They fail because a policy does not prove that the control was executed consistently. In regulated environments, supervisors look for evidence of implementation, not just intent. If identity checks, monitoring, and risk responses are disconnected, the organisation may appear compliant while its actual operating model remains fragile.
Why This Matters for Security Teams
Paper-based compliance fails in regulated virtual asset environments because supervisors and auditors care about whether controls are operating, not whether they are described. A policy can state that wallet approvals, customer due diligence, monitoring, and escalation are required, yet still leave gaps if those steps are not consistently enforced or evidenced. That gap becomes acute where transaction speed, cross-border activity, and third-party dependencies make manual oversight unreliable. The NIST Cybersecurity Framework 2.0 emphasizes outcomes and continuous governance, which is closer to what regulators expect in practice.
For virtual asset businesses, the problem is not only control design but control provability. If compliance evidence is assembled after the fact, it can look tidy while still missing the actual control execution trail. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives frames this clearly: identity, access, and lifecycle evidence must be operationally defensible, not merely documented. In practice, many security teams discover weak control execution only after an audit, incident, or supervisory inquiry has already exposed the gap.
How It Works in Practice
Effective compliance in a regulated virtual asset environment starts with mapping each obligation to an executable control, an owner, and a source of evidence. That means moving from narrative policies to systems that can prove who approved what, when it happened, what data informed the decision, and whether exceptions were handled correctly. Controls around customer onboarding, sanctions screening, wallet risk scoring, and privileged access should generate logs that are immutable enough for audit and useful enough for operations.
The best programmes treat evidence as a by-product of normal operations. For example, approval workflows should capture timestamps and approver identity; monitoring should retain alert disposition and escalation records; access reviews should show removal of stale entitlements; and incident response should preserve decision history. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because virtual asset environments often rely on non-human identities for APIs, automation, and exchange integrations, and those identities need lifecycle controls that can be evidenced end to end.
- Translate every policy statement into a control test with a measurable artifact.
- Bind identity verification, transaction monitoring, and escalation into one workflow rather than separate documents.
- Use immutable logs and retention settings that match supervisory expectations, not internal convenience.
- Review exceptions as operational events, not paperwork corrections.
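The mapping described above (obligation to executable control, owner and evidence source) and the list just given can be made concrete. The following is an added example written for this page, not code from NHIMG or from any product it describes: a hash-chained, append-only evidence ledger that captures approver identity, timestamp and the data behind each decision as a by-product of the workflow, plus a control test that checks chain integrity, evidence freshness per control, and whether exceptions were closed as events by someone other than the requester. The control identifiers, owners, retention windows and all events are constructed and hypothetical.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
# Fixed clock so the example is reproducible (constructed, not a real audit date).
NOW = datetime(2026, 6, 10, 12, 0, tzinfo=timezone.utc)

# Constructed obligation-to-control map. Hypothetical identifiers and owners;
# a real programme would cite the regulation each row serves.
CONTROLS = {
    "CDD-01":  {"owner": "kyc-ops",      "artifact": "cdd_decision",      "max_age_days": 30},
    "SANC-02": {"owner": "compliance",   "artifact": "sanctions_screen",  "max_age_days": 1},
    "TXM-03":  {"owner": "fincrime",     "artifact": "alert_disposition", "max_age_days": 7},
    "PAM-04":  {"owner": "security-eng", "artifact": "access_review",     "max_age_days": 90},
}


def _digest(record):
    """SHA-256 over a canonical JSON form of the record (excluding its own hash)."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class EvidenceLedger:
    """Append-only, hash-chained record of control executions and exceptions.
    Each entry commits to the previous entry's hash, so editing or removing an
    earlier entry after the fact is detectable by verify_chain()."""

    def __init__(self):
        self.entries = []

    def record(self, control, artifact, actor, at, **details):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = {
            "seq": len(self.entries),
            "control": control,
            "artifact": artifact,
            "actor": actor,            # who approved / reviewed
            "at": at.isoformat(),      # when the control executed
            "details": details,        # what data informed the decision
            "prev": prev,
        }
        rec["hash"] = _digest(rec)
        self.entries.append(rec)
        return rec["hash"]

    def verify_chain(self):
        """(True, entry_count) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev"] != prev or _digest(rec) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, len(self.entries)


def run_control_test(ledger, now):
    """Control test over the ledger. Returns a list of findings; empty means pass."""
    findings = []
    intact, where = ledger.verify_chain()
    if not intact:
        findings.append(f"ledger integrity failure at entry {where}")
    # Every obligation needs a fresh artifact of the type its control produces.
    for cid, spec in CONTROLS.items():
        hits = [e for e in ledger.entries if e["control"] == cid and e["artifact"] == spec["artifact"]]
        if not hits:
            findings.append(f"{cid}: no evidence of execution")
            continue
        latest = max(hits, key=lambda e: e["at"])
        age = now - datetime.fromisoformat(latest["at"])
        if age > timedelta(days=spec["max_age_days"]):
            findings.append(f"{cid}: evidence stale by {age.days} days")
    # Exceptions are operational events: each must be closed, and not by its requester.
    opened = {e["details"]["exception_id"]: e for e in ledger.entries if e["artifact"] == "exception_opened"}
    closed = {e["details"]["exception_id"]: e for e in ledger.entries if e["artifact"] == "exception_closed"}
    for xid, op in opened.items():
        cl = closed.get(xid)
        if cl is None:
            findings.append(f"exception {xid} still open")
        elif cl["actor"] == op["actor"]:
            findings.append(f"exception {xid} closed by its own requester")
    return findings


def build_sample_ledger(now):
    """Constructed sample events; customers, alerts and actors are fictitious."""
    led = EvidenceLedger()
    led.record("CDD-01", "cdd_decision", "alice@kyc-ops", now - timedelta(days=3),
               customer="C-1001", outcome="approved", risk="medium")
    led.record("SANC-02", "sanctions_screen", "svc-screening", now - timedelta(hours=6),
               customer="C-1001", lists=["OFAC", "EU"], match=False)
    led.record("TXM-03", "alert_disposition", "bob@fincrime", now - timedelta(days=12),
               alert="A-77", disposition="false_positive")
    led.record("PAM-04", "exception_opened", "carol@security-eng", now - timedelta(days=2),
               exception_id="X-9", reason="break-glass wallet signer")
    led.record("PAM-04", "exception_closed", "carol@security-eng", now - timedelta(days=1),
               exception_id="X-9")
    return led


def tamper_demo(now):
    """Retroactively 'tidy' an alert disposition and show the chain breaks there."""
    led = build_sample_ledger(now)
    led.entries[2]["details"]["disposition"] = "escalated"
    return led.verify_chain()


if __name__ == "__main__":
    for f in run_control_test(build_sample_ledger(NOW), NOW):
        print("FINDING:", f)
    print("after tampering:", tamper_demo(NOW))
```

Run stand-alone, the control test reports a stale alert disposition, a privileged-access review with no evidence at all, and an exception closed by the person who requested it, while the untouched ledger verifies and the tampered one fails at the edited entry. The point is that none of these findings come from reading a policy; they come from evidence the workflow produced anyway.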
This is where the NIST Cybersecurity Framework 2.0 and the Top 10 NHI Issues both converge on the same point: governance fails when evidence, identity, and execution live in different systems. These controls tend to break down when compliance teams rely on spreadsheet attestations while engineering and operations continue to change workflows without synchronized evidence capture.
Common Variations and Edge Cases
Tighter evidence collection often increases operational overhead, requiring organisations to balance auditability against speed, privacy, and workflow friction. That tradeoff is especially visible in virtual asset firms that operate across multiple jurisdictions, where one regulator may expect detailed traceability while another emphasises retention limits or data minimisation.
Current guidance suggests that controls should be risk-based, but there is no universal standard for how much evidence is enough across asset classes, products, and jurisdictions. A custodial exchange, a broker-dealer, and a DeFi-adjacent platform may each need a different control depth even when they face similar headline risks. The recurring failure mode is over-reliance on policy documents, board decks, and annual attestations when the real exposure sits in runtime operations, delegated administration, and third-party integrations. NHIMG's write-up of the DeepSeek breach is a reminder that exposed credentials and weak operational controls can undermine even well-written governance.
For that reason, regulator-ready programmes usually combine documented policy with live telemetry, exception tracking, and periodic control testing. If the organisation cannot show that a control executed consistently, the paper trail becomes a liability instead of a defence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Governance outcomes must be measurable, not just documented. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI lifecycle and secret handling underpin audit-proof operations. |
| NIST AI RMF | GOVERN | AI RMF governance maps well to operational accountability and traceability. |
Assign ownership, monitoring, and review for every compliance control and exception.
Related resources from NHI Mgmt Group
- What breaks when compliance stays entity-based instead of activity-based?
- How should payment providers implement activity-based compliance in Indonesia?
- Why do identity verification programmes fail when they stop at onboarding?
- Why do fraud and compliance programmes need shared identity governance evidence?
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org