By NHI Mgmt Group Editorial Team | Published 2025-12-10 | Domain: Governance & Risk | Source: SailPoint

TL;DR: 92% of organisations require separation of duties, yet 43% have failed SoD requirements and 60% have had to grant emergency access, often with delayed revocation and audit gaps, according to SailPoint and an external research firm. The core issue is not policy intent but governance execution, where manual processes turn exception handling into sustained risk.


At a glance

What this is: This blog post examines survey findings on separation of duties, emergency access, and automation, showing that compliance failures are often driven by weak governance processes rather than missing policy intent.

Why it matters: SoD and emergency access failures cut across human IAM, NHI governance, and lifecycle controls, so the same governance weakness can create audit exposure, privilege creep, and unresolved access risk.



Context

Separation of duties is the control that prevents one identity from completing an irreversible action without independent oversight. In practice, the control fails when business pressure, staff absence, or manual exception handling allows a single person to act outside the intended approval chain, which is a familiar identity governance problem across human access and privileged workflows.

The article’s findings show that emergency access is often granted in response to unavailable staff, but the real governance issue is whether those exceptions are documented, time-bounded, and revoked cleanly. For IAM and IGA teams, this is the same lifecycle problem that appears in NHI access and privileged access programmes, only with different identity types and different failure modes.


Key questions

Q: What breaks when separation of duties is enforced only on paper?

A: When SoD exists only as policy, teams can still route sensitive actions through manual exceptions, informal approvals, or incomplete workflows. The result is a control that looks present in documentation but fails during execution. The practical failure is not lack of intent, but lack of enforceable entitlement design, reviewer independence, and audit evidence.

Q: Why do emergency access exceptions create long-term governance risk?

A: Emergency access becomes risky when the exception is not tightly bounded and revoked. If teams cannot prove who approved it, why it existed, and when it ended, the organisation inherits unresolved privilege exposure and audit findings. The longer the access persists after the emergency, the more the exception behaves like standing privilege.

Q: How do security teams know if their SoD controls are actually working?

A: They should test whether sensitive tasks still require independent review when the normal approver is absent, unavailable, or offline. A working SoD control produces clear approval evidence, blocked execution paths, and traceable exceptions. If the process can be bypassed without detection, the control is weak even if the policy is well written.

Q: Who is accountable when emergency access is granted and not revoked?

A: Accountability should sit with the owner of the access workflow, the approving manager or control authority, and the team responsible for revocation evidence. If no one owns the expiry and review step, emergency access becomes operationally convenient but governance-unowned. That is a lifecycle failure, not just an incident response gap.


Technical breakdown

How separation of duties breaks down in real access workflows

Separation of duties is a design control, not just a policy statement. It works by splitting a sensitive task so that no single identity can both request and complete it without oversight. In operational environments, the control degrades when systems lack fine-grained entitlement mapping, approval routing, or audit evidence that ties an action to an independent reviewer. That is why SoD issues frequently surface in ERP, privileged admin, and emergency access workflows rather than in ordinary day-to-day access. The article’s data points to a governance implementation gap, not a conceptual one.

Practical implication: map sensitive actions to explicit approval paths and test whether the control still works when staff are absent or unavailable.

Why emergency access creates lasting compliance risk

Emergency access is a controlled exception that can become a standing exception if revocation is slow or undocumented. The risk is not only that someone receives elevated access, but that the organisation cannot prove when the exception ended, who approved it, or whether the access was used only for the emergency event. That creates audit findings, SoD conflicts, and long-tail privilege exposure. In identity programmes, temporary access that outlives the incident becomes a governance failure, not just an operational convenience.

Practical implication: treat every emergency grant as a lifecycle event with expiry, review, and revocation evidence.

Where automation helps compliance and where it does not

Automation can reduce the manual burden of reviews, certifications, and risk checks, but it does not fix unclear policy boundaries. If the underlying entitlement model is weak, automated workflows simply accelerate bad decisions. The useful boundary is whether automation is removing repetitive admin work or masking governance ambiguity. In mature identity programmes, automation supports enforcement, evidence collection, and exception handling, but human ownership still has to exist for policy interpretation and remediation decisions.

Practical implication: automate evidence and enforcement first, then validate that policy design and ownership are still explicit.


Threat narrative

Attacker objective: Obtain privileged execution without the normal checks that prevent a single identity from completing a sensitive or irreversible action.

  1. Entry occurs when an organisation grants emergency access because the normal approver, operator, or subject matter expert is unavailable.
  2. Escalation follows when the temporary privilege is used to complete sensitive actions without the usual separation of duties review.
  3. Impact emerges when the access is not revoked promptly, leaving a longer-lived compliance exposure and repeated audit exceptions.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.



NHI Mgmt Group analysis

Separation of duties is not failing because the model is wrong. It is failing because organisations still treat it as a static policy instead of a live governance control. The survey data shows broad adoption but frequent failure, which is exactly what happens when policy language outpaces process design. In practice, SoD only works when entitlement modelling, approvals, and evidence collection remain aligned to the actual workflow. The practitioner conclusion is that SoD maturity is a control-execution problem, not a policy-awareness problem.

Emergency access is where identity governance becomes measurable. If a team cannot show who approved the exception, why it existed, and when it was removed, then the control did not complete. This is why emergency access belongs in lifecycle governance, not as an informal operational workaround. The practitioner conclusion is that exception handling must be engineered as part of the access model, not improvised during a crisis.

Manual compliance processes create false confidence because they preserve activity but not assurance. A team can issue access, record a ticket, and still leave the organisation unable to prove separation of duties or revocation discipline. That gap is especially visible in privileged workflows, where the consequences of one over-broad approval are immediate and auditable. The practitioner conclusion is that evidence quality matters as much as approval count.

Identity governance needs to collapse the distinction between human, machine, and emergency access when the control objective is accountability. The article is about human workflows, but the same governance failure appears when service accounts, tokens, or delegated access are allowed to outlive their approved purpose. Access that cannot be clearly bounded in time and purpose is an identity risk regardless of subject type. The practitioner conclusion is to govern exceptions by lifecycle, not by identity category alone.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
  • For the control model behind this risk, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be governed across identity types.

What this signals

Separation of duties is becoming a lifecycle issue, not just a compliance issue. Teams that still treat emergency access as a ticket-driven workaround will keep seeing revocation delays, audit exceptions, and unclear accountability. The practical shift is to govern every exception as an identity event with ownership, expiry, and evidence.

The same governance pattern is emerging across machine and delegated access, where temporary privilege can easily outlive its intended purpose. That is why lifecycle discipline matters across human access, service accounts, and broader NHI governance, especially when review cycles are too slow to catch the exception window.

For practitioners building maturity, the signal is simple: if approvals are present but revocation evidence is weak, the programme is recording control activity rather than enforcing control outcomes. Align the workflow with the NHI Lifecycle Management Guide and use the NIST Cybersecurity Framework 2.0 to anchor ownership, review, and recovery responsibilities.


For practitioners

  • Rebuild separation of duties around actual workflows: Map the specific sensitive actions that require independent review, then verify that ERP, PAM, and IGA workflows enforce those checks end to end. Test the process against staff absence, role changes, and escalation paths so the control still holds when the normal approver is unavailable.
  • Treat emergency access as a time-bounded lifecycle event: Require explicit approval, expiry, and revocation evidence for every emergency grant. Record the reason for the exception, the identity that used it, and the point at which access was removed so auditors can reconstruct the full lifecycle.
  • Automate evidence collection before automating decisions: Use workflow automation to capture approvals, timestamps, and entitlement changes, but keep policy interpretation and exception ownership with accountable reviewers. That prevents automation from becoming a faster way to bypass governance.
  • Measure how often exceptions become persistent access: Track the percentage of emergency grants that remain active beyond the incident, the average revocation delay, and the number of repeated exceptions per team. Those signals show whether the programme is controlling access or merely recording it.
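
The measurements in the last bullet, computed over emergency-grant records, as an added example that is not code from SailPoint or NHI Mgmt Group. The `Grant` record shape, the one-hour grace window, and the sample data are assumptions constructed for illustration; the sketch also flags self-approved grants, since those lack the independent reviewer that separation of duties requires.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:  # hypothetical record shape, not a vendor schema
    grant_id: str
    team: str
    requester: str
    approver: str
    incident_closed: datetime
    revoked: Optional[datetime]  # None means no revocation evidence exists

def exception_metrics(grants, now, grace=timedelta(hours=1)):
    """Summarise how often emergency grants outlive their incident."""
    persistent, self_approved, unrevoked, delays = [], [], [], []
    for g in grants:
        if g.requester == g.approver:      # no independent reviewer
            self_approved.append(g.grant_id)
        if g.revoked is None:              # still active as of `now`
            unrevoked.append(g.grant_id)
        end = g.revoked or now
        delay = max(end - g.incident_closed, timedelta(0))
        if g.revoked is not None:          # average only over proven revocations
            delays.append(delay)
        if delay > grace:                  # access outlived the incident
            persistent.append(g.grant_id)
    per_team = Counter(g.team for g in grants)
    avg = sum(delays, timedelta(0)) / len(delays) if delays else None
    return {
        "persistent_pct": round(100 * len(persistent) / len(grants), 1) if grants else 0.0,
        "avg_revocation_delay": avg,
        "repeat_teams": {t: n for t, n in per_team.items() if n > 1},
        "self_approved": self_approved,
        "unrevoked": unrevoked,
    }

# Constructed sample data for illustration only.
T0 = datetime(2025, 1, 6, 9, 0)
SAMPLE = [
    Grant("EA-1", "finance", "alice", "bob", T0, T0 + timedelta(minutes=30)),
    Grant("EA-2", "finance", "carol", "carol", T0, T0 + timedelta(hours=49, minutes=30)),
    Grant("EA-3", "platform", "dave", "erin", T0, None),
    Grant("EA-4", "finance", "alice", "bob", T0 + timedelta(days=2), T0 + timedelta(days=2)),
]
NOW = T0 + timedelta(days=7)
if __name__ == "__main__":
    print(exception_metrics(SAMPLE, NOW))
```

Grants with no revocation timestamp count as persistent but are excluded from the average delay, so missing evidence cannot make the average look better than it is.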

Key takeaways

  • Separation of duties fails most often at execution time, not in policy design, which makes workflow enforcement the real control problem.
  • Emergency access becomes a compliance issue when revocation is delayed, undocumented, or left without clear ownership.
  • Identity programmes need measurable exception handling because manual governance can preserve activity while destroying assurance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-4 | Separation of duties and approvals map to controlled access enforcement. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Emergency access and delayed revocation mirror over-privilege and lifecycle issues. |
| NIST SP 800-63 | | Identity proofing and session integrity matter when access exceptions are granted. |

Map sensitive actions to controlled approval paths and verify they still work during exceptions.


Key terms

  • Separation of duties: A control that splits a sensitive task into separate steps so no single identity can complete the whole action alone. It reduces fraud, error, and misuse by forcing independent review or approval before irreversible changes are made.
  • Emergency access: A temporary exception that grants elevated access when normal operating roles cannot complete a task in time. In mature governance, it is time-bounded, documented, reviewed, and revoked as soon as the incident or operational need ends.
  • Revocation evidence: Proof that access was actually removed after it was no longer needed. This includes timestamps, approval records, and entitlement changes, and it is essential for showing that a temporary exception did not turn into persistent privilege.
  • Identity governance: The discipline of controlling who or what can access resources, why that access exists, and when it should end. It covers approvals, certifications, exceptions, and lifecycle events across human identities, NHIs, and delegated access.


This post draws on content published by SailPoint: New research on compliance, emergency access risks, and automation. Read the original.
