Teams should separate request, approval, and administration paths so no single role can grant itself conflicting access. They also need evidence that privileged groups, finance roles, and reviewer roles are tested against one another during certification cycles, with exceptions documented and time-bound.
Why This Matters for Security Teams
Proving segregation of duties in Active Directory is not just an audit exercise. It is the control that shows whether request, approval, and administration paths are truly independent, or whether one privileged path can quietly approve its own access. That matters because AD remains a common choke point for privilege escalation, especially when groups, delegated admin rights, and review workflows are managed by the same people or the same service principal. NIST Cybersecurity Framework 2.0 reinforces that access governance has to be demonstrable, not assumed, which is why evidence quality matters as much as policy design.
In practice, teams often discover SoD failures only after a review uncovers self-approval, shared admin roles, or stale exceptions that never expired. NHIMG has documented how privilege pathways can be abused in the wild, including cases like the Cisco Active Directory credentials breach, where credential exposure becomes an access-governance problem, not just a password problem. The operational question is whether the directory design makes conflict impossible to hide.
How It Works in Practice
Teams prove segregation of duties by showing that no single identity can complete a conflicting end-to-end action inside AD. That usually means separating the person who requests access, the approver who validates it, and the administrator who implements it, then retaining logs that show those paths stayed independent during the entire certification cycle. A clean control story normally includes RBAC, delegated administration boundaries, and time-bound exceptions with expiration dates.
Evidence should be collected from the systems that actually enforce the control, not from policy statements alone. Common proof points include:
- Directory group membership records showing approvers are not members of the groups they approve.
- Privileged access review logs showing finance, HR, and admin roles were tested against one another during certification.
- Change tickets and approval records proving no reviewer also executed the change.
- Exception registers showing compensating controls, owner sign-off, and an expiry date.
- Privileged role assignment histories showing removal of standing access after completion.
NIST CSF 2.0 is useful here because it treats governance, access control, and evidence retention as operational capabilities, not paperwork. For directory environments that rely on secrets or delegated admin workflows, the risk often extends beyond human accounts into service identities and automation. NHIMG’s Ultimate Guide to NHIs highlights how weak visibility and excessive privilege are recurring failure modes, and those same patterns can hide SoD violations inside AD administration paths. When SoD is done well, auditors can trace each conflicting role decision to separate actors, separate systems, and separate timestamps. These controls tend to break down when one admin group both approves and executes access changes because the evidence trail becomes self-referential.
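The proof points listed above can be checked mechanically once the records are exported from the systems that enforce them. The Python script below is an added example, not code from the original article or from NHIMG. It assumes that group membership, approval records, change tickets and the exception register have been exported as plain records; every user, ticket, group and date in it is constructed for illustration.

```python
"""
SoD evidence checks over exported directory and ticketing records.

Added example (hypothetical; not from the original article or NHIMG). It
assumes the evidence sources named in the article have been exported to
simple dict records. All sample data below is constructed.
"""
from datetime import date

# Constructed: AD group -> direct members, from a group membership export.
GROUP_MEMBERS = {
    "Finance-Payment-Approvers": {"alice", "dave"},
    "Domain Admins": {"carol"},
    "AP-Invoice-Entry": {"bob", "dave"},
}

# Constructed: access approvals taken from the request workflow.
APPROVALS = [
    {"ticket": "REQ-1001", "requester": "bob", "approver": "alice", "group": "AP-Invoice-Entry"},
    {"ticket": "REQ-1002", "requester": "erin", "approver": "dave", "group": "AP-Invoice-Entry"},
    {"ticket": "REQ-1003", "requester": "frank", "approver": "frank", "group": "Domain Admins"},
]

# Constructed: change tickets recording who implemented each approved change.
CHANGES = [
    {"ticket": "REQ-1001", "implementer": "carol"},
    {"ticket": "REQ-1002", "implementer": "dave"},
]

# Constructed: exception register entries.
EXCEPTIONS = [
    {"id": "EXC-7", "owner": "cfo", "expires": date(2025, 12, 31),
     "compensating_control": "weekly payment review"},
    {"id": "EXC-8", "owner": "", "expires": None,
     "compensating_control": "quarterly review"},
]


def approver_conflicts(approvals, group_members):
    """Flag approvals where the approver is the requester, or already belongs to the group being approved."""
    findings = []
    for a in approvals:
        if a["approver"] == a["requester"]:
            findings.append((a["ticket"], "self-approval"))
        if a["approver"] in group_members.get(a["group"], set()):
            findings.append((a["ticket"], "approver is member of approved group"))
    return findings


def reviewer_executed_change(approvals, changes):
    """Flag tickets where the same identity both approved and implemented the change."""
    approver_by_ticket = {a["ticket"]: a["approver"] for a in approvals}
    return [c["ticket"] for c in changes
            if approver_by_ticket.get(c["ticket"]) == c["implementer"]]


def exception_defects(exceptions, today):
    """Flag exceptions with no owner sign-off, no expiry date, or an expiry already in the past."""
    findings = []
    for e in exceptions:
        if not e["owner"]:
            findings.append((e["id"], "no owner sign-off"))
        if e["expires"] is None:
            findings.append((e["id"], "no expiry date"))
        elif e["expires"] < today:
            findings.append((e["id"], "expired"))
    return findings


if __name__ == "__main__":
    # Each list is the evidence an auditor would expect to see empty.
    print("approver conflicts:", approver_conflicts(APPROVALS, GROUP_MEMBERS))
    print("approver also implemented:", reviewer_executed_change(APPROVALS, CHANGES))
    print("exception defects:", exception_defects(EXCEPTIONS, date.today()))
```

Each function returns the tickets or exceptions that break one proof point, so an empty result is itself the evidence to retain for the certification cycle; a non-empty result names the record that needs a separate approver, a separate implementer, or an owner and expiry date.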
Common Variations and Edge Cases
Tighter segregation often increases operational overhead, requiring organisations to balance auditability against speed, especially in small IAM teams and high-change environments. The tradeoff is real: the more granular the separation, the more approvals, reviews, and exception handling are needed.
There is no universal standard for how much SoD evidence is enough, so current guidance suggests tailoring it to the risk of the privilege involved. High-risk AD roles such as domain admin, group policy management, and cross-functional reviewer access usually need stronger evidence than routine joiner-mover-leaver changes. In hybrid environments, the problem becomes harder because Azure AD, on-prem AD, and ticketing tools may each show only part of the control path. That is where the Azure Key Vault privilege escalation exposure is a useful reminder that delegated access and privileged roles can intersect in unexpected ways.
One practical edge case is emergency access. Break-glass roles can be acceptable, but they need separate issuance, separate logging, and post-event review. Another edge case is when certification is performed by business managers who do not understand technical role conflicts; in that situation, the review process should present conflict metadata rather than raw group names. If the directory design cannot produce reviewer-independent evidence without manual reconstruction, the SoD control is too fragile for a mature audit posture.
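The second edge case above, business reviewers who cannot interpret raw group names, is usually handled by translating effective membership into role conflicts before the review. The Python below is an added example, not code from the original article or from NHIMG; it goes slightly beyond the text by following nested group membership, since a conflict hidden one level down in a nested AD group is still a conflict. The group names, role labels, conflict matrix and users are all constructed.

```python
"""
Reviewer-facing SoD conflict report with nested-group resolution.

Added example (hypothetical; not from the original article or NHIMG). It
assumes group membership has been exported as direct members plus nested
groups, and that the organisation keeps a conflict matrix of role pairs
that one person must not hold together. All data below is constructed.
"""

# Constructed: AD group -> direct members (users and nested groups).
GROUPS = {
    "Domain Admins": {"carol", "Tier0-Ops"},
    "Tier0-Ops": {"dave"},
    "Access-Approvers": {"alice", "dave"},
    "AP-Invoice-Entry": {"bob"},
    "AP-Payment-Release": {"bob", "Finance-Leads"},
    "Finance-Leads": {"alice"},
}

# Constructed: technical group name -> business role label shown to reviewers.
ROLE_OF_GROUP = {
    "Domain Admins": "Directory administrator",
    "Access-Approvers": "Access approver",
    "AP-Invoice-Entry": "Invoice entry",
    "AP-Payment-Release": "Payment release",
}

# Constructed conflict matrix: role pairs that must not be held by one identity.
CONFLICTS = {
    frozenset({"Invoice entry", "Payment release"}):
        "Can create and pay an invoice alone",
    frozenset({"Directory administrator", "Access approver"}):
        "Can approve and implement own access changes",
}


def effective_groups(user, groups):
    """Return every group the user belongs to, following nested membership upwards."""
    result = set()
    stack = [g for g, members in groups.items() if user in members]
    while stack:
        g = stack.pop()
        if g in result:
            continue
        result.add(g)
        # Any group that contains this group as a member also contains the user.
        stack.extend(parent for parent, members in groups.items() if g in members)
    return result


def effective_roles(user, groups, role_of_group):
    """Map effective groups to business roles, keeping the granting groups as evidence."""
    roles = {}
    for g in effective_groups(user, groups):
        role = role_of_group.get(g)
        if role:
            roles.setdefault(role, set()).add(g)
    return roles


def conflict_report(user, groups, role_of_group, conflicts):
    """Produce conflict findings a business reviewer can act on, not raw group names."""
    roles = effective_roles(user, groups, role_of_group)
    findings = []
    for pair, description in conflicts.items():
        if pair <= set(roles):
            via = {r: sorted(roles[r]) for r in sorted(pair)}
            findings.append({"user": user, "conflict": description, "roles": via})
    return findings


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, conflict_report(user, GROUPS, ROLE_OF_GROUP, CONFLICTS))
```

In the constructed data, dave reaches Domain Admins only through the nested Tier0-Ops group, so a review that compared direct membership against the matrix would miss his conflict; the report instead tells the reviewer what the combination allows and which groups grant each side of it. In a real environment the membership export would come from the directory itself (for example `Get-ADGroupMember -Recursive` in the ActiveDirectory PowerShell module), with the role mapping and conflict matrix owned by the control owners rather than by the administrators being reviewed.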
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SoD evidence depends on access control decisions being enforced and reviewable. |
| OWASP Non-Human Identity Top 10 | NHI-06 | AD admin paths often rely on privileged non-human identities that can bypass SoD. |
| NIST AI RMF | | AI RMF governance principles map well to demonstrable accountability and oversight. |
Separate approval, administration, and review paths, then retain logs that prove each decision came from a different role.