Because wallets, exchange accounts, API keys, and recovery channels determine who can move or freeze assets. If those controls are weak, investigators cannot trust provenance and criminals can change control of funds faster than teams can attribute or contain the activity.
Why This Matters for Security Teams
Wallet and exchange access controls determine whether investigators can still rely on transaction provenance after suspicious activity begins. In crypto incidents, the difference between a recoverable event and a permanent loss often comes down to whether API keys, recovery channels, MFA, and withdrawal approvals were scoped tightly enough to resist rapid takeover. That makes access control a forensic issue as much as an operational one, especially when non-human identities hold the power to move funds.
NHIMG research shows why this is not a niche concern: Ultimate Guide to NHIs reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That pattern maps directly to crypto environments, where exchange API credentials, hot wallet signers, and automation tokens can act as high-trust identities. Security teams therefore need access governance that preserves evidentiary integrity, not just account protection.
Current guidance suggests treating every wallet operator, exchange account, and automated trading key as a privileged identity with traceable ownership, scoped permissions, and revocation procedures. In practice, many investigations fail only after withdrawals are already authorized through legitimate-looking channels, rather than through obvious malware or phishing.
How It Works in Practice
Effective crypto investigations depend on being able to answer three questions quickly: who controlled the account, what could that identity do, and when did control change. That is why controls should cover both human access and the non-human identities that actually execute trades, withdrawals, and custody actions. The operational baseline is least privilege, time-bound access, strong approval workflows for movement of assets, and immutable logs that capture administrative changes, key issuance, and withdrawal rule edits.
For exchanges and custodial platforms, investigators usually look for evidence across account governance, device trust, and transaction policy. The most useful control layers are:
- Named ownership for each wallet, API key, and recovery path.
- Separation between read-only monitoring access and transfer-capable access.
- MFA on console access and step-up approval for recovery or whitelisting changes.
- Rotation and revocation workflows for keys, especially after staff turnover or incident alerts.
- Logging that preserves admin actions, IP context, and withdrawal destination changes.
This lines up with the broader control logic in OWASP Non-Human Identity Top 10 and the control discipline in NIST SP 800-53 Rev 5 Security and Privacy Controls, both of which emphasize access enforcement, auditability, and credential lifecycle management. NHIMG’s 52 NHI Breaches Analysis also reinforces a recurring pattern: once a non-human credential is abused, investigators often lose confidence in all actions taken under that identity until revocation and re-baselining are complete. These controls tend to break down when exchanges support shared admin accounts, opaque recovery procedures, or loosely governed API keys because attribution becomes ambiguous and access changes cannot be reconstructed cleanly.
Common Variations and Edge Cases
Tighter access control often increases operational friction, requiring organisations to balance forensic integrity against trading continuity and customer support speed. That tradeoff becomes sharper in high-volume venues, self-custody setups, and cross-border investigations where multiple actors may hold partial control over the same assets.
There is no universal standard for this yet, but current guidance suggests several edge-case distinctions. Cold storage should use more restrictive, slower approval paths than hot wallets. Exchange subaccounts need separate permissions when investigators are trying to isolate suspicious flows without shutting down the entire platform. Shared recovery channels are especially risky because a single email compromise can undermine every downstream control. If automation triggers withdrawals or transfers, those workflows should be treated as NHI governance problems, not merely application settings.
For regulated environments, investigators should also consider whether customer due diligence, sanctions screening, or asset freeze obligations apply. The governance expectations in CIS Controls v8 and the assurance model in ISO/IEC 27001:2022 Information Security Management both support a documented control boundary, but they do not remove the need to preserve chain of custody. In practice, the hardest cases involve decentralised wallets with no single administrator, or exchange accounts that were shared informally before an incident, because ownership and intent become difficult to prove after the fact.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the technical controls, and PCI DSS v4.0 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI credential lifecycle and access governance | Wallets and exchange keys behave like privileged non-human identities. |
| NIST CSF 2.0 | PR.AA, PR.AC, DE.CM | Identity, access, and monitoring controls underpin trustworthy crypto investigations. |
| NIST SP 800-63 | AAL2, AAL3 | Strong authentication is critical where account takeover can move assets. |
| PCI DSS v4.0 | 7, 8, 10 | Access limitation, authentication, and logging mirror controls needed for asset handling. |
| NIST AI RMF | When automated agents control wallets, governance and traceability become risk issues. |
Tighten authentication, restrict privileges, and log access changes for evidentiary use.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org