Ownership should be shared, but governance must be explicit. IAM teams control assurance design, fraud teams monitor abuse patterns, and risk or compliance teams define acceptable thresholds for onboarding and recovery. If those groups operate separately, attackers exploit the gaps between their controls rather than the controls themselves.
Why This Matters for Security Teams
Fraud and IAM overlap most painfully at the points where identity proofing, account recovery, and step-up controls meet. If ownership is unclear, one team may optimise for access speed while another optimises for abuse detection, and attackers exploit the gap. NIST Cybersecurity Framework 2.0 treats identity as a shared governance problem, but it still requires explicit accountability for each control decision.
This is not just an organisational chart issue. Weak ownership leads to inconsistent verification standards, duplicate review paths, and inconsistent thresholds for what counts as acceptable risk. That becomes especially dangerous when secrets, tokens, or recovery workflows are reused across systems. NHIMG’s Ultimate Guide to NHIs shows how quickly identity risk compounds when lifecycle controls are unclear, and the same pattern appears in fraud operations when verification rules are not aligned with access governance.
In practice, many security teams discover the ownership problem only after a recovery flow or onboarding exception has already been abused, rather than through intentional governance design.
How It Works in Practice
The cleanest operating model is shared ownership with clearly separated decision rights. IAM teams should own assurance design, identity proofing standards, and control implementation. Fraud teams should own abuse detection, anomalous behaviour signals, and escalation criteria tied to known attack patterns. Risk or compliance should define the acceptable thresholds for onboarding, account recovery, and exception handling. That structure works because verification is both a security control and a fraud signal, yet designing the control and detecting abuse of it are different functions and need different owners.
Operationally, this means the workflow should be explicit at every checkpoint:
- IAM defines what evidence is required for identity proofing and recovery.
- Fraud sets the detection logic for velocity, device, location, and behavioural anomalies.
- Risk defines when manual review is mandatory and when friction is acceptable.
- All three functions agree on who can override a decision and how that override is logged.
This is where standards guidance matters. NIST CSF 2.0 supports coordinated identity governance through its Govern function, while NIST SP 800-63 separates identity proofing (SP 800-63A), authentication and account recovery (SP 800-63B), and federation (SP 800-63C), each with its own assurance level, which gives teams a vocabulary for deciding who owns which step. For control design, many organisations pair that governance model with an external playbook such as the Top 10 NHI Issues to keep lifecycle and recovery risks visible. The practical lesson is that fraud patterns should inform IAM thresholds, but fraud teams should not be forced to run the identity platform itself. That separation reduces abuse without turning every recovery event into an operational bottleneck. A recent NHIMG report found that only 19.6% of security professionals are strongly confident in securing non-human workload identities, which is a useful warning signal against overestimating control maturity.
These controls tend to break down when onboarding, support, and recovery are outsourced across different platforms because each system enforces a different trust model.
Common Variations and Edge Cases
Tighter verification often increases customer friction and manual review load, so organisations need to balance fraud reduction against conversion, support cost, and recovery time. There is no universal standard for this yet, especially in high-volume environments where risk tolerance changes by channel or transaction type.
One common edge case is delegated authority. If support agents, help desks, or channel partners can reset identities, the control owner must also own the override policy, not just the workflow. Another is step-up verification for high-risk actions: fraud may detect suspicious behaviour, but IAM should decide whether that signal triggers re-authentication, re-proofing, or temporary lockout. In zero trust programmes, this distinction matters because identity assurance and runtime authorisation are related but not interchangeable.
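The following is an added example, not code from the page or from NHIMG, showing the decision-right split from the checkpoint list above and the step-up edge case in this paragraph as a small recovery-decision flow. The roles, the score weights, the thresholds (review at 60, lockout at 90) and the sample requests are illustrative assumptions, not figures from any standard: fraud only emits signals, IAM alone maps them to re-authentication, re-proofing or lockout, risk owns the thresholds, and every override attempt, granted or denied, is logged against a role list that all three functions agreed on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"
    REAUTH = "re-authenticate"
    REPROOF = "re-proof identity"
    MANUAL_REVIEW = "manual review"
    LOCKOUT = "temporary lockout"


@dataclass(frozen=True)
class RiskThresholds:
    """Owned by risk/compliance: scores at which friction becomes mandatory (assumed values)."""
    review_at: int = 60
    lockout_at: int = 90


@dataclass(frozen=True)
class RecoveryRequest:
    user: str
    device_id: str
    country: str
    ts: datetime


class FraudSignals:
    """Owned by fraud: scores velocity, device and location anomalies and names the
    reasons. It emits signals only; it never chooses the assurance action."""

    def __init__(self, window=timedelta(hours=1), velocity_limit=3):
        self.window, self.velocity_limit = window, velocity_limit
        self.attempts = defaultdict(list)   # user -> recovery timestamps seen
        self.devices = defaultdict(set)     # user -> device ids seen before
        self.last_country = {}              # user -> country of the last attempt

    def score(self, req: RecoveryRequest) -> Tuple[int, List[str]]:
        score, reasons = 0, []
        recent = [t for t in self.attempts[req.user] if req.ts - t <= self.window]
        if len(recent) + 1 >= self.velocity_limit:   # this attempt reaches the limit
            score, reasons = score + 50, reasons + ["velocity"]
        if self.devices[req.user] and req.device_id not in self.devices[req.user]:
            score, reasons = score + 30, reasons + ["new_device"]
        if req.user in self.last_country and self.last_country[req.user] != req.country:
            score, reasons = score + 30, reasons + ["country_change"]
        self.attempts[req.user].append(req.ts)
        self.devices[req.user].add(req.device_id)
        self.last_country[req.user] = req.country
        return score, reasons


@dataclass
class Decision:
    request: RecoveryRequest
    score: int
    reasons: List[str]
    action: Action
    overridden_by: Optional[str] = None


class IamPolicy:
    """Owned by IAM: maps fraud signals plus risk thresholds to one assurance action."""

    def decide(self, score: int, reasons: List[str], t: RiskThresholds) -> Action:
        if score >= t.lockout_at:
            return Action.LOCKOUT
        if score >= t.review_at:
            return Action.MANUAL_REVIEW
        if "velocity" in reasons:   # repeated attempts: the credential itself may be compromised
            return Action.REPROOF
        if reasons:                 # one device or location anomaly: step-up only
            return Action.REAUTH
        return Action.ALLOW


class OverrideLog:
    """Agreed by all three functions: which roles may override, and a record of every attempt."""

    def __init__(self, allowed_roles=frozenset({"iam_admin", "fraud_lead"})):
        self.allowed_roles, self.entries = allowed_roles, []

    def override(self, d: Decision, actor: str, role: str, new: Action, why: str) -> Decision:
        granted = role in self.allowed_roles and bool(why.strip())
        self.entries.append({"user": d.request.user, "actor": actor, "role": role,
                             "from": d.action.value, "to": new.value, "granted": granted, "why": why})
        if not granted:
            raise PermissionError(f"role {role!r} may not override recovery decisions")
        d.action, d.overridden_by = new, actor
        return d


def evaluate(fraud: FraudSignals, iam: IamPolicy, t: RiskThresholds, req: RecoveryRequest) -> Decision:
    score, reasons = fraud.score(req)
    return Decision(req, score, reasons, iam.decide(score, reasons, t))


def run_scenario() -> Tuple[List[Decision], OverrideLog]:
    """Constructed sample: four recovery attempts by one user in 15 minutes, then a help-desk
    override that is denied (and logged) and an IAM-admin override that is granted (and logged)."""
    fraud, iam, t, log = FraudSignals(), IamPolicy(), RiskThresholds(), OverrideLog()
    t0 = datetime(2026, 1, 1, 9, 0)
    reqs = [RecoveryRequest("alice", "dev-1", "GB", t0),                          # nothing to compare yet
            RecoveryRequest("alice", "dev-2", "GB", t0 + timedelta(minutes=5)),   # new device
            RecoveryRequest("alice", "dev-2", "BR", t0 + timedelta(minutes=10)),  # 3rd attempt + country change
            RecoveryRequest("alice", "dev-3", "US", t0 + timedelta(minutes=15))]  # velocity + device + country
    decisions = [evaluate(fraud, iam, t, r) for r in reqs]
    try:
        log.override(decisions[2], "help-desk-7", "support_agent", Action.ALLOW, "customer on the phone")
    except PermissionError:
        pass   # denied, but the attempt is still in log.entries
    log.override(decisions[2], "iam-admin-1", "iam_admin", Action.ALLOW, "re-proofed in person at branch")
    return decisions, log


if __name__ == "__main__":
    for d in run_scenario()[0]:
        print(d.request.ts.time(), d.score, d.reasons, d.action.value, d.overridden_by or "")
```

The third request is the edge case in this paragraph: fraud reports velocity plus a country change, risk's threshold makes manual review mandatory, and a support agent cannot talk the system out of it, but an IAM admin can, with the who and why recorded. Swapping the role list or thresholds changes outcomes without touching the fraud logic, which is the point of keeping the three owners apart.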
For identity recovery specifically, organisations should avoid letting a single team define both the attack detector and the approval rule without independent review. That arrangement creates blind spots, especially where account takeover, synthetic identity, and impersonation techniques overlap. NHIMG’s 52 NHI Breaches Analysis is useful background for understanding how identity failures spread across multiple control layers, not just one. Best practice is evolving, but the principle is stable: shared governance works only when the boundaries between assurance, detection, and decision-making are written down and tested.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RR-02 (roles, responsibilities, and authorities established, communicated, and enforced) | Identity ownership needs clear governance, roles, and accountability. |
| NIST SP 800-63 | SP 800-63A (identity proofing) and SP 800-63B (authentication and account recovery) | Identity proofing and recovery are central to this overlap question. |
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Lifecycle and offboarding gaps show why ownership of verification and recovery paths must be explicit. |
Treat recovery workflows as attack paths and enforce least privilege plus strong lifecycle controls.
Related resources from NHI Mgmt Group
- Who should own digital identity trust when fraud, IAM, and compliance overlap?
- Who should own fraud governance when identity and transaction risk overlap?
- Why can identity fabric improve governance without solving IAM risk on its own?
- Who is accountable when identity fraud succeeds through weak verification?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org