Subscribe to the Non-Human & AI Identity Journal
Home FAQ Threats, Abuse & Incident Response Who is accountable when cybercrime evidence is shared…
Threats, Abuse & Incident Response

Who is accountable when cybercrime evidence is shared across borders?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 14, 2026 Domain: Threats, Abuse & Incident Response

Accountability should sit with the organisation that holds the data, even when another state requests it. Security, legal, and privacy functions need a joint decision model that covers necessity, proportionality, and retention. If identity records or NHI logs are involved, the approval path should be explicit and auditable.

Why This Matters for Security Teams

Cross-border sharing of cybercrime evidence is not just a legal handoff. It is a control decision that can expose identity records, investigative logs, and secrets if the receiving authority or intermediary is not governed properly. The accountable organisation is usually the data holder, because it controls collection, minimisation, retention, and disclosure. That matters even more when evidence contains service account traces or other NHI artefacts, where misuse can turn an investigation trail into an access path.

Current guidance suggests that security, legal, and privacy teams should treat evidence sharing as a documented approval workflow, not an informal request-response exchange. That workflow should define necessity, proportionality, chain of custody, and deletion triggers. This is especially important because NHI environments often have poor visibility and weak lifecycle hygiene; NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs. In practice, many security teams only discover the evidentiary risk after logs, tokens, or account metadata have already been shared.

How It Works in Practice

Accountability starts with the organisation that collected the evidence, because that organisation is best placed to verify what is being shared, why it is necessary, and whether any personal data or NHI data needs masking. The legal basis may come from domestic law, a treaty request, mutual legal assistance, or a regulator inquiry, but the internal control obligation does not disappear. Teams should separate three questions: who requested the data, who approved the disclosure, and who remains responsible for safeguarding retained copies.

A workable process usually includes:

  • Data classification before release, including whether logs contain credentials, API keys, certificates, or service account identifiers.
  • Minimum necessary disclosure, with redaction of fields that are not needed to support the investigation.
  • Named approvers from security, legal, and privacy, with a documented reason for the transfer.
  • Retention limits and deletion verification for both the sender and the recipient, where the agreement allows it.
  • Chain-of-custody records that show what changed, who touched it, and when it was transmitted.

This is where NHI-specific hygiene becomes critical. The 52 NHI Breaches Analysis shows how identity artefacts and secrets can amplify downstream damage when governance is weak. The operational lesson aligns with NIST SP 800-53 Rev 5 Security and Privacy Controls, which expects controlled dissemination, auditability, and retention management. These controls tend to break down when evidence is exported through ad hoc legal channels without a technical review, because logs, packet captures, and identity records often contain more sensitive material than the request initially states.

Common Variations and Edge Cases

Tighter disclosure controls often increase response time, requiring organisations to balance investigative urgency against privacy, sovereignty, and chain-of-custody risk. That tradeoff is real in multi-jurisdiction cases, where the requesting authority may expect rapid delivery while the data holder must still validate scope and lawful basis.

There is no universal standard for this yet. Best practice is evolving, especially when evidence must be shared with multiple foreign authorities or private-sector responders in parallel. In those cases, the accountable organisation should maintain a decision log that records which items were shared, under what authority, and whether the package included NHI logs or secrets-related telemetry. If the evidence is linked to active compromise indicators, guidance from CISA cyber threat advisories supports rapid coordination, but not at the expense of uncontrolled disclosure.

Edge cases include third-party processors, cloud providers, and joint investigations where the evidentiary chain spans several controllers. In those situations, the accountable party should still be the entity that can enforce retention and minimisation. If the record set includes compromised NHI activity, refer to Top 10 NHI Issues for the governance patterns that reduce overexposure. Where authorities disagree on deletion or onward transfer, organisations should treat the safest documented position as the default until counsel resolves the conflict.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.OV-01Governance oversight is central to accountable cross-border evidence sharing.
NIST AI RMFAI RMF applies when automated systems help classify or route evidence across borders.
OWASP Non-Human Identity Top 10NHI-03Shared logs can expose non-human identities and credentials if retention is unmanaged.
CSA MAESTROMAESTRO covers governance for distributed, multi-party agent and data flows.

Use AI RMF GOVERN and MAP practices to define accountability, scope, and review for automated evidence handling.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org