Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who should own MFA policy when security and…
Governance, Ownership & Risk

Who should own MFA policy when security and user experience pull in different directions?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 12, 2026 Domain: Governance, Ownership & Risk

MFA policy should be owned jointly by IAM, security architecture, and business application leaders, with compliance involved where regulated access is in scope. Authentication affects fraud, support load, and conversion rates, so it cannot be managed as a pure security setting. Shared ownership keeps assurance decisions aligned with operational reality.

Why This Matters for Security Teams

MFA policy is not just an authentication setting. It shapes account takeover resistance, fraud exposure, help desk volume, and whether employees can actually get work done. That is why ownership becomes contentious when security wants stronger assurance and the business wants fewer interruptions. Current guidance from the NIST Cybersecurity Framework 2.0 supports shared accountability across governance, protection, and operational functions rather than leaving identity decisions in a silo.

For NHI governance, the same pattern appears in Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs: identity controls fail when they are designed without lifecycle ownership, not when they are merely documented. That matters because MFA often sits at the point where policy intent meets real user behaviour. If the policy is too strict, users route around it; if it is too loose, attackers exploit the gap. In practice, many security teams discover the ownership problem only after support tickets spike or a phishing event exposes a weak exception path, rather than through intentional policy review.

How It Works in Practice

Effective MFA ownership is usually a federated model. IAM teams define the control baseline, security architecture sets assurance standards, application owners define what is tolerable for their workflows, and compliance confirms where regulated access requires stronger factors or step-up rules. That structure aligns with the NIST principle that access control should be risk-based, auditable, and mapped to business impact, not treated as a one-size-fits-all gate.

In practice, policy teams should separate the question of who decides from who operates. The owner approves the standard, but implementation teams handle enrollment flows, recovery procedures, device binding, and exception handling. This is especially important for high-friction populations such as contractors, frontline staff, and privileged users. NHIMG’s Top 10 NHI Issues also reflects a broader identity truth: controls that are not managed through lifecycle discipline tend to drift into exceptions, duplicated credentials, and invisible bypasses.

  • Set one policy owner for assurance standards and one operational owner for rollout and support.
  • Use risk-based step-up MFA for higher-value actions rather than forcing the same challenge everywhere.
  • Define exception approval paths with expiry dates, not permanent waivers.
  • Measure policy impact using both security outcomes and user friction metrics.

Where this guidance breaks down is in highly decentralized environments with many acquired applications, because inconsistent identity stacks make a single MFA policy difficult to enforce cleanly.

Common Variations and Edge Cases

Tighter MFA policy often increases friction and support cost, so organisations have to balance stronger assurance against productivity and abandonment risk. That tradeoff is real, and current guidance suggests it should be managed explicitly rather than hidden inside technical settings. For example, executive, admin, and finance access may justify phishing-resistant methods, while lower-risk internal tools may use lighter controls with conditional access.

There is no universal standard for this yet, especially for passwordless rollouts and device-bound authentication across mixed fleets. The State of Non-Human Identity Security shows how quickly identity oversight degrades when ownership is unclear: only 1.5 out of 10 organisations are highly confident in securing NHIs, which is a useful warning sign for human MFA policy too. The lesson is not that every control should be maximal, but that ownership must be explicit enough to resolve disputes quickly when business and security priorities diverge.

Edge cases include shared workstations, legacy apps that cannot support modern authenticators, and regulated processes that require stronger authentication than the rest of the environment. In those cases, policy exceptions should be time-bound, documented, and reviewed by the same cross-functional owners who approved the baseline.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.OVMFA ownership is a governance decision with operational and business impact.
NIST SP 800-63IAL/AAL/FALMFA assurance level should match the required identity and authentication strength.
NIST Zero Trust (SP 800-207)Policy EngineZero Trust uses context-aware access decisions rather than static authentication rules.
OWASP Non-Human Identity Top 10NHI-01Shared ownership issues often mirror broader identity governance failures for non-human accounts.
NIST AI RMFGOVERNPolicy ownership requires accountability, oversight, and documented decision rights.

Assign MFA policy oversight through governance reviews that include security, IAM, and business owners.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org