Accountability sits with the teams that approve tenant access policy, because disabled Customer Lockbox can widen support access beyond the minimum necessary level. Security, IAM, and service owners should agree on who approves exceptions, who monitors support access, and who validates that privileged support pathways stay bounded.
Why This Matters for Security Teams
Leaving Customer Lockbox disabled is not just a configuration choice. It determines whether customer data access by support personnel stays inside an explicit approval path or expands into a broader support exception model. When that control is off, accountability shifts away from a technical toggle and onto the teams that own access governance, exception approval, and oversight. That is why this question matters: it exposes whether support access is treated as a controlled risk or an assumed convenience. Guidance in the NIST Cybersecurity Framework 2.0 emphasizes governance and access control as operational responsibilities, not after-the-fact reviews. NHI Management Group research also shows that privileged identity risk is often systemic, not isolated, with the Ultimate Guide to NHIs noting that 97% of NHIs carry excessive privileges. In practice, many security teams encounter support access overreach only after a customer asks for an audit trail or a post-incident review has already begun, rather than through intentional policy enforcement.How It Works in Practice
Customer Lockbox is typically part of a broader access governance model for vendor or support personnel. When it is disabled, support workflows may still function, but approvals, review points, and evidence capture become weaker unless another control compensates for that gap. The practical question is not simply who “owns” the setting. It is who can accept the risk, who can see when support access occurs, and who can prove the access stayed bounded to the minimum necessary scope. That usually requires shared accountability across security, IAM, compliance, and the service owner.- Security defines the policy baseline and decides whether exceptions are acceptable.
- IAM or platform teams implement the tenant-level control and maintain the approval workflow.
- Service owners justify business exceptions and accept residual risk when support access must remain available.
- Audit or compliance teams verify that support access is logged, reviewable, and time-bounded.
For operational depth, the governance pattern in the Ultimate Guide to NHIs is useful because it frames privileged access as a lifecycle issue, not a one-time entitlement. That aligns with the NIST Cybersecurity Framework 2.0 expectation that identity, access, and monitoring are managed continuously. In practice, teams should require named approvers, documented exception expiry, and evidence that support access is reviewed after use. These controls tend to break down when responsibility is split across multiple tenant administrators because no single owner is formally accountable for approving, monitoring, and revoking support access.
Common Variations and Edge Cases
Tighter access governance often increases operational friction, so organisations have to balance faster support resolution against stronger approval and review requirements. The right answer can vary by regulated industry, contractual obligations, and whether the tenant contains sensitive or production data. Current guidance suggests that the more sensitive the environment, the less acceptable it is to leave support pathways permanently open without documented justification. Where there is no universal standard for this yet, the safest practice is to treat disabled Customer Lockbox as an exception that must be explicitly owned, not a default that is simply tolerated.One common edge case is a shared SaaS tenancy where different business units expect different support access rules. Another is a managed service relationship where the vendor, the reseller, and the internal platform team each assume someone else owns the control. In those cases, accountability should be written into policy, ticketing, and review cadence, not left to informal practice. NHI Management Group data shows the scale of governance gaps can be large, and the Ultimate Guide to NHIs is a useful reminder that visibility and revocation discipline matter as much as initial approval. If the environment cannot produce an approver, an expiry date, and an audit trail, the control is effectively unowned.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Customer Lockbox ownership is a governance and accountability issue. |
| NIST CSF 2.0 | PR.AA-01 | Disabled lockbox widens support access, so access approval must be explicit. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Support access without lockbox can create excessive privileged access exposure. |
Review privileged support identities and remove standing access where customer approval is absent.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
