Back to Risk Catalogue
AIR-SEC-008
AI Governance Framework Icon

Unauthorised Change

Edit on GitHub

Summary

Unauthorised changes to source code, configuration, or build artefacts represent a significant risk to the integrity of software systems. Such changes may be introduced deliberately by malicious actors or inadvertently through inadequate controls, and can result in the deployment of compromised or untested software into production environments.

Description

Unauthorised change encompasses any modification to software, configuration, or related artefacts that has not been subject to the appropriate review, approval, and tracking processes. This includes changes made directly to production systems, alterations to source code outside of controlled workflows, tampering with build pipelines or deployment artefacts, and modifications to configuration files that bypass formal change management processes.

Unlike insider threat, which focuses on the actor, unauthorised change focuses on the act itself — the introduction of a change that lacks a verifiable, auditable chain of custody. The risk may materialise through a variety of vectors:

  • Direct repository tampering — modifying source code or history in a version control system without going through a controlled workflow
  • Build pipeline injection — altering build scripts, dependencies, or artefacts between the point of development and deployment
  • Configuration modification — changing application or infrastructure configuration outside of version-controlled processes
  • Credential compromise — an external attacker using stolen credentials to introduce changes while masquerading as a legitimate committer

The consequences of unauthorised change can be severe: malicious code may reach production undetected, compliance audit trails may be broken, and the organisation may be unable to demonstrate the integrity of its software at any given point in time.

Consequences

  • Integrity compromise — Untrusted or malicious code may be deployed into production systems, potentially affecting customers, counterparties, or financial markets.
  • Regulatory breach — Inability to demonstrate controlled change management processes may constitute a breach of FFIEC, SOX, or PCI DSS requirements.
  • Audit trail failure — Without a verifiable record of who changed what and when, forensic investigation following an incident becomes significantly harder.
  • Operational disruption — Unreviewed changes introduce a higher probability of defects, misconfigurations, or incompatibilities reaching production.

Related Risks

RI-1: Insider Threat

Key Mitigations

AIR-PREV-008 : Version Control

FFIEC References

DAM: III Risk Management of Development, Acquisition, and Maintenance
SEC: II Information Security Program Management
SEC: III Security Operations

NIST SP 800-53r5 References

CM-3 Configuration Change Control
CM-5 Access Restrictions For Change
CM-14 Signed Components
SI-7 Software, Firmware, And Information Integrity
AU-6 Audit Record Review, Analysis, And Reporting
SA-10 Developer Configuration Management