Accountability should sit with the team that owns the access path, key custody, and monitoring controls, not just the storage platform owner. In practice, that means identity, security, and compliance teams need a shared governance model with clear ownership for residency, session control, and evidence retention across environments.
Why This Matters for Security Teams
When sensitive data moves between cloud services, on-prem systems, and managed integrations, accountability often becomes fragmented across infrastructure, application, identity, and compliance owners. That gap matters because the breach surface is not just where data sits, but where it is decrypted, accessed, copied, and logged. NIST’s Cybersecurity Framework 2.0 emphasises governance and control ownership, but in hybrid environments those responsibilities rarely map cleanly to a single platform team.
NHIMG research shows this is not a theoretical concern. In The 2026 Infrastructure Identity Survey, 35.6% of organisations cited consistent access across hybrid and multi-cloud environments as their top non-human identity challenge, which is a strong signal that boundary-crossing access remains hard to govern. The practical issue is that storage ownership does not equal access-path ownership, and monitoring ownership does not always include the systems that actually move or transform the data. In practice, many security teams discover this only after a cross-environment transfer has already bypassed the evidence trail they expected to rely on.
How It Works in Practice
Accountability should be assigned to the team that can actually enforce the control points: who can request access, who approves key use, who monitors session behaviour, and who retains evidence. In a well-structured hybrid model, that usually means shared responsibility rather than shared ambiguity. Identity teams govern the principal, security teams govern the policy and logging path, and the platform or application owner governs the workload and data flow. The important distinction is that ownership follows the control plane, not the storage location.
For cross-boundary data movement, the control model should include:
- Identity-bound access, so access is tied to a workload or human principal rather than a loose network trust zone.
- Key custody and secret lifecycle ownership, especially where encryption keys or tokens can unlock both cloud and on-prem repositories.
- Session-level monitoring, including who initiated the transfer, what data was accessed, and whether the action was expected.
- Evidence retention rules that preserve logs across both environments long enough for investigation and audit.
This is where hybrid governance often fails if teams treat cloud and on-prem as separate compliance silos. Guidance from NIST CSF 2.0 and the NHIMG 2024 Non-Human Identity Security Report both point toward stronger identity-centric accountability, and the report’s Aembit data shows 88.5% of organisations say non-human IAM still lags human IAM. That matters because non-human access is often the mechanism that crosses boundaries faster than policy review cycles can keep up. These controls tend to break down when data moves through ad hoc service accounts, unmanaged API keys, or integration tools that span both environments without a single owner for the full access path.
Common Variations and Edge Cases
Tighter ownership models often increase coordination overhead, requiring organisations to balance fast data movement against clear evidence and control boundaries. That tradeoff becomes visible in environments with shared service accounts, third-party managed platforms, or legacy middleware that was never designed for modern identity controls. Current guidance suggests the accountable party should still be the team that can enforce the highest-risk step in the flow, even if another team owns the storage system itself.
Edge cases are common. If data is encrypted end-to-end and keys never leave a dedicated security boundary, key custody may matter more than the application layer. If an on-prem system forwards data into a SaaS analytics service, accountability may split across the source system owner, the integration owner, and the security team that governs token issuance. If agents or automation are involved, the question becomes even sharper because the access path may be executed autonomously, which can make post hoc blame assignment useless unless runtime approvals and logs already exist.
NHIMG research on Snowflake breach and 230M AWS environment compromise shows why boundary-spanning access deserves explicit governance rather than implied responsibility. There is no universal standard for this yet, but best practice is evolving toward named accountability for the full data path, not just the system of record.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Clarifies who is accountable for governance outcomes across hybrid data paths. |
| NIST CSF 2.0 | PR.AC-04 | Access control must follow the path that moves sensitive data between environments. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Cross-boundary movement often depends on overlong secrets and weak custody. |
Inventory non-human secrets and shorten their lifetime wherever they can cross trust boundaries.
Related resources from NHI Mgmt Group
- Who is accountable when privileged access crosses IT, cloud and OT boundaries?
- Who should be accountable for sensitive retail systems and audit trails?
- Who is accountable when stolen identities are used to exfiltrate data through SaaS?
- Who is accountable for authentication control in on-prem banking environments?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org