Scaling technologies increase the number of systems, dependencies, and exception paths that must be governed. Layer-2s and bridges can improve throughput, but they also make visibility, reconciliation, and incident containment harder unless teams extend control coverage beyond the base chain. The risk shifts from transaction delay to control fragmentation.
Why This Matters for Security Teams
Scaling technologies do not just increase transaction capacity; they expand the governance surface. Layer-2 systems, bridges, sequencers, relayers, and cross-domain messaging all introduce new dependencies that can fail independently of the base chain. That creates a control problem, not just a performance problem. Security teams need to know which components are trusted, which are monitored, and which can pause or reroute value when something goes wrong. The governance gap is often larger than the technical gap.
This is why NHI Management Group treats scaling infrastructure as part of the security boundary, not as an optional integration layer. The same pattern appears in broader identity operations, where Key Challenges and Risks grow when systems multiply faster than controls. In practice, many teams discover the weakest link only after a bridge, relay path, or privileged operator workflow has already been exploited, rather than through intentional control design.
How It Works in Practice
Scaling architectures change where trust sits. On a base chain, governance may focus on validators, smart contracts, and key management. Once a Layer-2 or bridge is introduced, teams also have to govern message validation, upgrade authority, delay windows, dispute resolution, and operational keys. Each of those elements can become a security decision point. That is why the NIST Cybersecurity Framework 2.0 is useful here: it forces teams to map identify, protect, detect, respond, and recover controls across the full dependency chain, not just the primary ledger.
For practical governance, teams should separate the architecture into control domains:
- Protocol trust assumptions, such as fraud proofs, finality, or message verification.
- Operational privilege, including admin keys, upgrade paths, and emergency pause functions.
- Monitoring and reconciliation, so activity on the scaling layer is compared with canonical state.
- Incident containment, including revocation, throttling, and cross-domain halt procedures.
That operational split matters because scaling components often behave like high-value non-human identities: they authenticate services, move assets, and make policy decisions without human intervention. The 2024 ESG Report: Managing Non-Human Identities shows how quickly risk rises when these identities are not governed consistently. Current guidance suggests the same lesson applies to crypto scaling, where control ownership and monitoring often lag behind deployment velocity. Teams should also align with Lifecycle Processes for Managing NHIs when scaling components use service accounts, keys, or automation to move funds or validate state.
These controls tend to break down when bridge operators, sequencers, and application teams are split across different vendors or governance models because no single team owns the full failure path.
Common Variations and Edge Cases
Tighter governance often increases latency, operational overhead, and coordination cost, requiring organisations to balance resilience against execution speed. That tradeoff is especially visible in crypto, where some scaling designs optimise for throughput while others prioritise stronger verification and rollback options. There is no universal standard for this yet, so best practice is evolving.
Some edge cases are easy to miss. A rollup may inherit base-chain settlement guarantees but still depend on a small set of administrators for upgrades. A bridge may be technically sound but operationally fragile because one compromise can affect multiple ecosystems at once. In highly automated environments, the control issue can resemble NHI sprawl: too many privileged machine actors, too little inventory, and weak lifecycle governance. That is why the same research lens used for NHI control mapping should also be applied to scaling infrastructure.
The most common mistake is assuming decentralisation eliminates governance. It does not. It redistributes it across contracts, operators, monitoring pipelines, and exception handling. Security teams should treat every exception path as a potential control boundary and verify whether alerts, freezes, and reconciliations still work when a scaling layer is degraded. In practice, the biggest failures occur when teams assume the bridge is just plumbing, not a separate trust domain.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATLAS address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-03 | Scaling layers expand the security boundary and ownership map. |
| OWASP Non-Human Identity Top 10 | Scaling stacks often rely on privileged machine identities and automation. | |
| NIST Zero Trust (SP 800-207) | SC-7 | Cross-domain message paths need explicit trust and segmentation decisions. |
| NIST AI RMF | GOVERN | Autonomous orchestration around scaling systems needs accountable oversight. |
| MITRE ATLAS | Adversarial manipulation can target automated validation and routing logic. |
Inventory and harden service identities that move value or validate cross-domain state.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org