Why RACI Matters in Regulated Environments
Regulatory frameworks — including DORA, NIS2, and ISO 27001 — share a common expectation: organisations must demonstrate clear accountability for security decisions. When a regulator or auditor asks “who approved this exception?” or “who is responsible for ensuring pipeline security controls are enforced?”, the answer cannot be vague or distributed across unnamed teams.
A RACI matrix (Responsible, Accountable, Consulted, Informed) is the established governance instrument for mapping activities to roles. In a DevSecOps context, it serves a dual purpose: it structures internal decision-making and provides auditors with a single document that evidences accountability design.
Without a documented RACI, organisations face several regulatory risks:
- Inability to demonstrate who approved security exceptions or risk acceptances
- Unclear escalation paths when security gates fail or are bypassed
- Audit findings related to segregation of duties violations
- Regulatory sanctions under DORA Article 5 (management body accountability) or NIS2 Article 20 (governance and accountability)
RACI Explained for Non-Technical Stakeholders
Before applying the matrix, it is essential that all stakeholders — particularly compliance officers and risk owners — understand the four designations:
| Letter | Role | Meaning | Key Question |
|---|---|---|---|
| R | Responsible | The person or team who performs the work | Who does the task? |
| A | Accountable | The single person who is ultimately answerable — they approve or sign off | Who answers to the regulator? |
| C | Consulted | Those whose input is sought before a decision or action is taken | Whose expertise is needed? |
| I | Informed | Those who are notified after a decision or action is taken | Who needs to know? |
Critical governance rule: There must be exactly one “A” per activity. If accountability is shared, it is diluted — and diluted accountability is, in regulatory terms, no accountability at all.
Comprehensive RACI Matrix for DevSecOps Activities
The following matrix maps fourteen core DevSecOps activities to eight organisational roles. This should be adapted to your organisation’s structure, but it provides a robust starting point for regulated environments.
| Activity | CISO | Security Architect | DevSecOps Lead | Platform / CI-CD Team | Dev Team Lead | Developer | Compliance Officer | Risk Owner |
|---|---|---|---|---|---|---|---|---|
| Security policy definition | A | C | C | I | I | I | C | C |
| Pipeline security configuration | I | C | A | R | C | I | I | I |
| SAST/DAST/SCA tool management | I | C | A | R | I | I | I | I |
| Vulnerability triage | I | C | A | I | R | C | I | I |
| Remediation execution | I | C | I | I | A | R | I | I |
| Exception/suppression approval | I | C | C | I | I | I | C | A |
| Security gate configuration | I | R | A | R | C | I | C | I |
| Access control management | A | C | R | R | C | I | C | I |
| Secrets management | I | A | R | R | C | C | I | I |
| Incident response | A | C | R | R | C | C | I | I |
| Audit preparation | I | C | R | C | C | I | A | I |
| Metrics reporting | I | I | R | C | C | I | A | I |
| Third-party risk assessment | I | C | C | I | I | I | C | A |
| Security training | A | C | R | I | C | R | I | I |
Governance Notes: Accountability and Escalation
Final Accountability for Pipeline Security
In the matrix above, the DevSecOps Lead is accountable for the technical configuration and enforcement of pipeline security. However, the CISO retains ultimate accountability for security policy and its effectiveness. This two-tier accountability must be clearly documented.
Under DORA, the management body (typically the board or senior management committee) bears responsibility for the overall ICT risk framework. The CISO acts as their delegate for security operations. This delegation must be formally documented and periodically reviewed.
Escalation Path
When conflicts arise — for example, a development team contests a security gate blocking a release — the escalation path should follow a documented procedure:
- First level: DevSecOps Lead and Development Team Lead attempt resolution
- Second level: Security Architect provides technical ruling
- Third level: Risk Owner and Compliance Officer assess the risk acceptance
- Final level: CISO makes the binding decision, documented in the risk register
Every escalation must be recorded. Auditors will look for evidence that the escalation path was followed — not merely that it exists on paper.
