A model where the end user is the primary custodian of password recovery and re-authentication decisions. It is convenient for self-service, but it creates a social engineering target that attackers can reach directly, especially when the user controls privileged access or can approve reset prompts.
Expanded Definition
User-mediated credential custody is an identity recovery pattern in which the end user remains the primary decision-maker for password reset, re-authentication, or approval of access restoration. In human identity programs, this can improve self-service and reduce help desk load. In NHI and agentic AI environments, however, it becomes more sensitive because a user may control a workload identity, approve a privileged reset, or unknowingly validate a malicious prompt. The model is not inherently flawed, but its security profile changes when the user is the last gate before credential re-issuance or session recovery.
Definitions vary across vendors when the custody path spans human accounts, service accounts, and delegated agents. NIST SP 800-63 treats identity proofing and authenticator recovery as assurance-bearing steps, while OWASP’s OWASP Non-Human Identity Top 10 frames recovery and secret handling as attack surfaces that can expose NHI controls. In practice, the key question is not whether a user can trigger recovery, but whether that user can be socially engineered into authorizing a reset that grants access to secrets, tokens, or admin-adjacent functions. The most common misapplication is treating user approval as equivalent to strong custody, which occurs when reset workflows rely on convenience over identity assurance.
Examples and Use Cases
Implementing user-mediated custody rigorously often introduces friction in recovery workflows, requiring organisations to weigh self-service speed against the risk of prompt fatigue, impersonation, and accidental approval.
- A developer approves a password reset for a workspace account and unknowingly restores access to a token-backed automation path that should have required stronger verification, echoing the secret exposure patterns discussed in the Guide to the Secret Sprawl Challenge.
- A support portal sends a one-click re-authentication prompt to a user who also owns a privileged cloud role; the user confirms it during a phishing call, bypassing the intent of NIST SP 800-63 Digital Identity Guidelines.
- An agentic workflow asks a human operator to approve credential re-issuance after a failure, but the operator cannot distinguish a legitimate recovery from a malicious takeover attempt.
- An SRE team uses self-service recovery for shared admin tooling, then discovers that approval logs do not show whether the original custodian was coerced or merely inattentive.
NHIMG research on Cisco Active Directory credentials breach illustrates how identity-related compromise can spread when trust in recovery or access paths is too broad.
Why It Matters in NHI Security
User-mediated custody matters because attackers do not need to break the recovery system if they can persuade the user to operate it for them. That is especially dangerous for NHI environments where a human approval can unlock service credentials, API keys, or delegated access that machines use at scale. NHIMG research shows that 23.7% of organisations still share secrets through insecure methods such as email or messaging applications, a pattern that pairs badly with approval-based recovery and increases the chance of covert compromise. The security issue is not only theft of a password, but the downstream reuse of the recovered identity to reach secrets, pipelines, or privileged automation.
Controls should therefore separate human convenience from custody authority, especially for identities that can touch production systems. A recovery flow that is acceptable for low-risk user access may be unacceptable for a workload owner, an operator of a deployment agent, or anyone with authority over secret rotation. Organisations typically encounter the danger only after a reset is abused in a phishing incident or support impersonation event, at which point user-mediated credential custody becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | Recovery and approval paths can expose non-human identities to social engineering. |
| NIST SP 800-63 | IAL/AAL recovery | Digital identity guidance treats account recovery as an assurance-bearing event. |
| NIST CSF 2.0 | PR.AA-1 | Authentication and access authorization must be controlled to prevent reset abuse. |
Harden recovery flows and require stronger checks before any NHI credential is reissued.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 20, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
