Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who should own identity and access controls in…
Governance, Ownership & Risk

Who should own identity and access controls in a business transformation programme?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Governance, Ownership & Risk

Ownership should sit with the programme, not only with security. Business leaders define the operating model, application teams implement the integrations, and IAM or PAM teams define control standards and review them. Without shared ownership, identity decisions become fragmented and controls lag behind the transformation schedule.

Why This Matters for Security Teams

Identity and access ownership in a transformation programme is not a paperwork issue. It determines whether new platforms launch with enforceable least privilege, traceable approvals, and revocation paths that actually work. When programme teams treat IAM as a downstream security dependency, business change moves faster than control design and the result is usually shadow access, duplicated roles, and delayed deprovisioning.

This is especially visible in environments with service accounts, API keys, and automation tokens. NHIMG research shows that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means the ownership problem scales faster than most governance models expect, as discussed in the Ultimate Guide to NHIs. The practical risk is not just excess access, but controls being designed after deployment pressure has already set the operating model.

Security teams often assume that “security review” is sufficient ownership, but identity controls only hold when business, delivery, and platform teams share accountability for role design, integration timing, and exception handling. In practice, many security teams encounter access sprawl only after go-live has already normalised it.

How It Works in Practice

For a business transformation programme, identity ownership should be split by responsibility, not by blame. The programme sponsor and business design team should define the target operating model: who needs access, for what process, and under which approval path. Application and platform teams should implement the technical integrations, while IAM and PAM teams define standards for authentication, privileged workflows, secrets handling, and periodic review. That division aligns with the control intent in the OWASP Non-Human Identity Top 10, which treats identity failures as design issues, not only operational ones.

In practice, governance works best when the programme sets explicit decision rights:

  • Business owners approve the access model tied to a process or product outcome.
  • Application owners map that model to applications, APIs, and automation paths.
  • IAM and PAM teams define control baselines, including MFA, JIT elevation, vaulting, rotation, and offboarding.
  • Risk and compliance teams validate evidence, not just policy wording.

For non-human workloads, the same principle applies to secrets and workload identity. A static role alone is rarely enough when automations change frequently; current guidance suggests using short-lived credentials, context-aware authorisation, and auditable workflow ownership. NHIMG’s Key Challenges and Risks section highlights why visibility and revocation discipline are so often missed during transformation programmes. The practical control objective is to make identity decisions part of the delivery cadence, not a post-launch cleanup task. These controls tend to break down when multiple workstreams share the same platform but no single team owns the entitlement catalogue because changes outpace review cycles.

Common Variations and Edge Cases

Tighter identity control often increases delivery overhead, requiring organisations to balance speed against auditability and operational stability. That tradeoff becomes sharper in merger integrations, ERP migrations, or cloud platform rollouts where teams inherit different identity stores, approval chains, and privileged access patterns. Best practice is evolving, but there is no universal standard for how much centralisation is enough across every transformation.

One common variation is a federated model: business teams own access requirements, but a central IAM or PAM function enforces standards and exceptions. This works when the programme is large and the target state is still changing. Another variation is a product-led model, where a platform team owns implementation and an identity centre of excellence owns guardrails. The key is that someone outside the project does not “own security” in the abstract; they own specific controls, review points, and sign-off criteria.

For regulated environments, requirements may be more prescriptive. PCI DSS v4.0, for example, makes access governance and least privilege harder to treat as informal programme decisions, even when the business prefers speed. The Top 10 NHI Issues research also shows how poor offboarding and excessive privilege become recurring failure modes when ownership is diffuse. In short, the operating model should decide who requests access, who approves it, who implements it, and who proves it was revoked.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Identity ownership needs lifecycle control, including rotation and revocation.
NIST CSF 2.0PR.AA-01Access control ownership supports identity governance across the transformation.
NIST CSF 2.0PR.AC-4Least-privilege access must be owned and reviewed during change delivery.

Define accountable owners for identity decisions and enforce them through standard approval workflows.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org