Inherited Controls vs Customer Controls

Inherited controls are controls the customer can rely on from the provider because they are performed within the provider-owned layer. Customer controls are controls the customer must design, operate, and evidence for its own workload. Between those two sits a large middle area of shared or partially inherited controls, where provider evidence helps but customer configuration and operation still determine whether the control is effective.

This distinction is central to audit readiness because it tells teams which evidence can be sourced from provider reports and which evidence must come from customer systems, runbooks, and change records. Without this distinction, audit work becomes noisy and teams either over-collect low-value evidence or miss customer-owned controls entirely.

The control split usually looks like this:

    flowchart LR
	    A["Inherited controls"] --> D["Audit-ready control set"]
	    B["Shared or partially inherited controls"] --> D
	    C["Customer-owned controls"] --> D

What to notice:

• inherited does not mean universal; it means the provider performs that control within scope
• partially inherited controls still need customer design choices and evidence
• the final audit picture is assembled from multiple ownership types, not from one source

Common Examples by Type

Inherited controls often include:

• physical data-center security
• underlying infrastructure maintenance
• provider-side environmental protections

Partially inherited controls often include:

• encryption capabilities where the provider operates the mechanism but the customer chooses how to use it
• logging features where the provider offers the function but the customer must enable and monitor it
• backup capabilities where the provider offers tooling but the customer defines scope and validation

Customer-owned controls often include:

• identity governance and privileged access
• workload configuration
• data classification and retention logic
• application-level security and monitoring

A Practical Control Mapping Example

 1control_mapping:
 2  - control_id: AC-01
 3    control_name: privileged_access_management
 4    type: customer
 5    evidence_source: customer_iam_reviews
 6  - control_id: DC-02
 7    control_name: physical_data_center_security
 8    type: inherited
 9    evidence_source: provider_attestation
10  - control_id: LG-03
11    control_name: audit_log_collection
12    type: shared
13    evidence_source:
14      - provider_logging_capability
15      - customer_log_enablement_and_retention

What this demonstrates:

• type should be explicit for each control, not implied
• evidence collection changes based on whether the control is inherited, shared, or customer-owned
• shared controls need both provider context and customer evidence

Why This Gets Confused

Confusion usually appears when teams classify controls by technology instead of by operational ownership. A cloud logging service feels “provider-ish,” so teams may classify logging as inherited even when alerting, routing, and retention are customer decisions. The better question is not “whose product is this?” but “who must configure, operate, and prove this control works for the workload?”

Common Mistakes

• labeling too many controls as inherited because the provider offers the feature
• failing to distinguish partially inherited controls from fully inherited controls
• collecting provider evidence for customer-owned controls and assuming that is enough
• building audit spreadsheets without a clear owner and evidence source for each control

Design Review Question

An audit workbook marks identity governance, workload logging, encryption configuration, and infrastructure physical security as all inherited because the workload runs on a major cloud provider. Is that a strong control classification?

No. The stronger answer is that only some infrastructure controls are truly inherited. Identity governance and workload logging remain customer-owned, while encryption configuration is often shared or partially inherited depending on how the service is used.

Check Your Understanding