Both teams, but with different responsibilities. IAM owns identity context, ownership, and lifecycle state, while security owns abuse detection, threat correlation, and containment. When those functions stay separate, no one has a complete picture of who or what can actually move through the environment.
Why This Matters for Security Teams
When identity risk crosses IAM and security operations, the failure is usually not a tooling problem. It is a responsibility gap. IAM teams often know ownership, lifecycle state, and access intent, while SOC or security operations sees abuse patterns, anomalous movement, and containment needs. If those signals are not joined, an attacker can exploit a valid secret or workload identity long before either team sees the full path. NHIMG’s 52 NHI Breaches Analysis shows how often identity misuse becomes a breach condition rather than a narrow IAM event. That is why the question of accountability matters as much as the control set.
The practical risk is that teams assume the other side owns the “last mile.” IAM may stop at provisioning and rotation, while security assumes detections will catch misuse after the fact. Current guidance suggests that neither model is sufficient on its own. The most mature programs treat identity as both an access governance problem and an attack surface problem, aligning with the NIST Cybersecurity Framework 2.0 emphasis on shared governance and continuous risk management. In practice, many security teams encounter identity-led lateral movement only after a token, key, or privileged service account has already been used outside its intended scope.
How It Works in Practice
Accountability works best when it is split by decision type, not by organisational silo. IAM should remain accountable for identity truth: who the NHI belongs to, what system or pipeline issued it, what privileges it should have, and whether its lifecycle state is current. Security operations should remain accountable for how that identity behaves in the environment: whether it is used from unexpected locations, chained into unusual tool paths, or correlated with known attacker activity. That division maps well to the NIST CSF 2.0 idea that governance, protection, detection, and response are distinct but connected functions.
For non-human identities, this usually means three operational layers:
- IAM establishes ownership, baseline entitlements, and rotation or revocation rules.
- Security builds detections for secret exposure, anomalous API use, privilege escalation, and impossible tool sequences.
- Both teams share a common incident workflow so evidence can move quickly from identity state to containment.
For practitioners, the most useful control is a joint identity register that includes workload owners, credential type, token TTL, last rotation, and detection coverage. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it frames NHI governance as a lifecycle problem, not just an access review exercise. Security teams should pair that with abuse-focused monitoring and case management, so suspicious identity use is treated as an incident, not a routine IAM ticket. These controls tend to break down in hybrid and multi-cloud environments because ownership records, logs, and revocation paths are fragmented across platforms.
Common Variations and Edge Cases
Tighter accountability often increases operational overhead, requiring organisations to balance faster containment against clearer ownership boundaries. That tradeoff becomes sharper for shared service accounts, third-party integrations, and CI/CD robots that support multiple teams. In those cases, best practice is evolving, but current guidance suggests assigning one named business owner and one technical steward, then making security the detection and escalation authority. There is no universal standard for this yet, but ambiguity is consistently worse than a slightly heavier approval process.
Edge cases also appear when the same identity is both a platform dependency and a threat vector. For example, a deployment token may be created by IAM controls, consumed by engineering pipelines, and abused in a way only security telemetry can see. In that scenario, neither team should “own” the incident alone. Instead, the accountable path is shared: IAM validates scope and revocation, while security validates abuse patterns and containment. NHIMG’s Top 10 NHI Issues and the broader Ultimate Guide to NHIs both point to the same reality: identity accountability fails when organisations treat access administration and threat response as separate stories. In practice, that failure is usually discovered during an incident review, not during design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-03 | Shared accountability depends on clear governance roles and risk ownership. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and poor ownership are core NHI governance failure modes. |
| NIST AI RMF | GOVERN | Accountability across teams requires governance, oversight, and clear responsibility. |
Set cross-functional governance for identity risk so IAM and security share policy, metrics, and escalation.
Related resources from NHI Mgmt Group
- Who is accountable when identity security controls fail across IAM, PAM, and NHI programmes?
- How should security teams implement risk-aware identity in existing IAM programmes?
- How do security teams know whether identity governance is reducing risk?
- How should security teams use ISPM to reduce identity risk?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