Adapting the RACI for Organisation Size
Enterprise (Full Role Separation)
Large regulated organisations — banks, insurers, critical infrastructure operators — should maintain full role separation as shown in the matrix above. Each role is held by a distinct individual or team. This provides the strongest segregation of duties and the clearest audit trail.
Key requirements at this scale:
- Dedicated DevSecOps team separate from development and operations
- Security Architect role distinct from DevSecOps Lead
- Formal Compliance Officer involvement in exception approvals
- Risk Owner designated per business line or application portfolio
Mid-Size (Combined Roles)
Organisations with 200–1,000 employees may need to combine certain roles. Acceptable combinations include:
- Security Architect + DevSecOps Lead (one person, documented dual role)
- Compliance Officer + Risk Owner (if no direct conflict of interest)
- Platform Team + DevSecOps team (with documented security responsibilities)
Unacceptable combinations:
- Developer + Exception Approver (self-approval violates segregation of duties)
- DevSecOps Lead + sole Vulnerability Triage and sole Exception Approver (no independent review)
Small (Minimal Viable Separation)
Smaller regulated firms must still demonstrate accountability. At minimum:
- One designated person accountable for security policy (even if part-time)
- Exception approvals require sign-off from someone other than the requester
- Audit preparation responsibilities assigned to a named individual
- Board or management committee receives periodic security reports
Document explicitly where roles are combined and what compensating controls exist (e.g., peer review, external audit, automated controls).
What Auditors Should Verify
When assessing an organisation’s DevSecOps RACI, auditors should seek evidence across three dimensions:
1. Documentation
- Is there a formally approved RACI matrix covering DevSecOps activities?
- Is it version-controlled and reviewed at least annually?
- Does it cover all critical security activities, not just a subset?
- Are role definitions clear and mapped to named individuals or teams?
2. Evidence of Accountability in Practice
- Sample exception approvals: who actually approved them? Does it match the RACI?
- Security gate bypass records: was the accountable party involved?
- Incident response records: did the designated roles participate as defined?
- Access permissions: do system access rights align with RACI assignments?
3. Alignment Between RACI and System Permissions
- Only those designated as Responsible or Accountable for access control management should have administrative privileges on CI/CD platforms
- Exception approval workflows should enforce the sign-off chain defined in the RACI
- Audit log access should be restricted to those with Responsible or Accountable roles for audit preparation
Red Flags for Auditors and Compliance Officers
| Red Flag | Why It Matters | Regulatory Implication |
|---|---|---|
| No documented RACI for DevSecOps | Accountability cannot be demonstrated | DORA Art. 5, ISO 27001 A.5.2 |
| Developers self-approving security exceptions | Segregation of duties violation | PCI DSS Req. 6, SOC 2 CC6.1 |
| Security team not consulted on pipeline changes | Security controls may be weakened without oversight | NIS2 Art. 21, ISO 27001 A.8.32 |
| CISO not informed of risk acceptances | Management body oversight gap | DORA Art. 5(4), NIS2 Art. 20 |
| Multiple people listed as Accountable for same activity | Diluted accountability — no single point of ownership | General governance weakness |
| RACI not updated after organisational changes | Matrix does not reflect reality | ISO 27001 A.5.4 |
| No evidence of escalation path being used | Suggests conflicts are resolved informally without governance | Audit trail deficiency |
Next Steps
A well-governed DevSecOps RACI matrix is a foundational control document. It underpins every other governance activity — from DevSecOps program design to audit and governance readiness.
Organisations should:
- Draft or review their DevSecOps RACI against the template above
- Validate that system access permissions align with the matrix
- Test the escalation path with a tabletop exercise
- Schedule annual review, aligned with organisational change management
- Retain versioned copies as audit evidence
Related for Auditors
- Glossary — Plain-language definitions of technical terms
- Executive Audit Briefing
- How Auditors Review CI/CD
- Core CI/CD Security Controls
New to CI/CD auditing? Start with our Auditor’s Guide.
