Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who should own SMS pumping risk in an…
Governance, Ownership & Risk

Who should own SMS pumping risk in an organisation?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Ownership should sit across identity engineering, fraud operations, and the business team paying the telecom bill. IAM controls decide whether SMS is sent, fraud teams watch for abusive patterns, and finance needs the spend caps and alerting that expose abnormal traffic before the cost becomes material.

Why This Matters for Security Teams

sms pumping is not just a telecom expense issue. It is a fraud and identity control problem that can drain budget, mask bot-driven abuse, and create blind spots in authentication flows. When organisations let ownership sit in only one team, they usually optimise for a narrow symptom instead of the attack path. The result is delayed detection, weak escalation, and disputes over who can actually pause traffic or change policy. Current guidance suggests treating it as a cross-functional risk, similar to how identity abuse is handled in the NIST Cybersecurity Framework 2.0. NHIMG’s research shows that NHIs are often poorly governed, with only 5.7% of organisations reporting full visibility into service accounts in the Ultimate Guide to NHIs, which is the same governance gap that allows abusive automation to keep calling SMS endpoints. In practice, many security teams encounter SMS pumping only after spend spikes or customer complaints have already made the problem visible, rather than through intentional abuse monitoring.

How It Works in Practice

Ownership works best when divided by control point, not by blame. Identity engineering should own the SMS send path, including authentication rules, step-up requirements, API credentials, rate limits, and any logic that decides whether a request is eligible to trigger a message. Fraud operations should own abuse detection, pattern analysis, and the operational response to suspicious traffic, because SMS pumping often looks like legitimate demand until the volume pattern becomes obvious. The business team paying the telecom bill should own spend guardrails, budget thresholds, vendor alerts, and the decision to suspend or reroute traffic when losses become material.

That split aligns with the operational reality described in Top 10 NHI Issues and the NHIMG Ultimate Guide to NHIs: identity abuse, excessive privilege, and weak visibility are usually what make high-cost automation possible. A practical operating model usually includes:

  • clear RACI ownership for SMS initiation, anomaly review, and spend shutdown
  • daily or hourly alerting on destination mix, volume spikes, and new geographies
  • hard caps and progressive throttles at the telecom and application layers
  • credential rotation and least privilege for any service that can trigger messaging
  • fraud rules that distinguish customer demand from repeated low-value abuse

Security leaders should document who can approve exceptions and who can disable the SMS channel immediately, because delayed escalation turns a controllable abuse pattern into a bill shock event. These controls tend to break down when SMS is embedded in product onboarding or password recovery flows because business teams resist throttling anything that could affect conversion.

Common Variations and Edge Cases

Tighter SMS controls often increase friction for legitimate users, requiring organisations to balance fraud reduction against customer experience and support load. That tradeoff is real, especially where SMS is still used for account recovery, one-time passcodes, or market-specific workflows. Best practice is evolving, but current guidance suggests moving high-risk verification flows toward stronger factors while keeping SMS as a fallback rather than a primary trust mechanism.

There is also no universal standard for who owns the final stop button. In smaller organisations, finance may own the spend threshold, while security owns the policy and ops owns the technical kill switch. In larger environments, a fraud team may sit inside security but still need telecom and product support to act quickly. The important part is that ownership is explicit and tested, not implied.

Where this model gets complicated is when vendors abstract the SMS layer behind third-party APIs or shared messaging gateways. Then the organisation must also track service-account access, secret handling, and vendor alert SLAs, which are classic NHI risks described in NHIMG’s Why NHI Security Matters Now. In practice, ownership fails most often when the business assumes fraud will notice first and fraud assumes engineering will limit the blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01SMS pumping needs explicit risk ownership and escalation paths.
OWASP Non-Human Identity Top 10NHI-03Compromised or overused service credentials can drive SMS abuse.
CSA MAESTROGOV-2Agentic and automated actions need clear accountability and control ownership.
NIST AI RMFGOVERNCross-functional governance is needed for financially risky automated behaviour.

Set ownership, thresholds, and escalation for abuse-driven automation before incidents occur.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org