Use compensating controls such as supervisor sign-off, periodic independent review, and tighter monitoring of high-risk transactions. The goal is not to pretend overlap is safe. The goal is to reduce the chance that one person can create and conceal a payment error without detection.
Why This Matters for Security Teams
When staff constraints make perfect segregation of duties impossible, the risk is not just procedural drift. It is a direct increase in the chance that a single person can initiate, approve, and obscure a high-risk transaction before detection. That matters most in payment flows, privileged admin actions, and exception handling, where overlap can turn a minor error into a material loss. Current guidance suggests treating SoD as a risk control, not a binary checkbox, which is consistent with the intent of the NIST Cybersecurity Framework 2.0.
In NHI Management Group research, the same control failure pattern shows up in identity abuse: the LLMjacking report notes that exposed AWS credentials can be targeted within 17 minutes on average, which is a reminder that any control gap can become an exploitation window very quickly. The practical mistake is assuming “temporary” staffing overlap is harmless when the real issue is whether the overlap is observable, reviewable, and reversible. In practice, many security teams encounter loss and concealment only after a transaction has already cleared and the evidence trail has been weakened.
How It Works in Practice
When perfect SoD is not feasible, teams should redesign the control environment around compensating controls that reduce both the opportunity to commit an error and the ability to hide it. That usually means combining approval gates, independent review, alerting, and post-event reconciliation instead of relying on a single user to be separated from every step. The practical objective is not perfect prevention. It is timely detection and constrained blast radius.
A workable pattern is to assign one person to perform the task and a different person, manager, or control owner to validate the outcome within a defined timeframe. For higher-risk actions, review should happen before release, not only after the fact. For recurring processes, exception reports and sampled audits should be tied to named reviewers with escalation paths. The NIST Cybersecurity Framework 2.0 supports this kind of layered risk reduction through governance, access control, and continuous monitoring outcomes.
- Use supervisor sign-off for transactions above a defined threshold.
- Require periodic independent review of the same user’s activity and reconciliations.
- Increase monitoring on high-risk transactions, exception paths, and manual overrides.
- Separate creation, approval, and payment release as much as staffing allows.
- Preserve logs so reviewers can reconstruct who did what, when, and why.
Where overlap is unavoidable, teams should document the constraint, approve the compensating control set, and review it on a fixed cadence. That approach is more defensible than informal workarounds, and it aligns with the reality that controls can fail fast when a process is high-volume, poorly logged, or heavily dependent on one person’s operational memory.
Common Variations and Edge Cases
Tighter compensating controls often increase operational overhead, so organisations must balance speed against assurance. That tradeoff is especially visible in small teams, after-hours operations, and specialist environments where there may be only one qualified operator. Best practice is evolving here, and there is no universal standard for every scenario, but the risk-based principle remains the same: if SoD cannot be perfect, the remaining control stack must be stronger, not weaker.
Some environments need stronger measures than others. For example, payment processing, treasury actions, and master-data changes usually justify stricter approval thresholds and more frequent review than low-value routine work. Temporary access for leave coverage should be time-bounded and re-authorised, not left to linger. If the business cannot staff true separation, the control owner should explicitly define which overlap is acceptable, how it will be detected, and what event triggers escalation. The DeepSeek breach illustrates how quickly governance gaps can expose sensitive systems when control boundaries are unclear.
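As an added example, not part of the original guidance, the following Python model enforces the compensating control set from the list above together with the time-bounded leave coverage described here: the approver must differ from the creator, payments at or above a threshold need a supervisor's sign-off, a releaser who overlaps with the creator or approver is tolerated only under an unexpired coverage grant and is always flagged, and an append-only trail feeds the reviewer's exception report. The names, threshold and timestamps are constructed; timestamps are ISO-8601 UTC strings so they compare correctly as text.

```python
from dataclasses import dataclass

SIGNOFF_THRESHOLD = 10_000  # constructed example threshold; set per policy

@dataclass
class Payment:
    pid: str
    amount: float
    creator: str
    approver: str = ""  # empty until approved
    releaser: str = ""  # empty until released

class PaymentControls:
    def __init__(self, supervisors, coverage=None):
        self.supervisors = set(supervisors)
        self.coverage = coverage or {}  # leave-coverage grants: {(user, role): expiry}
        self.audit = []  # append-only trail: (step, pid, user, iso_time, note)

    def _log(self, step, p, user, now, note=""):
        self.audit.append((step, p.pid, user, now, note))

    def approve(self, p, user, now):
        # The creator may never approve their own payment, whatever the staffing.
        if user == p.creator:
            self._log("reject", p, user, now, "approver is creator")
            return False
        # Above the threshold only a supervisor's sign-off counts.
        if p.amount >= SIGNOFF_THRESHOLD and user not in self.supervisors:
            self._log("reject", p, user, now, "supervisor sign-off required")
            return False
        p.approver = user
        self._log("approve", p, user, now)
        return True

    def release(self, p, user, now):
        # Release by the creator or approver is tolerated only under an unexpired
        # coverage grant (lingering access does not count) and is always flagged.
        overlap = user in (p.creator, p.approver)
        expiry = self.coverage.get((user, "release"))
        covered = expiry is not None and now < expiry
        if not p.approver or (overlap and not covered):
            self._log("reject", p, user, now, "unapproved or uncovered overlap")
            return False
        p.releaser = user
        self._log("release", p, user, now, "EXCEPTION: overlap" if overlap else "")
        return True

    def exception_report(self):
        # What the named reviewer sees: rejections plus every tolerated overlap.
        return [e for e in self.audit if e[0] == "reject" or e[4].startswith("EXCEPTION")]
```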
The main exception is a heavily automated control environment with strong immutable logging and independent downstream reconciliation. Even there, the guidance is not “SoD no longer matters.” It is that evidence quality and review discipline become the substitute safeguards when staffing reality prevents clean role separation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access control must limit what one person can do across a risky process. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Compensating controls reduce abuse when one identity can perform conflicting actions. |
| NIST AI RMF | | Governance requires documenting residual risk when ideal separation is not possible. |
Enforce short-lived privileged access, approvals, and auditability for any NHI with elevated task overlap.