Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security Who is accountable when ZTNA routing violates residency…
Cyber Security

Who is accountable when ZTNA routing violates residency requirements?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Cyber Security

Accountability usually sits across security, networking, privacy, and legal teams, because the failure is architectural and regulatory at the same time. Security owns the access design, networking owns the routing model, and privacy or legal owns the residency interpretation. Organisations need a clear control owner before deploying brokered access at scale.

Why This Matters for Security Teams

Residency breaches through ZTNA are not just a network issue. They can create regulatory exposure, contractual breach, and evidence gaps at the same time, especially when traffic is brokered through inspection points that are not aligned to data location commitments. That makes accountability a governance question as much as an engineering one. NIST frames Zero Trust as an architecture for continuous verification and policy enforcement, but it does not remove the need to define who owns routing outcomes in practice, as set out in NIST SP 800-207 Zero Trust Architecture.

Practitioners often get this wrong by assuming the ZTNA vendor or platform team automatically owns compliance. In reality, a broker can be configured correctly from an access perspective and still violate residency if policy decisions, path selection, logging, or inspection services send traffic to the wrong jurisdiction. The accountability model has to span security architecture, network engineering, privacy review, and legal interpretation, with a named control owner who can approve exceptions and enforce evidence retention. In practice, many security teams encounter residency violations only after an audit request or data subject complaint, rather than through intentional control testing.

How It Works in Practice

Accountability for ZTNA routing starts with mapping where policy is decided, where traffic is inspected, and where data is actually processed. A mature model separates the control plane from the data plane and documents who owns each layer. Security architecture should define the intended route, networking should implement and monitor the path, and privacy or legal should confirm whether the path satisfies jurisdictional requirements. That division needs to be reflected in operating procedures, not just in diagrams.

Useful control questions include: is user traffic hair-pinned through a region-specific broker, are logs replicated outside the allowed geography, and do failover conditions preserve residency or override it? These concerns fit naturally into NIST SP 800-53 Rev 5 Security and Privacy Controls, particularly where organisations need documented accountability, change control, audit logging, and data handling restrictions. The practical expectation is that control owners can show how routing decisions are validated before go-live and after every material network change.

  • Define a single accountable owner for residency control decisions, even if execution is shared.
  • Record approved geographies for routing, inspection, logging, and backup paths.
  • Test failover and rerouting scenarios to confirm residency does not collapse during outages.
  • Correlate network telemetry with policy change records so exceptions are traceable.
  • Require legal or privacy sign-off where jurisdictional interpretation is ambiguous.

Where organisations extend ZTNA into cloud and SaaS estates, the routing path can span multiple providers and service edges, which complicates evidence collection and control validation. CISA Zero Trust Maturity Model is useful here as a planning reference, but it still leaves the residency decision to internal governance. These controls tend to break down when multi-region failover is automated without jurisdiction-aware policy gates because availability logic silently overrides residency intent.

Common Variations and Edge Cases

Tighter routing control often increases operational overhead, requiring organisations to balance residency assurance against resilience, latency, and deployment speed. That tradeoff is especially visible when brokered access must support remote users, third-party contractors, and high-availability designs at the same time.

Best practice is evolving for hybrid and multi-cloud ZTNA, and there is no universal standard for how residency should be proven in every topology. Some organisations treat the broker location as decisive; others care more about where content is decrypted, inspected, and logged. The correct answer depends on the regulatory regime and the data classification involved. Where personal data is involved, privacy teams should document the interpretation; where regulated sector data is involved, the control owner should align with operational resilience and audit requirements.

The hardest edge case is when routing itself is compliant but downstream services are not. A session may enter a permitted region and still trigger analytics, threat detection, or crash logging in a disallowed one. That is why ZTNA accountability cannot stop at the access gateway. It has to include dependent services, vendor sub-processors, and any automation that can alter path selection without human review. For organisations that operate in multiple jurisdictions, the safest approach is to treat residency as a continuous control, not a one-time deployment decision.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the technical controls, while DORA define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.OV-01Oversight is needed to assign and track accountability for residency outcomes.
NIST SP 800-63Identity assurance matters when access decisions depend on user context and routing.
NIST Zero Trust (SP 800-207)PA/PE/DP conceptsZero Trust architecture defines the routing and policy layers that can affect residency.
NIST SP 800-53 Rev 5AU-2, AU-6, AC-4, PL-2Audit, monitoring, and boundary controls support residency evidence and enforcement.
DORAICT risk managementRouting failures can become resilience incidents when services cross restricted regions.

Log routing decisions, enforce boundary restrictions, and review exceptions as part of control operations.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org