Custody controls protect how assets are stored, but fraud often happens through valid-looking transfer paths, delegated access, or manipulated approvals. That means a secure vault can still sit beside weak transaction screening, poor KYT, or over-broad workflow permissions. Teams need both storage assurance and movement assurance.
Why This Matters for Security Teams
Custody controls answer a narrow question: whether digital assets are stored safely. Fraud risk is broader. It shows up when a legitimate-looking payment or transfer is initiated through a compromised service account, a misused approval workflow, or a trusted integration that was never meant to authorize movement at scale. NHI Management Group’s Ultimate Guide to NHIs shows why this matters, since NHIs often carry excessive privileges and many organisations lack full visibility into them.
That gap is exactly why custody is not the same as fraud prevention. A vault can be hard to breach while downstream transaction paths remain easy to abuse, especially in environments with delegated permissions, API-driven payout rails, or approval chains that assume internal users are trustworthy. The practical risk is that an attacker does not need to steal assets from storage if they can persuade systems to move them on their behalf. Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that protection must extend beyond asset custody into governance, monitoring, and response. In practice, many security teams only discover this when a valid workflow has already executed an unauthorised transfer.
How It Works in Practice
Fraud controls need to cover the full lifecycle of asset movement, not just where balances are held. The operational goal is to make every transfer provable, policy-checked, and bounded by context. That usually means combining custody assurance with transaction assurance, identity assurance, and workflow assurance. NHI Management Group’s Top 10 NHI Issues is useful here because many fraud paths begin with over-broad machine access, weak key rotation, or unreviewed service-to-service permissions.
- Use strong custody controls for key storage, signing, and recovery, but do not assume they stop misuse after a key is validly used.
- Apply transaction monitoring or KYT to flag unusual counterparties, amount anomalies, velocity spikes, and first-time destinations.
- Constrain approvals with RBAC, separation of duties, and step-up review for high-risk movement, especially when limits or beneficiaries change.
- Issue just-in-time access for sensitive workflows so standing permissions do not exist longer than necessary.
- Bind non-human identities to workload identity and short-lived credentials so every action can be attributed to a specific service or agent.
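The five controls above only work when they are evaluated together on every transfer, not as separate products. The following is an added example (it is not code from NHI Mgmt Group) that shows one way to combine them in a single policy gate: short-lived credential checks for identity assurance, RBAC plus separation of duties for workflow assurance, and KYT-style heuristics (first-time destination, recently changed beneficiary, amount anomaly, velocity spike) for transaction assurance. All thresholds, role names, identities and the history it scores against are constructed for illustration and are not drawn from any standard.

```python
"""Transfer-path policy gate combining identity, workflow and KYT checks.

Added example, not NHI Mgmt Group code. Thresholds, roles and sample
history below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed policy thresholds (assumptions, not from any framework).
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 5                 # transfers per window before flagging a spike
AMOUNT_SPIKE_FACTOR = 3.0        # amount above 3x historical median is anomalous
BENEFICIARY_COOLDOWN = timedelta(hours=24)  # new payee needs step-up for 24h


@dataclass
class Credential:
    subject: str            # human or non-human identity
    roles: frozenset        # e.g. {"initiator"} or {"approver"}
    expires_at: datetime    # short-lived / just-in-time credential expiry


@dataclass
class Transfer:
    initiator: Credential
    approver: Credential
    destination: str
    amount: float
    at: datetime


@dataclass
class History:
    past: list = field(default_factory=list)               # prior Transfer objects
    beneficiary_added: dict = field(default_factory=dict)  # destination -> added at


@dataclass
class Decision:
    action: str                            # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)


def evaluate_transfer(t: Transfer, h: History) -> Decision:
    """Decide whether a validly signed transfer may proceed, needs review, or is denied."""
    deny, step_up = [], []
    # Identity assurance: both credentials must still be within their lifetime.
    for label, cred in (("initiator", t.initiator), ("approver", t.approver)):
        if cred.expires_at <= t.at:
            deny.append(f"{label} credential expired")
    # Workflow assurance: RBAC and separation of duties.
    if "initiator" not in t.initiator.roles:
        deny.append("initiator lacks initiator role")
    if "approver" not in t.approver.roles:
        deny.append("approver lacks approver role")
    if t.initiator.subject == t.approver.subject:
        deny.append("initiator and approver are the same identity")
    if deny:
        return Decision("deny", deny)
    # Transaction assurance (KYT-style heuristics) -> step-up review, not silent allow.
    if t.destination not in {p.destination for p in h.past}:
        step_up.append("first-time destination")
    added = h.beneficiary_added.get(t.destination)
    if added is not None and t.at - added < BENEFICIARY_COOLDOWN:
        step_up.append("beneficiary added within cooldown")
    amounts = [p.amount for p in h.past if p.initiator.subject == t.initiator.subject]
    if amounts and t.amount > AMOUNT_SPIKE_FACTOR * median(amounts):
        step_up.append("amount exceeds spike factor of historical median")
    recent = [p for p in h.past if t.at - p.at <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        step_up.append("velocity spike")
    return Decision("step_up" if step_up else "allow", step_up)


def demo() -> dict:
    """Score constructed scenarios; returns Decision objects keyed by scenario name."""
    now = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
    bot = Credential("payout-bot", frozenset({"initiator"}), now + timedelta(minutes=5))
    ops = Credential("treasury-ops", frozenset({"approver"}), now + timedelta(hours=1))
    hist = History(
        past=[Transfer(bot, ops, "acct-known", 100.0, now - timedelta(days=d)) for d in range(1, 6)],
        beneficiary_added={"acct-new": now - timedelta(hours=2)},
    )
    burst = History(
        past=[Transfer(bot, ops, "acct-known", 100.0, now - timedelta(minutes=m)) for m in range(1, 6)]
    )
    expired_bot = Credential("payout-bot", frozenset({"initiator"}), now - timedelta(minutes=1))
    return {
        "routine": evaluate_transfer(Transfer(bot, ops, "acct-known", 120.0, now), hist),
        "new_payee_big": evaluate_transfer(Transfer(bot, ops, "acct-new", 5000.0, now), hist),
        "self_approved": evaluate_transfer(Transfer(bot, bot, "acct-known", 50.0, now), hist),
        "stale": evaluate_transfer(Transfer(expired_bot, ops, "acct-known", 50.0, now), hist),
        "burst": evaluate_transfer(Transfer(bot, ops, "acct-known", 100.0, now), burst),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.action} {decision.reasons}")
```

The design point is that a key being validly used never ends the evaluation: the gate denies on identity and workflow failures first, and turns KYT signals into step-up review rather than an automatic allow, so a compromised payout bot with a valid credential still cannot move value to a fresh beneficiary without a second identity looking at it.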
The NIST Cybersecurity Framework 2.0 is relevant because it treats risk as an end-to-end control problem, not a vault-only problem. Fraud detection also depends on whether logs, alerts, and approval trails are complete enough to reconstruct intent after the fact. That is where many environments fail: custody may be strong, but workflow permissions, delegated signing, or treasury automation still allow a legitimate identity to move value in an illegitimate way. In practice, these controls tend to break down in high-velocity payment stacks with fragmented ownership, because approval logic, IAM, and fraud analytics are rarely tuned together.
Common Variations and Edge Cases
Tighter custody often increases operational overhead, requiring organisations to balance loss prevention against payment speed and customer friction. That tradeoff is real, especially in digital finance where instant settlement, automated market making, or programmatic treasury actions are business requirements.
There is no universal standard for this yet, but current guidance suggests that the highest-risk environments need layered controls rather than a single custody gate. For example, a regulated exchange may need stronger multi-party approvals than a retail wallet provider, while an internal treasury platform may need more emphasis on service account governance and anomaly detection. The 2024 ESG Report: Managing Non-Human Identities is relevant because compromised NHIs frequently correlate with repeated incidents, which is a warning sign for transaction abuse as well as credential abuse.
Edge cases also matter. A perfectly safe vault does not stop fraud if a trusted reconciliation job, payout bot, or API client can create valid transfers. Nor does custody alone address collusion, where insiders use approved tools to move assets through normal channels. The right question is not only “can the assets be stolen?” but also “can the system be made to approve a bad transfer as if it were routine?” That distinction is where most fraud programs either mature or fail.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Fraud exposure grows when identity and access are broader than required. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Over-privileged non-human identities can authorize fraudulent movement. |
| NIST AI RMF | GOVERN | Digital finance fraud requires accountable oversight across automated decisions. |
Restrict workflow and service permissions to least privilege and review them with transaction risk in mind.
Related resources from NHI Mgmt Group
- How should crypto firms design onboarding when regulation and fraud risk both increase?
- Why do service accounts and automation scripts create material risk for finance teams?
- When does digital identity verification create more risk than it reduces?
- Who should own fraud-related identity risk decisions?
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org