Accountability sits with the organisation using the tenant, not with the platform provider. Microsoft may supply identity capabilities, but the tenant owner must configure policies, manage exceptions, retain evidence, and demonstrate that the controls operate as described in the SSP and assessment boundary.
Why This Matters for Security Teams
When gcc high identity controls fail an assessment, the issue is rarely whether the cloud platform offers the feature set. The real question is whether the tenant owner can prove the control was configured, enforced, and operating inside the assessment boundary. That distinction matters because assessors evaluate evidence, exceptions, and operational consistency, not product marketing claims. NIST’s control catalog, especially NIST SP 800-53 Rev 5 Security and Privacy Controls, frames this as a shared responsibility problem with clear accountability at the system owner level.
For NHI programs, the same pattern shows up in service principals, API keys, and other non-human identities. NHIMG’s Ultimate Guide to NHIs shows how often organisations lose visibility, overgrant privileges, or fail to rotate secrets, which becomes an assessment failure when evidence cannot show control effectiveness. In practice, many security teams encounter accountability gaps only after an assessor requests proof that the tenant owner, not the platform provider, enforced the control.
How It Works in Practice
Accountability is established by control ownership, not by who operates the infrastructure. In a GCC High environment, Microsoft provides the platform boundary and native identity capabilities, but the organisation using the tenant must define the SSP, decide which settings are in scope, document exceptions, and retain artefacts that show the control operates as intended. That includes conditional access rules, privileged role assignments, MFA enforcement, break-glass procedures, and evidence of review cycles.
Operationally, assessors usually look for three things: who approved the control design, who can change it, and who can demonstrate its ongoing function. If the tenant owner delegates administration, the owner still remains accountable for oversight. This is especially important where identities are non-human. A service account or automation identity can be compliant on paper and still fail in practice if its privileges are stale, its secret is not rotated, or its logs do not prove use and revocation. NHIMG’s Top 10 NHI Issues highlights how excessive privilege and poor visibility commonly undermine assurance.
- Assign a named internal control owner for each identity requirement in the SSP.
- Map tenant settings to evidence items, not just policy statements.
- Track exceptions with expiry dates, approvals, and compensating controls.
- Retain screenshots, exports, audit logs, and review attestations in the assessment boundary.
For control validation, align identity governance to NIST SP 800-53 Rev 5 families such as AC, IA, and AU, then tie each one back to the tenant owner’s operational process. These controls tend to break down when administration is outsourced but evidence collection is not formally assigned, because no one can prove who actually enforced the control.
Common Variations and Edge Cases
Tighter identity governance often increases operational overhead, requiring organisations to balance assurance against administrative burden. That tradeoff becomes sharper in GCC High because tenant boundaries, approvals, and evidence retention are typically more formal than in commercial cloud environments. Best practice is evolving, but current guidance still treats the organisation as accountable even when managed service providers, resellers, or implementation partners help operate the tenant.
Edge cases appear when a control failure is caused by misconfiguration in a delegated administration model, an inherited default, or a change made outside the approved change process. In those cases, the tenant owner remains accountable unless the contract and evidence clearly transfer a specific operational duty and the assessor accepts that boundary. Organisations should also be careful with NHI-related controls that depend on secrets handling and rotation. NHIMG’s Ultimate Guide to NHIs for Standards is a useful reference point when mapping lifecycle controls to evidence expectations.
There is no universal standard for this yet across every audit regime, but the practical rule is consistent: if the tenant owner cannot show who owns the control, who changed it, and how it is verified, the failure belongs to the organisation. That is where assessment findings usually land, especially when identity evidence is partial or fragmented across multiple admins and tools.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Defines governance ownership, which determines who is accountable for failed tenant controls. |
| NIST SP 800-53 Rev 5 | AC-2 | Accountability hinges on account lifecycle control and documented administrative responsibility. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses mismanaged NHI credentials that often cause assessment failures. |
| OWASP Agentic AI Top 10 | A-04 | Autonomous identities need runtime control and traceability, not just static access rules. |
Assign explicit control ownership and evidence duties for each GCC High identity requirement.
Related resources from NHI Mgmt Group
- Why do SC controls in GCC High depend so heavily on identity policy?
- What breaks when personnel actions are not tied to identity lifecycle controls in GCC High?
- Who is accountable when machine identity controls fail an assessment?
- Who is accountable when shared cryptographic responsibilities are unclear in GCC High?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org