Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when mobile access fails or…
Governance, Ownership & Risk

Who is accountable when mobile access fails or a device is lost?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Accountability should sit with the identity and access owners who define issuance, revocation, and assurance policy, not with the end user or the device itself. For human identity programmes, that means IAM, security operations, and business owners must share a documented recovery path and offboarding process.

Why This Matters for Security Teams

When mobile access fails or a device is lost, the real question is not whether the handset is missing, but which identity controls still allow access, reset, or re-enrollment. Lost device events often expose gaps in authentication recovery, session revocation, and help desk approval paths. NHI Management Group’s research on the 52 NHI Breaches Analysis shows that identity failures are often operational failures first, not purely technical ones.

For practitioners, accountability must be assigned before an incident occurs. Identity and access owners define issuance, revocation, and assurance policy, while security operations enforce rapid containment and business owners approve the recovery model. That separation matters because mobile access often spans device posture, MFA, SSO, conditional access, and downstream app sessions. The NIST SP 800-53 Rev 5 Security and Privacy Controls reinforces that access control and incident response need defined ownership, not informal escalation habits.

In practice, many security teams encounter the weakness only after a lost device, failed push approval, or delayed offboarding has already exposed a recovery gap.

How It Works in Practice

Accountability starts with a documented control chain. The identity owner sets the policy for enrollment, step-up authentication, session lifetime, and device trust. Security operations executes containment when a device is lost, stolen, or no longer trustworthy. The business owner confirms whether access should be restored, reissued, or removed based on job function and risk. This model is consistent with the access governance principles described in the OWASP Non-Human Identity Top 10, even though mobile access is usually a human identity scenario, because the same operational problem appears: access outlives the context that justified it.

Operationally, strong programmes separate the device from the identity. A lost phone should not automatically mean lost account control, but it should trigger rapid revocation of active sessions, a check on device trust, and re-verification before reissue. Teams typically need:

  • Clear ownership for issuance and recovery decisions
  • JIT or time-bound re-enrollment for replacement devices
  • Immediate token and session revocation for suspected compromise
  • Help desk scripts that require identity proofing, not informal exceptions
  • Audit trails that show who approved restoration and why

This is especially important where mobile access is tied to privileged functions, shared devices, or high-value workflows. NHI Management Group’s Ultimate Guide to NHIs and the Meta AI Instagram Account Takeover case both illustrate how access failures become account-control failures when recovery paths are weak. These controls tend to break down in organisations that let service desk staff override policy without identity proofing because convenience starts to outrank assurance.

Common Variations and Edge Cases

Tighter recovery controls often increase user friction, requiring organisations to balance faster restore times against stronger assurance checks. That tradeoff is real, especially when executives, field workers, or frontline staff depend on mobile access for daily operations. Current guidance suggests that recovery should be risk-based, but there is no universal standard for this yet.

Some environments need stricter handling than others. For regulated data, privileged apps, or shared fleet devices, accountability should shift toward security operations for containment and toward business owners for exception approval. For low-risk productivity access, a simpler workflow may be acceptable if revocation is immediate and re-enrollment is strongly verified. The key is that the device owner is not the accountability endpoint. The endpoint is the process owner who can prove access was issued, checked, and removed correctly.

Where teams often fail is in treating device loss as a support ticket instead of a security event. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it frames identity lifecycle risk as a governance problem, not just a tooling problem. That distinction matters most when mobile access depends on conditional access, push MFA, or cached sessions that remain valid after the device itself is gone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Defines who can access resources and how access is granted or removed.
OWASP Non-Human Identity Top 10NHI-03Covers lifecycle control and revocation discipline for identities and credentials.
OWASP Agentic AI Top 10Runtime authorization and ownership discipline are relevant to dynamic access decisions.
CSA MAESTROHighlights governance, containment, and operational accountability for autonomous access.
NIST AI RMFGOVERNGovernance requires accountable roles and documented decision paths for risk events.

Separate policy ownership, operational containment, and business approval in recovery.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org