They fail because real risk comes from how identities move through actual business processes, not from a job title alone. Temporary access, cross-functional roles, and system migrations can create toxic combinations that static matrices miss. SoD has to be evaluated against live process paths and runtime entitlements.
Why This Matters for Security Teams
Static separation of duties matrices look reassuring on paper because they map responsibilities to job titles, but finance systems rarely operate that neatly. Access shifts during month-end close, acquisitions, ERP migrations, reconciliations, and emergency support windows. That means a user can stay “within role” while still creating a toxic combination across systems, approvals, and data paths. NIST frames this as a continuous governance problem, not a one-time classification exercise, in the NIST Cybersecurity Framework 2.0.
NHIMG research on the State of Secrets in AppSec shows how often security confidence exceeds operational reality, and the same pattern appears in SoD programs when entitlements, service accounts, and temporary exceptions outgrow the original control design. The core risk is not that a matrix exists, but that it is treated as proof of control when it is only an abstraction. In practice, many security teams discover SoD violations only after a payment error, audit finding, or fraud event has already exposed the gap.
How It Works in Practice
Modern SoD has to be evaluated against live process paths, not just role labels. A practical control design starts by inventorying the business actions that matter: create vendor, change bank details, approve invoice, release payment, post journal entry, and override exception handling. Those actions must be mapped to the identities that can execute them, including humans, bots, API clients, and system-to-system accounts. This is where finance teams often need workload identity discipline, because a service account with broad ERP rights can bypass a matrix that only tracks named users.
Current guidance suggests combining policy-as-code with runtime entitlements so that SoD is checked at the moment of action. That can include:
- real-time authorisation checks against transaction context, not just static role membership
- temporary elevation with explicit expiry for close-period or migration work
- segregation across systems, not only inside a single application
- continuous logging that ties approvals, posting, and release actions back to one traceable identity
This is consistent with the direction of the DeepSeek breach lesson: once identity controls drift from real usage, attackers and insiders can move faster than periodic reviews detect. Finance organisations should treat SoD as an operational control plane, then use standards such as NIST and zero trust to enforce context-aware decisions rather than static approvals. These controls tend to break down in highly customised ERP environments because process ownership is fragmented and entitlement data is incomplete across modules.
Common Variations and Edge Cases
Tighter SoD enforcement often increases operational friction, requiring organisations to balance fraud prevention against close-cycle speed and auditability. That tradeoff becomes especially sharp during mergers, system replacements, and emergency accounting periods, where legitimate exceptions are common and manual approvals can become the new risk.
There is no universal standard for every finance workflow yet, so best practice is evolving. Some organisations apply strict SoD only to high-risk transactions, while allowing compensating controls for low-risk administrative actions. Others use JIT access with dual approval and short TTLs for privileged tasks. The key is to distinguish between persistent entitlement and temporary exception, then document why an override existed and when it expired. This matters for shared services models, outsourced finance operations, and RPA workflows, where a single control can span multiple legal entities or process owners.
For broader governance alignment, finance teams can use the State of Secrets in AppSec findings as a reminder that fragmented control ownership weakens central oversight, even when controls appear mature on paper. In practice, static matrices fail most often when temporary access is granted without downstream revocation, because the exception outlives the business need.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Addresses access control decisions that should reflect business context, not only role labels. |
| NIST Zero Trust (SP 800-207) | ZTA | Zero trust supports continuous verification for dynamic finance workflows and exceptions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers over-privileged non-human identities that can bypass static SoD matrices. |
Tie SoD enforcement to PR.AC-4 and verify access at transaction time, not just during quarterly reviews.
