Subscribe to the Non-Human & AI Identity Journal

Why do spreadsheet-based SoD reviews fail at scale?

They fail because access changes continuously while a spreadsheet captures only a snapshot. Once conflicting entitlements live in different systems, the manual reconciliation workload grows faster than the review process can keep up. The result is stale evidence, missed conflicts, and controls that are hard to defend in audit.

Why This Matters for Security Teams

Spreadsheet-based segregation of duties reviews fail because they assume entitlement risk is static, while actual access changes every day across SaaS, cloud, CI/CD, and privilege systems. A spreadsheet can record who had access at a point in time, but it cannot continuously reconcile inherited roles, nested groups, standing admin rights, or service-account privilege drift. That makes the control look orderly while the underlying exposure keeps moving.

This matters because SoD is not just an audit artifact. It is a decision-making control that should prevent conflicting capabilities from landing in the same identity path. When evidence is manually assembled, the review becomes slow enough that conflicting access often persists long after the spreadsheet was signed off. Current guidance in NIST Cybersecurity Framework 2.0 pushes organisations toward repeatable, risk-based control operations rather than periodic paper checks, and NHIMG has documented how fragmented identity and secrets estates create the same failure pattern across NHIs in Ultimate Guide to NHIs. In practice, many security teams encounter SoD violations only after an audit request or incident has already exposed the gap, rather than through intentional continuous monitoring.

How It Works in Practice

At scale, effective SoD review is less about producing a spreadsheet and more about continuously evaluating entitlement relationships across systems of record. The control should start with a policy model that defines toxic combinations, then map those rules to current identities, roles, groups, privileged sessions, and machine credentials. That requires scheduled ingestion from HR, IAM, PAM, cloud, and application platforms, plus a way to reconcile entitlements that are not represented consistently across systems.

Practical teams usually move toward three capabilities:

  • Identity correlation that links human users, NHIs, and service accounts to one governance record.
  • Rule-based conflict detection that evaluates SoD constraints at request time or during near-real-time recertification.
  • Exception handling with expiry dates, compensating controls, and documented approvals for temporary risk acceptance.

For NHI-heavy environments, the challenge is that the same access path may be expressed as a secret, an API token, a role assignment, or a workload credential. NHIMG’s research on secrets sprawl in The State of Secrets in AppSec shows why manual inventories decay quickly when credentials and access are fragmented across multiple systems. Standards-oriented teams often pair that operational view with the control discipline in NIST Cybersecurity Framework 2.0 so SoD becomes a repeatable control process, not a quarterly worksheet exercise.

These controls tend to break down when access is governed by disconnected applications that do not expose exportable entitlement data because the review team cannot reliably reconstruct who can actually combine conflicting privileges.

Common Variations and Edge Cases

Tighter SoD enforcement often increases operational overhead, requiring organisations to balance risk reduction against approval latency and business continuity. That tradeoff is especially visible in engineering, finance, and platform operations, where a single person may legitimately need temporary cross-functional access during incident response or release windows.

Best practice is evolving for these cases. There is no universal standard for how often to recheck SoD conflicts across every system, but current guidance suggests moving from annual spreadsheet attestations to policy-driven reviews with expiry, evidence links, and owner accountability. Temporary access should be time-boxed, reviewed separately from permanent entitlements, and revoked automatically when the task ends.

Edge cases also matter for NHIs. A service account may not map cleanly to a named employee, yet it can still hold toxic combinations such as deployment rights plus production database access. That is why NHIMG treats NHI governance as a core part of access review maturity, not a separate niche, especially where machine identities can accumulate privilege faster than human reviewers can track it. When controls depend on human memory, spreadsheet logic, or one-off sign-offs, they usually fail in environments with high change velocity, federated SaaS estates, or large populations of machine identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 SoD reviews are access-control assurance, not just documentation.
OWASP Non-Human Identity Top 10 NHI-02 Machine identities often carry toxic access combinations in hidden ways.
NIST AI RMF GOVERN Governance is required when access review processes become continuous and complex.

Continuously validate entitlements and enforce least privilege across systems, not in quarterly spreadsheets.