Accountability sits with the team that owns the pipeline identity, the secret lifecycle, and the runtime controls around it. If build jobs can access production systems, that access model must be formally governed and reviewed. Frameworks such as OWASP NHI Top 10 and NIST CSF are relevant because the issue is privileged non-human access, not just software supply chain hygiene.
Why This Matters for Security Teams
When stolen pipeline credentials are reused across cloud systems, the incident is not just a supply chain problem. It becomes a non-human identity governance failure because the pipeline identity already had standing authority, and that authority was not constrained at runtime. The accountability question matters because cloud systems often trust the same credential across build, deploy, and admin paths, which turns one compromise into cross-environment access.
That is why NHI governance has to focus on ownership of the identity, the secret lifecycle, and the controls that limit where the credential can be used. The CI/CD pipeline exploitation case study shows how quickly pipeline trust can become broad cloud reach, while the OWASP Non-Human Identity Top 10 frames this as privileged machine access, not ordinary application risk. NHIMG’s 2024 Non-Human Identity Security Report found that 88.5% of organisations say their non-human IAM practices lag behind or merely match human IAM, which explains why accountability is so often unclear in practice.
In practice, many security teams discover the control gap only after the same pipeline secret has already been used to touch multiple cloud accounts and downstream services.
How It Works in Practice
Accountability should be assigned to the team that can actually prevent recurrence: the owner of the pipeline identity, the team operating the secret store or token issuer, and the platform team enforcing runtime guardrails. If those responsibilities are split, the organisation needs a named control owner and a clear escalation path, because stolen credentials often move faster than ticket queues.
Practically, the right model is to reduce what the pipeline can do, shorten how long it can do it, and make each request provable. Current guidance suggests combining workload identity, just-in-time access, and policy checks at runtime rather than relying on long-lived secrets embedded in CI/CD. For example, workload identity patterns such as SPIFFE and short-lived OIDC tokens help prove what the pipeline is, while policy engines evaluate what it is trying to do at that moment. That aligns with the spirit of the Guide to the Secret Sprawl Challenge, which is that distributed secrets create distributed blame unless ownership is explicit.
A workable operating model usually includes:
- One named owner for the pipeline identity and its approved use cases.
- Short TTL secrets that are issued per job, not reused across environments.
- Runtime policy enforcement for cloud calls, rather than pre-approved broad roles.
- Automatic revocation and rotation after job completion or anomaly detection.
- Logging that ties each cloud action back to the pipeline run, repo, and approver.
For implementation depth, the NIST digital identity guidance is useful for identity assurance principles, while the Anthropic report on the first AI-orchestrated cyber espionage campaign shows how quickly autonomous or scripted actors can chain access when controls are weak. These controls tend to break down when a single CI runner can reach multiple cloud tenants because one identity then inherits too much trust by default.
Common Variations and Edge Cases
Tighter pipeline controls often increase delivery friction, so organisations have to balance release speed against the cost of re-issuing credentials, reauthorising jobs, and maintaining more precise policy rules. There is no universal standard for this yet, but best practice is evolving toward context-aware authorisation rather than static RBAC alone.
Edge cases matter. Shared build runners, cross-account deployment roles, and emergency break-glass paths all complicate accountability because the credential may be used legitimately in one environment and maliciously in another. In those environments, a single team should still be accountable for the identity lifecycle, but the platform and cloud security teams must co-own the enforcement layer. That distinction is important when stolen credentials are reused across federated clouds, because the original owner may not control every downstream trust boundary.
NHIMG’s 52 NHI Breaches Analysis is a useful reminder that credential misuse rarely stays isolated to one system, and organisations still need to decide whether the accountable party is the product team, the platform team, or the central identity function. The answer is often all three, but with one named control owner. Where the pipeline identity can self-provision access into multiple clouds without a fresh approval step, accountability breaks down fastest.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses secret lifecycle failures behind stolen pipeline credentials. |
| NIST CSF 2.0 | PR.AC-4 | Maps to managing access permissions for non-human identities across systems. |
| NIST AI RMF | Supports governance and accountability for autonomous or semi-autonomous system actions. |
Assign ownership for runtime decisions, logging, and escalation when machine identity actions cross boundaries.
Related resources from NHI Mgmt Group
- Who is accountable when stolen credentials are used to drain customer accounts?
- Who is accountable when contractor-held credentials expose cloud and internal systems?
- Who is accountable when shared credentials are used across teams?
- Who is accountable when stolen tokens are used to change cloud settings?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org