Ownership should sit with a shared governance model across IT, security, HR, and the business process owners who understand the transactions at risk. ERP and HCM access is not just a technical entitlement problem. It affects financial controls, payroll integrity, and audit evidence, so accountability must be explicit and cross-functional.
Why This Matters for Security Teams
ERP, HCM, and integration accounts sit on top of payroll, finance, and operational workflows, so identity governance for these users is really a control-owner question, not just an access-admin task. When ownership is unclear, access reviews become perfunctory, segregation of duties breaks down, and exceptions linger long after the business process has changed. That is why NHI Management Group treats governance as a cross-functional discipline, consistent with the NIST Cybersecurity Framework 2.0 focus on governance and risk ownership.
The risk is not theoretical. NHIMG research on the 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced or suspect a breach of non-human identities, and two-thirds have endured a successful cyberattack tied to compromised NHIs. In ERP and HCM environments, that same pattern can translate into fraudulent payments, payroll manipulation, or untraceable integration activity. In practice, many security teams encounter the ownership gap only after an audit finding or transaction anomaly has already exposed it, rather than through intentional governance design.
How It Works in Practice
The most reliable model is shared governance with clearly separated duties. Security should set policy, minimum control baselines, and monitoring requirements. IT or IAM should implement provisioning, lifecycle automation, and technical enforcement. HR should own employee and contractor source data for joiner, mover, leaver events. Finance, payroll, and application process owners should approve access based on transaction risk, not just job title. For integrations and service accounts, the owner should be the team responsible for the business process the account supports, with technical custodianship documented separately.
For organisations managing large numbers of service accounts, API tokens, and middleware identities, current guidance suggests treating these as NHIs with explicit lifecycle controls. That means unique ownership, scoped entitlements, time-bound secrets where possible, periodic recertification, and revocation when the process is retired. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because it frames ownership as part of create, approve, monitor, rotate, and decommission workflows rather than a one-time assignment. Where access is highly sensitive, policy should align to the spirit of OWASP guidance and the control expectations in NIST Cybersecurity Framework 2.0.
- Assign one accountable business owner per ERP, HCM, or integration identity.
- Separate approval authority from technical administration to preserve segregation of duties.
- Require periodic review of privileges against actual process ownership.
- Document break-glass and emergency access with post-use review.
- Revoke stale integrations, test accounts, and dormant service identities on a fixed schedule.
For auditability, the evidence trail should show who approved access, who implemented it, who reviewed it, and who is accountable if the process changes. These controls tend to break down when ERP customisations, outsourced payroll operations, or middleware sprawl make the true process owner unclear.
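As an added example (not code from NHIMG or from any of the guides cited on this page), the following Python script checks a constructed inventory of ERP, HCM, integration and break-glass identities against the controls listed above and returns each gap it finds; the record fields, the 90-day review and 180-day dormancy thresholds, and the sample identities are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Identity:
    """One ERP, HCM, integration or break-glass identity and its governance record."""
    name: str
    kind: str                       # "erp-user", "hcm-user", "integration", "service", "break-glass"
    owner: Optional[str]            # accountable business owner (process owner, not a team alias)
    approver: Optional[str]         # who approved the current entitlements
    admin: Optional[str]            # who implemented them technically
    last_review: Optional[date]     # last privilege recertification
    last_used: Optional[date]       # last authentication or transaction
    post_use_reviewed: bool = True  # only meaningful for break-glass identities

def governance_findings(identities, today, review_days=90, dormant_days=180):
    """Return (identity name, finding) pairs for every control that is violated."""
    findings = []
    for i in identities:
        if not i.owner:
            findings.append((i.name, "no accountable business owner"))
        if i.approver and i.admin and i.approver == i.admin:
            findings.append((i.name, "approver also implemented the access (SoD conflict)"))
        if i.last_review is None or (today - i.last_review).days > review_days:
            findings.append((i.name, "privilege review overdue"))
        if i.kind == "break-glass" and not i.post_use_reviewed:
            findings.append((i.name, "break-glass use without post-use review"))
        dormant = i.last_used and (today - i.last_used).days > dormant_days
        if i.kind in ("integration", "service") and dormant:
            findings.append((i.name, "dormant integration/service identity: revoke"))
    return findings

# Constructed sample inventory; names, teams and dates are illustrative, not real systems.
TODAY = date(2026, 6, 24)
SAMPLE = [
    Identity("erp-ap-clerk-jdoe", "erp-user", "AP Manager", "AP Manager", "IAM Team",
             TODAY - timedelta(days=30), TODAY - timedelta(days=1)),
    Identity("svc-payroll-to-bank", "integration", None, "IAM Team", "IAM Team",
             TODAY - timedelta(days=200), TODAY - timedelta(days=2)),
    Identity("svc-legacy-hr-feed", "service", "HR Ops", "HR Ops", "Middleware Team",
             TODAY - timedelta(days=10), TODAY - timedelta(days=400)),
    Identity("erp-breakglass-01", "break-glass", "CFO Office", "CFO Office", "IAM Team",
             TODAY - timedelta(days=5), TODAY - timedelta(days=3), post_use_reviewed=False),
]

def run_sample():
    """Evaluate the sample inventory; the clean ERP user produces no findings."""
    return governance_findings(SAMPLE, TODAY)
```

In a real deployment the inventory would be pulled from the IAM system or ERP user export, and each finding would be routed to the named business owner rather than printed.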
Common Variations and Edge Cases
Tighter ownership models often increase administrative overhead, requiring organisations to balance stronger control against slower approvals and more complex RACI management. That tradeoff is usually worth it in ERP and HCM because the downstream impact of a wrong entitlement is so high, but the model should be adjusted for edge cases. Shared service centres may need regional approvers. M&A environments may temporarily allow duplicate ownership while systems are being reconciled. Third-party managed payroll or integration platforms may require contractual ownership clauses so accountability does not disappear into the vendor relationship.
There is no universal standard for this yet, but best practice is evolving toward explicit business accountability for each identity class. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives is a good reference when mapping this into audit evidence, while the Top 10 NHI Issues highlights how ownership gaps and stale credentials surface in real incidents. If a team cannot name the business owner for an ERP or integration account, the identity is already outside effective governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Ownership gaps are a core non-human identity governance failure. |
| NIST CSF 2.0 | GV.OV-01 | Governance requires clear accountability for business-critical access. |
| CSA MAESTRO | GOV-02 | Cross-functional governance is essential for machine and integration identities. |
Document ownership, approval authority, and review cadence for each identity class.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org