether authentication succeeded, but whether the organisation can prove the session remained within policy after authentication. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives reinforces that auditors care about control evidence, not assumptions, and the ISO/IEC 27001:2022 Information Security Management lens is helpful when mapping ownership and exceptions.

When investigations show that an authenticated session later used a VPN, proxy, or remote control tool to mask location, the accountability usually shifts from the end user to whoever failed to enforce session-level policy. That distinction matters because the control owner must prove not just that authentication occurred, but that misuse triggers were detected and acted on quickly.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity and access enforcement must extend beyond login to session control.
NIST SP 800-63Digital identity assurance ends at authentication; session risk still needs governance.
OWASP Non-Human Identity Top 10NHI-07Excess privilege and weak lifecycle control can enable post-authentication abuse.
OWASP Agentic AI Top 10AGENT-05Dynamic, context-aware authorization is needed when behaviour changes after initial trust.
NIST AI RMFGovernance and accountability are central when controls fail across multiple decision layers.

Review identity lifecycle and privilege boundaries so authenticated sessions cannot drift into misuse.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org