Accountability usually spans the tax authority, the filing platform, and the organisation processing the data, because the failure can sit in identity proofing, email authentication, portal validation, or user guidance. The practical question is which trust control failed first and which team owns remediation before the next filing cycle.
Why This Matters for Security Teams
Fraudulent tax submissions are not just a finance problem. They are an identity and control problem that can expose weak points in authentication, approval workflows, filing integrations, and user guidance. When a submission succeeds, the accountable parties are usually the organisation operating the process, the platform that accepted it, and the authority that validated it. That makes the first failure point crucial to identify.
For teams managing credentials, the same pattern appears in NHI incidents: a single trusted identity can be abused long before anyone notices. NHI Mgmt Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which helps explain how small control gaps become large downstream failures. NIST also emphasises accountable control ownership in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where validation, logging, and access governance intersect.
In practice, many security teams discover the accountability issue only after a fraudulent filing has already been accepted, rather than through intentional control testing before the filing cycle.
How It Works in Practice
Accountability follows the control boundary, not just the business outcome. If a submission was filed using stolen credentials, the organisation that issued, protected, or failed to revoke those credentials owns part of the remediation. If the tax portal accepted a weakly validated filing, the platform owner must explain what assurance was missing. If an intermediary or payroll provider prepared the submission, its review and authentication controls are also in scope.
In a practical investigation, teams usually trace the failure across four questions:
- Was the filer identity strongly verified at login and at submission?
- Were email or account recovery paths abused to reset access?
- Did the portal validate the submission beyond basic form checks?
- Did the organisation have logging, alerting, and escalation for unusual filing activity?
That is why control frameworks matter. The NHI Mgmt Group’s Ultimate Guide to NHIs highlights how long-lived access and excessive privilege accelerate abuse, while NIST SP 800-53 Rev 5 Security and Privacy Controls supports the need for auditable access review, event logging, and incident response ownership. The practical control owner should be able to show who approved access, what evidence supported the filing, and how anomalies were detected.
Where organisations get this wrong is treating tax filing as a one-time business transaction rather than a controlled identity event. These controls tend to break down when third-party payroll processors, shared service accounts, or delegated filing portals are involved because ownership, evidence, and revocation duties become fragmented.
Common Variations and Edge Cases
Tighter filing controls often increase operational overhead, requiring organisations to balance assurance against speed, seasonal workload, and delegated administration. That tradeoff is especially visible in year-end tax processing, where many teams rely on shared access, temporary vendors, or emergency overrides.
There is no universal standard for assigning legal accountability across every jurisdiction. In some cases, the tax authority may bear responsibility for portal defects; in others, the filing agent or employer is accountable for the submission itself; and in regulated outsourcing models, a provider may carry contractual responsibility without absorbing the full regulatory burden. Current guidance suggests documenting these boundaries before the filing season begins, not after a dispute.
Edge cases also matter when non-human identities are used in the filing chain. For example, an RPA bot or API integration may submit returns without direct human review. In those environments, the question becomes whether the workload identity, secret rotation, and approval workflow were designed for that level of autonomy. Stronger evidence comes from policy logs, submission receipts, and revoked credentials than from after-the-fact statements of intent. One useful anchor is the NHIMG finding that 91.6% of secrets remain valid five days after notification, which shows how slow revocation can prolong exposure if filing access is compromised.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RR-01 | Clarifies who owns risk, response, and remediation after a fraudulent filing. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Relevant when filing access depends on long-lived or poorly revoked non-human credentials. |
| NIST SP 800-63 | IAL2 | Identity proofing strength affects whether a fraudulent filer can impersonate a legitimate one. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero trust helps limit lateral misuse once a filing identity is compromised. |
| NIST AI RMF | AI RMF helps govern automated filing and anomaly detection used in tax workflows. |
Require identity proofing proportionate to filing risk and verify recovery paths are resistant to abuse.
Related resources from NHI Mgmt Group
- Who is accountable when fraudulent SIM registrations slip through?
- Who is accountable when privileged access is misused in a public service environment?
- Who is accountable when outbound traffic controls are too weak to contain an intrusion?
- Who is accountable when automated compliance evidence is wrong?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org