Annual spreadsheet reviews fail because they see access too late and too abstractly. By the time a conflict is documented, the user may already have created, approved, or concealed a transaction. That makes SoD a reporting exercise rather than a preventive control, which is a governance failure.
Why This Matters for Security Teams
Segregation of duties fails when it is treated as evidence collection instead of a live control. Annual spreadsheet reviews are inherently backward-looking, so they cannot stop a user from creating, approving, and reconciling the same activity before the conflict is noticed. That is a structural weakness, not a process gap. NHI Mgmt Group’s Ultimate Guide to NHIs shows how identity sprawl and weak visibility turn access governance into a recurring blind spot, while the NIST Cybersecurity Framework 2.0 reinforces that governance must be continuous, not annual.
The practical issue is that SoD conflicts are often embedded in workflow tools, service accounts, and delegated approvals, not just in a human employee roster. A spreadsheet can describe who had access at one moment, but it cannot prove whether that access was exercised appropriately, temporarily elevated, or chained with other permissions. In environments with fast-moving finance, procurement, or privileged operations, a delayed review can also normalize exceptions that should have been removed immediately. In practice, many security teams encounter SoD violations only after a transaction has already been posted, approved, or concealed.
How It Works in Practice
Effective segregation of duties needs runtime enforcement, not retrospective reporting. The control should be designed into approval flows, entitlement management, and privileged access workflows so that incompatible actions are blocked before execution. For human users, that usually means role design, transaction rules, and just-in-time elevation. For NHIs, the same logic applies through workload identity, scoped tokens, and policy evaluation at request time. A static review can still have value, but only as one input into a broader control system.
Practitioners increasingly pair access governance with policy-as-code and continuous monitoring. That allows the system to check the current context, not last quarter’s export. The most useful pattern is to bind identity, task, and time together so that a user or agent receives only the permissions needed for a specific action, then loses them automatically. This is especially important where a single identity can request, approve, and execute through different tools.
- Define SoD rules as machine-enforceable policies, not spreadsheet comments.
- Use just-in-time access for sensitive approvals and privileged functions.
- Validate conflicts at the moment of request, not at quarter-end.
- Track both human and non-human identities, including API keys and service accounts.
Current guidance suggests that continuous control testing is more reliable than periodic attestation for high-risk workflows, especially where identities can act across multiple systems. The challenge is not only knowing who has access, but whether the active session, token, or delegated workflow can combine into an SoD conflict. These controls tend to break down when access is spread across shadow IT, manual exception handling, and unmanaged service accounts because the control owner cannot see the full transaction path.
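As an added example (not code from NHI Mgmt Group or the original page), a minimal request-time SoD policy evaluator in Python that binds identity, task and time as described above: JIT grants expire, a delegated NHI resolves to the human it acts for, and the conflict check runs against what has already happened on the same transaction rather than against a quarterly export. Action names, identities, grants and conflict pairs are all constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
# Constructed conflict matrix: action pairs one identity must never perform on
# the same transaction. Demo rules only, not taken from any product or standard.
CONFLICTS = {frozenset({"invoice.create", "invoice.approve"}),
             frozenset({"invoice.approve", "payment.release"})}

@dataclass
class Grant:
    action: str
    expires_at: Optional[datetime] = None  # None = standing; set = JIT elevation

@dataclass
class Identity:
    name: str
    kind: str                        # "human" or "nhi" (service account, bot)
    grants: List[Grant] = field(default_factory=list)
    acts_for: Optional[str] = None   # delegation: an NHI acting for a human

def active_actions(identity: Identity, now: datetime) -> set:
    """Grants valid at request time; expired JIT elevations drop out."""
    return {g.action for g in identity.grants
            if g.expires_at is None or g.expires_at > now}

def evaluate(identity: Identity, action: str, txn_id: str,
             now: datetime, ledger: list) -> str:
    """Decide one request now; ledger holds (txn_id, action, actor) history."""
    if action not in active_actions(identity, now):
        return "deny: no active grant"
    # Collapse delegation so a bot cannot launder its principal's conflict.
    actor = identity.acts_for or identity.name
    for txn, prior, who in ledger:
        if txn == txn_id and who == actor and frozenset({prior, action}) in CONFLICTS:
            return "deny: %s already performed %s on %s" % (actor, prior, txn_id)
    ledger.append((txn_id, action, actor))
    return "allow"

def demo() -> List[str]:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = Identity("alice", "human", [Grant("invoice.create"),
                     Grant("invoice.approve", t0 + timedelta(hours=1))])
    bob = Identity("bob", "human", [Grant("invoice.approve")])
    bot = Identity("erp-bot", "nhi", [Grant("invoice.approve")], acts_for="alice")
    ledger: list = []
    return [evaluate(alice, "invoice.create", "INV-1", t0, ledger),
            evaluate(alice, "invoice.approve", "INV-1", t0, ledger),
            evaluate(bot, "invoice.approve", "INV-1", t0, ledger),
            evaluate(alice, "invoice.approve", "INV-2", t0 + timedelta(hours=2), ledger),
            evaluate(bob, "invoice.approve", "INV-1", t0, ledger)]
```

The third request shows why the delegation collapse matters: the service account holds a valid approve grant, yet the request is still denied because it acts for the identity that created the invoice.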
Common Variations and Edge Cases
Tighter segregation controls often increase operational overhead, requiring organisations to balance fraud prevention against process speed. That tradeoff matters most where the business depends on frequent exception handling, emergency approvals, or cross-functional platform administration. There is no universal standard for every SoD design, but best practice is evolving toward risk-based enforcement rather than blanket prohibition.
Some environments still rely on annual reviews because tooling is fragmented or because legacy ERP and IAM systems cannot enforce real-time policy. In those cases, the review should be treated as a detective backstop, not the primary control. The same caution applies when third parties, contractors, or NHIs hold delegated authority. NHIMG data shows only 5.7% of organisations have full visibility into their service accounts, which means spreadsheet-based reviews can miss the very identities most likely to bypass human oversight. That is why mature programs anchor SoD in continuous visibility and lifecycle control, not in annual reconciliation alone.
For program design, the key question is whether a conflict can be prevented, detected, and revoked before harm occurs. If the answer depends on next year’s audit cycle, the control is already too slow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-03 | Annual reviews are governance oversight, but SoD needs continuous control assurance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Spreadsheet reviews miss stale or excessive NHI privileges that create SoD conflicts. |
| NIST AI RMF | The question is about governance controls failing to manage dynamic, runtime risk. | Apply AI RMF-style continuous risk monitoring to shift SoD from periodic review to live enforcement. |