Because they answer different questions. Screening asks whether a person or entity appears on a restricted or high-risk list, while enhanced due diligence asks whether the relationship itself needs deeper investigation because of ownership, source of funds, or business risk. If the workflows are merged, teams often under-escalate cases that require fuller review.
Why This Matters for Security Teams
Sanctions screening and enhanced due diligence solve different risk problems, so they cannot safely share one generic case queue. Screening is a match-and-disposition process against restricted-party data, while enhanced due diligence is a deeper assessment of ownership, beneficial control, source of funds, and behavioural red flags. When those decisions are merged, teams tend to optimise for speed and miss the cases that require analyst judgement, escalation, or documentation.
This distinction matters because workflow design drives outcome quality. A screening alert may be resolved with identity matching, disambiguation, and disposition rules. An enhanced due diligence case usually needs evidence gathering, corroboration, and a higher bar for sign-off. NHI Mgmt Group’s Ultimate Guide to NHIs shows how governance gaps compound when identity workflows are not separated, especially where privileged access, secrets, and third-party exposure overlap. The same operational lesson appears in the NIST Cybersecurity Framework 2.0, whose Identify, Detect, and Respond functions work best when the control path matches the risk question being asked.
In practice, many security teams encounter under-escalated cases only after a downstream review or audit has already exposed the mismatch, rather than through intentional workflow design.
How It Works in Practice
Strong programs keep sanctions screening and enhanced due diligence on separate operational tracks, even when they share source data. Screening workflows usually start with a list hit, matching logic, threshold rules, and a fast disposition path for false positives. Enhanced due diligence starts earlier in the lifecycle, often when risk factors indicate the relationship itself deserves more scrutiny, such as opaque ownership, unusual payment flows, high-risk jurisdictions, or a material vendor change.
That separation is not only about case management. It also affects evidence standards, reviewer authority, and timelines. Screening teams generally need repeatable triage rules and a defensible record of why a person or entity was cleared or escalated. EDD teams need a broader investigative record, often including external corroboration, source-of-funds review, beneficial ownership checks, and approvals from a risk committee or compliance lead. The workflow should therefore route based on the question being asked, not only on the data object being reviewed.
- Use one intake layer to collect common data, then branch into screening or EDD based on risk triggers.
- Keep screening logic focused on list matching, alert tuning, and disposition speed.
- Keep EDD logic focused on ownership, control, financing, geography, and relationship context.
- Require different approval thresholds so a cleared screening result does not accidentally close an unresolved risk review.
For teams building governance around identities and access, the same principle applies to NHI lifecycle management: a fast check is not the same as a full risk assessment, and the workflow should reflect that distinction. Best practice is evolving, but current guidance suggests separating alert handling, analyst work, and final approval paths so the evidence standard matches the risk question. These controls tend to break down when high-volume operations force all alerts into one queue because analysts then normalise quick closures and miss deeper escalation signals.
Common Variations and Edge Cases
Tighter workflow separation often increases operational overhead, so organisations have to balance faster screening against more resource-intensive investigations. That tradeoff is real, especially for smaller compliance or security teams that want one toolset for everything.
There is no universal standard for this yet, but current guidance suggests a few practical exceptions. Very low-risk cases may be pre-cleared through automated screening if the match confidence is low and the relationship is materially simple. By contrast, a single relationship can trigger both workflows when the entity is screened against a restricted list and also shows ownership opacity or unusual transaction patterns. In those cases, screening should not suppress EDD. It should simply feed it.
Another edge case is alert fatigue. If teams use the same queue and same service-level objective for both workflows, screening analysts may be pressured to close cases before the broader due diligence evidence is complete. The better pattern is separate work items, separate owners, and separate closure criteria, with escalation rules when one workflow discovers facts relevant to the other. That is especially important in high-volume environments where repeated false positives can mask the minority of cases that need deeper review.
In operational terms, the right question is not whether the two workflows can share data, but whether they should share decision logic. They should share inputs, but not the same judgment path.
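The routing pattern described in this section and in the edge cases above (one intake layer; separate screening and EDD work items with their own owners and closure criteria; a strong screening hit feeding EDD instead of suppressing it; a cleared screening result never closing an open EDD review) as an added Python example. This is illustrative code written for this page, not code from the page or from NHI Mgmt Group, and the thresholds, role names, trigger names, and evidence kinds in it are assumptions, not values taken from any regulator or standard.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    OPEN = "open"            # awaiting analyst work
    CLEARED = "cleared"      # screening: no true match, record kept
    ESCALATED = "escalated"  # screening: strong hit, handed to EDD
    CLOSED = "closed"        # EDD: record complete and signed off


@dataclass
class Intake:
    """Common data collected once, before the workflow branches."""
    entity: str
    list_hit: bool                        # restricted-party matching returned a candidate
    match_score: float                    # 0.0-1.0 identity-match confidence
    ownership_opaque: bool = False
    unusual_payments: bool = False
    high_risk_jurisdiction: bool = False
    material_vendor_change: bool = False


@dataclass
class WorkItem:
    track: str                            # "screening" or "edd"
    owner: str
    status: Status = Status.OPEN
    evidence: list[str] = field(default_factory=list)  # "kind:detail" entries
    approvals: set[str] = field(default_factory=set)


@dataclass
class Case:
    intake: Intake
    screening: WorkItem | None = None
    edd: WorkItem | None = None


# Assumed thresholds, roles and evidence kinds (illustration only, not from the page).
AUTO_CLEAR_BELOW = 0.30        # low-confidence hit on a simple relationship
ESCALATE_AT_OR_ABOVE = 0.85    # strong hit: analyst review, and feed EDD
EDD_REQUIRED_EVIDENCE = {"beneficial_ownership", "source_of_funds"}
EDD_REQUIRED_APPROVALS = {"analyst", "compliance_lead"}


def edd_triggers(i: Intake) -> list[str]:
    """Risk factors that make the relationship itself deserve scrutiny."""
    flags = {
        "ownership_opaque": i.ownership_opaque,
        "unusual_payments": i.unusual_payments,
        "high_risk_jurisdiction": i.high_risk_jurisdiction,
        "material_vendor_change": i.material_vendor_change,
    }
    return [name for name, on in flags.items() if on]


def open_case(i: Intake) -> Case:
    """Branch at intake: each track gets its own work item and owner."""
    case = Case(intake=i)
    if i.list_hit:
        case.screening = WorkItem("screening", owner="screening_analyst")
    triggers = edd_triggers(i)
    if triggers:
        case.edd = WorkItem("edd", owner="compliance_lead",
                            evidence=[f"trigger:{t}" for t in triggers])
    return case


def dispose_screening(case: Case) -> Status:
    """Screening rules act on match confidence, never on relationship risk."""
    item = case.screening
    if item is None:
        raise ValueError("no screening item on this case")
    score = case.intake.match_score
    if score < AUTO_CLEAR_BELOW and not edd_triggers(case.intake):
        item.status = Status.CLEARED          # pre-clear only simple relationships
        item.evidence.append(f"auto_clear:score={score:.2f}")
    elif score >= ESCALATE_AT_OR_ABOVE:
        item.status = Status.ESCALATED
        item.evidence.append(f"strong_hit:score={score:.2f}")
        if case.edd is None:                  # a strong hit feeds EDD, never suppresses it
            case.edd = WorkItem("edd", owner="compliance_lead")
        case.edd.evidence.append(f"from_screening:{item.evidence[-1]}")
    # Otherwise the item stays OPEN for analyst disambiguation.
    return item.status


def analyst_clear_screening(case: Case, note: str) -> Status:
    """Analyst records why the hit is a false positive; the record is kept."""
    item = case.screening
    if item is None or item.status is not Status.OPEN:
        raise ValueError("screening item is not awaiting analyst disposition")
    item.evidence.append(f"analyst_disambiguation:{note}")
    item.status = Status.CLEARED
    return item.status


def record_edd_evidence(case: Case, kind: str, detail: str) -> None:
    if case.edd is None:
        raise ValueError("no EDD item on this case")
    case.edd.evidence.append(f"{kind}:{detail}")


def close_edd(case: Case, approvals: set[str]) -> Status:
    """EDD closes only on a complete record plus every required sign-off."""
    item = case.edd
    if item is None:
        raise ValueError("no EDD item on this case")
    item.approvals |= approvals
    kinds = {e.split(":", 1)[0] for e in item.evidence}
    if EDD_REQUIRED_EVIDENCE <= kinds and EDD_REQUIRED_APPROVALS <= item.approvals:
        item.status = Status.CLOSED
    return item.status


def case_resolved(case: Case) -> bool:
    """A cleared screening result never closes an unresolved EDD review."""
    s, e = case.screening, case.edd
    screening_done = s is None or s.status in (Status.CLEARED, Status.ESCALATED)
    edd_done = e is None or e.status is Status.CLOSED
    return screening_done and edd_done
```

The two tracks share only the `Intake` record. `dispose_screening` never looks at ownership or payment flags except to refuse an automatic clear, and `close_edd` never looks at the match score at all; the only bridge between them is the escalation that appends screening evidence to the EDD item. `case_resolved` is the check a queue or SLA report should use, so a fast screening closure cannot hide an EDD item that is still open.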
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Separate approval paths support least-privilege and separation-of-duties decisions. |
| OWASP Non-Human Identity Top 10 | NHI3:2025 (Vulnerable Third-Party NHI) | Workflow separation helps prevent missed escalation on third-party and privileged identity risk. |
| NIST AI RMF | Core functions (Govern, Map, Measure, Manage) | Risk-governed decision paths align with AI RMF assessment and oversight functions. |
Define governance, accountability, and escalation so each workflow uses the right decision standard.
Related resources from NHI Mgmt Group
- Why does enhanced due diligence need ongoing monitoring after onboarding?
- Who is accountable when enhanced due diligence fails to catch a high-risk relationship?
- How should organisations decide when a customer needs enhanced due diligence?
- What breaks when enhanced due diligence is treated as a one-time check?