Accountability usually spans identity, endpoint, and application teams because zero trust depends on trustworthy authentication as well as policy enforcement. If the login factor is phishable, continuous verification cannot fully compensate. Governance teams should define ownership for authentication strength, certificate lifecycle, and exception handling so gaps do not linger between teams.
Why This Matters for Security Teams
When phishing succeeds in a zero-trust program, the failure is usually not “zero trust” itself but the chain of ownership behind authentication, device trust, and exception handling. Zero trust assumes continuous verification, yet that promise depends on phishable factors, resilient endpoints, and policy decisions that are actually enforced. The operational question is less about blame and more about which team owns the control gap after the initial compromise.
NHI Management Group’s Ultimate Guide to NHIs notes that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation. That matters because phishing often reveals weak identity assurance long before a perimeter-style alert would have fired. For a useful baseline on zero-trust accountability, NIST SP 800-207 Zero Trust Architecture makes clear that policy decisions depend on trustworthy signals, not just a label that says “verified.” In practice, many security teams encounter ownership disputes only after a compromised session has already been used to move laterally, rather than through intentional control testing.
How It Works in Practice
Accountability in a phishing-driven zero-trust failure should follow the control chain, not the incident headline. Identity teams usually own authentication strength, phishing-resistant MFA choices, certificate and token lifecycle, and recovery workflows. Endpoint teams own device posture, browser hardening, and local token protection. Application and platform teams own whether sessions are revalidated at the right risk points, whether conditional access is enforced consistently, and whether high-risk actions trigger step-up checks.
That division matters because zero trust is not a single product. It is a set of runtime decisions. NIST SP 800-207 Zero Trust Architecture frames access as conditional and continuously evaluated, which means a phishable factor, weak session binding, or overbroad exception can undermine the whole model. The relevant NHI lesson from Ultimate Guide to NHIs — Standards is that trust has to be operationalised across lifecycle controls, not assumed at login.
- Assign an owner for authentication assurance, including MFA strength and recovery paths.
- Separate responsibility for endpoint health from responsibility for identity issuance.
- Require clear approval for exceptions, with expiry dates and review dates.
- Log who can approve step-up bypasses, token resets, and conditional access exclusions.
- Test phishing scenarios against real enforcement points, not just policy diagrams.
Current guidance suggests that phishing-resistant factors, short-lived sessions, and device-bound tokens reduce exposure, but there is no universal standard for exactly how much residual risk each team must absorb. These controls tend to break down in hybrid environments with legacy identity providers and shared admin consoles because enforcement is fragmented across multiple platforms.
Common Variations and Edge Cases
Tighter accountability often increases coordination overhead, requiring organisations to balance faster incident response against more formal ownership boundaries. That tradeoff becomes visible when a phished session involves contractors, shared service desks, or federated identity across subsidiaries.
One edge case is a technically sound zero-trust design with weak human recovery. If an attacker phishes the user and then abuses password reset, help desk workflow, or SIM swap recovery, the accountable team may be the one that approved an unsafe fallback rather than the team that configured conditional access. Another edge case is non-human identities used in phishing-adjacent chains, where a stolen token or API key bypasses human MFA entirely. In those cases, the control failure may sit with secrets handling, rotation, or workload identity governance rather than the login stack.
There is also a governance distinction between “who is responsible for the breach” and “who is accountable for the control gap.” Best practice is evolving toward named control owners, especially for verification, session assurance, and exception review. For broader NHI context, NHI Mgmt Group research remains clear that visibility and rotation failures often persist long after a phishing event is contained. Organisations that rely on a shared-security model without explicit ownership tend to discover the gap only after the attacker has already used the trusted session.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-2 | Authentication assurance is central when phishing bypasses zero-trust controls. |
| NIST Zero Trust (SP 800-207) | Zero trust depends on continuous policy decisions using trustworthy signals. | |
| OWASP Non-Human Identity Top 10 | NHI-05 | Stolen credentials and weak lifecycle controls are common post-phish failure paths. |
Verify that authentication strength and recovery workflows are owned, tested, and continuously improved.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
