Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who should own IoT connectivity changes when devices…
Governance, Ownership & Risk

Who should own IoT connectivity changes when devices are managed in the field?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 14, 2026 Domain: Governance, Ownership & Risk

Ownership should sit with a clearly defined operations or identity governance function, not with whichever team happens to have the credentials. Field changes affect device trust and business continuity, so the right model is role-based authority, documented approvals and revocation paths that work at scale.

Why This Matters for Security Teams

When IoT connectivity changes are handled ad hoc, the risk is not just configuration drift. The bigger issue is broken accountability: a device may keep working while its trust boundary, telemetry path, or remote access method changes without a clear owner. That creates gaps in approval, logging, and rollback, especially for fleets managed outside a central office. Guidance from the NIST Cybersecurity Framework 2.0 points security teams toward defined governance, asset visibility, and controlled change management rather than informal handoffs.

For field-managed devices, the ownership question is really about who can authorise a connectivity change, who can validate the impact, and who can revoke access if the change goes wrong. That matters for both operational resilience and identity security because the device often relies on credentials, certificates, or tokens that must remain tightly scoped. If those controls are not owned by a defined function, the organisation can end up with unmanaged secrets and inconsistent privilege boundaries across sites, vendors, and technicians.

In practice, many security teams encounter the ownership problem only after a failed field change has already interrupted service or exposed an unnecessary access path.

How It Works in Practice

The most reliable model is a clear split between technical execution and control ownership. A field engineer or service partner may perform the physical or remote change, but the authority to approve, track, and reverse that change should sit with operations, identity governance, or another named control owner. That owner should maintain the change standard, not just the ticket. For IoT fleets, the standard should define who can modify network configuration, certificate state, eSIM or SIM profiles, broker endpoints, VPN settings, and device registration details.

Practitioners usually get better outcomes when they treat connectivity changes as governed identity events, not routine maintenance. If a device is using a certificate to authenticate to an IoT platform, the approval path should include the expected issuer, renewal window, and revocation plan. If a remote technician needs temporary access, that access should be time-bound and recorded, with a named approver and a defined rollback. This is closely aligned with zero trust thinking and with operational access controls described in NIST CSF 2.0, even when the devices sit outside traditional IT management.

In practice, the operating model often includes:

  • Role-based authority for requesting, approving, and executing connectivity changes.
  • Documented approval chains for planned changes and emergency changes.
  • Inventory linkage so every device change updates the asset and identity record.
  • Revocation paths for certificates, tokens, remote sessions, and vendor access.
  • Logging to a central monitoring function so field activity is visible after the fact.

This is also where IAM and NHI governance intersect. A device certificate, API key, or gateway credential is a non-human identity asset, so ownership must include lifecycle control, not just deployment. Where device fleets are distributed across regions or third parties, the model should also define who can suspend a device, who can isolate it from the network, and who can approve any exception to the normal trust policy. These controls tend to break down when field teams use local workarounds and connectivity changes are made through shared accounts because accountability and revocation become unreliable.

Common Variations and Edge Cases

Tighter control over field connectivity often increases operational overhead, requiring organisations to balance speed of restoration against assurance and traceability. That tradeoff is real in emergency maintenance, contractor-led service calls, and environments where devices operate offline for long periods. Best practice is evolving, but there is no universal standard for allowing exceptions without weakening ownership.

In some environments, especially utility, healthcare, or industrial deployments, a local site manager may approve a change while a central identity governance team retains final policy ownership. That can work if the approval is time-limited and the revocation path is pre-built. In other cases, vendors may need limited access for diagnostics, but that access should be brokered through the owning function rather than handed out as standing privilege. The main risk is confusing execution rights with ownership rights.

For fleets using certificates or hardware-backed trust, the ownership model should also define who controls renewal and key replacement. If that responsibility is fragmented, a routine connectivity update can become a service outage or a security exception. The right pattern is to keep the owner stable, even when the technician, carrier, or service provider changes.

Where device connectivity depends on shared credentials across many sites, this guidance becomes fragile because revocation and auditability no longer map cleanly to a single accountable function.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.1Governance clarifies who owns and approves connectivity changes.
OWASP Non-Human Identity Top 10IoT connectivity often relies on non-human credentials needing lifecycle control.
NIST Zero Trust (SP 800-207)PA-1Zero trust requires explicit policy control over remote connectivity decisions.
NIST SP 800-63Identity proofing and credential lifecycle concepts map to trusted device access.

Use strong identity and credential governance for any person or service changing device access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org