Embodiments are directed to optimizing the secure provisioning of credentials to mobile devices through use of risk decision non-overrides. In some embodiments, a service provider receives a request from a wallet provider to provision a credential associated with an account to a mobile device. The request includes a first risk level associated with the provisioning. The service provider receives a second risk level associated with the provisioning request from an issuer of the account. Based upon determining that a non-override condition exists, the service provider uses the first risk level from the wallet provider and accordingly causes a user authentication to occur. A non-override condition may be determined based upon scenario indicators received within the provisioning request. In some embodiments, the non-override condition may be ignored when the first risk level indicates medium risk and the second risk level indicates high risk.