Who is ultimately accountable for a resource or control?

The central idea here is accountability for assets and the controls that protect them. The owner is the person or entity with the rights and responsibility to an asset and to decide how it should be used, what protections are required, and what risks are acceptable. Because they hold overall responsibility, the owner must ensure that appropriate measures are in place, that safeguards are maintained, and that if risks change, action is taken. Even when others carry out specific tasks—like designing or implementing controls or performing audits—the ownership role remains the ultimate line of accountability. A trustee might hold the asset for others, but accountability still rests with the owner who has the prerogative and duty to manage risk. The security officer focuses on implementing and operating controls day to day, not on being accountable for the asset itself, and the auditor provides independent assessment rather than accountability for the resource. So the one who ultimately bears responsibility for the resource and its controls is the owner.