TL;DR: Manual segregation of duties governance breaks down as organizations spread across cloud, SaaS, ERP, and hybrid systems, where permissions change daily and toxic combinations can linger for weeks or months, according to SecurEnds. Automated identity governance is now the practical way to detect conflicts continuously, standardize approvals, and keep audit evidence usable.
At a glance
What this is: This analysis says manual segregation of duties governance no longer scales across modern hybrid identity environments, and continuous automation is now the control pattern that closes the gap.
Why it matters: For IAM, IGA, PAM, and compliance teams, SoD automation matters because toxic access combinations now span human, NHI, and machine-driven workflows across systems that change faster than periodic reviews can keep up.
👉 Read SecurEnds' analysis of segregation of duties automation for hybrid identity
Context
Segregation of duties fails when identity sprawl outpaces manual review cycles. In hybrid enterprises, a single person, service account, or workflow can touch finance, cloud, and application permissions in different systems, making spreadsheet-based approvals too slow to catch toxic combinations before they are used.
This is an identity governance problem as much as a compliance problem. The article frames SoD automation as the practical response to continuously changing access, which is the same reason lifecycle and privilege controls now have to operate across human identities, non-human identities, and machine-driven access paths.
For teams building the broader governance model, the relevant question is not whether SoD exists, but whether it is enforced continuously across the environments where access is created and changed. That is the shift from periodic certification to operational identity control.
Key questions
Q: How should security teams implement segregation of duties automation in hybrid environments?
A: Start by defining prohibited access combinations for the processes that matter most, then connect those rules to provisioning, approval, and certification workflows. Automate checks across cloud, SaaS, ERP, and on-premise systems so conflicts are blocked or routed before access becomes active. The control only works when the policy engine sees the full entitlement picture.
Q: Why do manual SoD reviews fail when permissions change daily?
A: Manual reviews fail because they rely on snapshots while modern access changes continuously through role shifts, temporary elevation, integrations, and deployments. By the time a spreadsheet review happens, the conflict may already have been exercised. Continuous monitoring is the difference between documenting a risk and actually controlling it.
Q: What breaks when SoD is applied only to human users?
A: Machine identities can still create, deploy, approve, or move sensitive data, so a human-only model leaves major control gaps in cloud and DevOps workflows. If service accounts, APIs, and bots are excluded, the organisation can pass a policy review while the real conflict remains active. Governance has to cover every identity that can change state.
Q: Who is accountable when an SoD conflict is missed in an audit or incident?
A: Accountability usually sits with the identity governance owner, the business process owner, and the control owner for the affected system. The key issue is whether the organisation can prove that policy, approval, and remediation were consistently enforced. The Govern function in NIST Cybersecurity Framework 2.0 (GV.RR, roles, responsibilities, and authorities) expects that ownership to be defined and documented, which is what makes a missed conflict attributable rather than nobody's problem.
Technical breakdown
Why manual segregation of duties breaks in hybrid environments
Manual SoD depends on static snapshots, but hybrid estates change continuously. Cloud admins receive temporary elevation, DevOps pipelines provision infrastructure dynamically, and SaaS permissions shift through integrations and role changes. A spreadsheet can record a conflict after the fact, but it cannot evaluate every entitlement mutation as it happens. That creates a structural delay between access change and governance response, which is where toxic combinations persist. The problem is not just scale. It is the mismatch between static review cadences and dynamic permission models across systems that do not share one common authorization layer.
Practical implication: move SoD enforcement into the provisioning and access-change path, not the quarterly review cycle.
How SoD automation detects toxic access combinations
Automated SoD tools continuously compare entitlements against policy rules and identify conflicts such as request-and-approve, create-and-approve, or deploy-and-audit combinations. The mechanism is policy evaluation across connected identity and application data, followed by workflow generation for review, exception handling, or remediation. In practice, the value comes from centralizing identity and entitlement visibility across SaaS, ERP, cloud, and on-premise systems. Without that cross-system view, the platform can only detect isolated permissions, not the combined access pattern that creates a real conflict.
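The policy evaluation described here, and the provisioning-time check asked for in the Key questions above, as an added illustration that is not SecurEnds' or NHIMG's code. It normalises system-specific entitlements into business capabilities so that one prohibited pair can be evaluated across ERP, SaaS and cloud, evaluates human and non-human identities with the same rules, gates a new grant before it becomes active, and reports the age and volume of open conflicts (the measure the analysis section later calls access combination debt). Every system name, entitlement name, capability mapping, rule and record is constructed for the example; the `check_request` and `debt_summary` interfaces are assumptions about how such a tool might expose its results, not any product's API.

```python
# Added illustration, not SecurEnds' or NHIMG's code. Systems, entitlement
# names, capability map, rules and records below are all constructed.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Entitlement:
    identity: str   # user, service account, pipeline or bot
    kind: str       # "human" or "nhi"
    system: str     # system the entitlement lives in
    name: str       # system-specific entitlement name
    granted: date

@dataclass(frozen=True)
class Conflict:
    identity: str
    kind: str
    rule: str
    evidence: tuple  # entitlements that together violate the rule
    since: date      # when the last half of the combination arrived

    def age_days(self, today):
        return (today - self.since).days

# Normalise system-specific entitlements to business capabilities so one rule
# can be evaluated across ERP, SaaS and cloud (constructed mapping).
CAPABILITY_MAP = {
    ("erp", "vendor.create"): "CREATE_VENDOR",
    ("erp", "invoice.approve"): "APPROVE_PAYMENT",
    ("ap-saas", "supplier.new"): "CREATE_VENDOR",
    ("ap-saas", "payment.release"): "APPROVE_PAYMENT",
    ("aws", "ecs:UpdateService"): "DEPLOY_PROD",
    ("aws", "cloudtrail:StopLogging"): "ALTER_AUDIT",
    ("github", "repo:write"): "AUTHOR_CHANGE",
    ("github", "workflow:approve"): "APPROVE_CHANGE",
}

# The SoD matrix: prohibited capability pairs, defined once and centrally.
SOD_RULES = {
    "create-and-approve payment": frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}),
    "deploy-and-alter-audit": frozenset({"DEPLOY_PROD", "ALTER_AUDIT"}),
    "author-and-approve change": frozenset({"AUTHOR_CHANGE", "APPROVE_CHANGE"}),
}

def find_conflicts(entitlements, cap_map=CAPABILITY_MAP, rules=SOD_RULES):
    """Evaluate each identity's combined entitlements, across all systems."""
    by_identity = {}
    for e in entitlements:
        cap = cap_map.get((e.system, e.name))
        if cap is None:
            continue  # unmapped entitlement takes part in no rule
        by_identity.setdefault((e.identity, e.kind), {}).setdefault(cap, []).append(e)
    conflicts = []
    for (identity, kind), caps in by_identity.items():
        for rule, required in rules.items():
            if not required.issubset(caps):
                continue
            evidence = tuple(e for c in sorted(required) for e in caps[c])
            # The conflict opens when the last required capability is first granted.
            since = max(min(e.granted for e in caps[c]) for c in required)
            conflicts.append(Conflict(identity, kind, rule, evidence, since))
    return conflicts

def check_request(existing, requested):
    """Provisioning gate: rules the requested grant would newly violate.
    Empty means the grant may proceed; otherwise route to exception handling."""
    def rules_for(ents):
        return {c.rule for c in find_conflicts(ents) if c.identity == requested.identity}
    return sorted(rules_for(list(existing) + [requested]) - rules_for(existing))

def debt_summary(conflicts, today):
    """Access combination debt: how many conflicts are open, and for how long."""
    by_kind = {}
    for c in conflicts:
        by_kind[c.kind] = by_kind.get(c.kind, 0) + 1
    oldest = max((c.age_days(today) for c in conflicts), default=0)
    return {"open": len(conflicts), "oldest_days": oldest, "by_kind": by_kind}

# Constructed entitlement snapshot, as an IGA connector might normalise it.
SAMPLE = [
    Entitlement("alice", "human", "erp", "vendor.create", date(2026, 1, 10)),
    Entitlement("alice", "human", "ap-saas", "payment.release", date(2026, 3, 2)),
    Entitlement("ci-deployer", "nhi", "aws", "ecs:UpdateService", date(2025, 11, 15)),
    Entitlement("ci-deployer", "nhi", "aws", "cloudtrail:StopLogging", date(2025, 12, 20)),
    Entitlement("dave", "human", "erp", "vendor.create", date(2026, 4, 1)),
    Entitlement("dave", "human", "github", "repo:write", date(2026, 4, 1)),
]
TODAY = date(2026, 5, 21)

if __name__ == "__main__":
    open_conflicts = find_conflicts(SAMPLE)
    for c in open_conflicts:
        systems = sorted({e.system for e in c.evidence})
        print(f"{c.identity} ({c.kind}): {c.rule} across {systems}, open {c.age_days(TODAY)} days")
    print(debt_summary(open_conflicts, TODAY))
    request = Entitlement("dave", "human", "ap-saas", "payment.release", TODAY)
    print("dave -> ap-saas payment.release blocked by:", check_request(SAMPLE, request))
```

Two things the sample is built to show: alice looks clean in the ERP and clean in the AP SaaS when each is reviewed on its own, and only the capability-level view across both systems surfaces the create-and-approve conflict; and the deploy-and-alter-audit conflict belongs to a pipeline identity, which a human-only matrix would never evaluate. The gate in `check_request` only reports rules the new grant would add, so an identity that already carries a conflict is not re-flagged for every unrelated request.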
Practical implication: define prohibited access pairs centrally and validate them against every connected system before access is granted.
Why continuous access reviews matter for SoD governance
Continuous access certification closes the gap between initial approval and later privilege creep. Access that was valid on day one can become risky after a role change, temporary project, or contractor transition. SoD automation does not replace access reviews, but it makes them meaningful by feeding them current entitlement data and remediation outcomes instead of stale reports. That matters because audit evidence is only as good as the review of access actually in force. Continuous monitoring also surfaces dormant or orphaned access that periodic certification tends to miss.
Practical implication: pair automated conflict detection with continuous recertification so exceptions do not turn into permanent entitlements.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Manual SoD governance is a timing problem, not just an operating-model problem: periodic certification assumes access changes slowly enough to be reviewed before it matters. In modern hybrid estates, access mutates daily through provisioning, privilege elevation, and integrations. That means a conflict can exist long before the next review cycle sees it. Practitioners should treat SoD failure as a mismatch between governance cadence and identity velocity.
The real control failure is cross-system blind spots: toxic combinations often span cloud, SaaS, ERP, and identity platforms, but manual processes tend to review each system in isolation. That is why a user can appear compliant in one application while still holding conflicting authority elsewhere. Cross-domain visibility is the baseline condition for SoD governance, not an optional enhancement. Practitioners need an entitlement graph, not scattered point-in-time reports.
SoD automation is strongest when it governs human and non-human identities together: the article correctly notes that service accounts, APIs, bots, and automation workloads also create separation-of-duties exposure. A human-only matrix leaves machine identities outside the control perimeter even though they can still trigger, approve, or move data. That gap is increasingly visible in cloud and DevOps workflows. Practitioners should extend SoD policy to every identity that can change state or authorize work.
Compliance evidence has become an identity operations output: audit readiness now depends on whether remediation history, approval context, and access-review records are generated continuously rather than assembled later. That changes the role of IGA from documentation support to active control enforcement. When evidence trails are created as a byproduct of governance, the audit burden falls and the control becomes more defensible. Practitioners should design SoD workflows to emit evidence automatically.
SoD automation exposes a broader governance concept, access combination debt: every delayed review, inconsistent approval, or unremediated exception adds to the number of conflicting entitlements an organization carries forward. This debt accumulates across people and systems, then surfaces during audits, incidents, or reorgs. The longer it persists, the harder it is to separate legitimate business access from toxic overlap. Practitioners should measure the age and volume of unresolved conflicts, not just the number detected.
From our research:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- 59% of infrastructure leaders cite "confidently wrong" AI configuration as their top fear, showing that governance failure is now as much about decision quality as access scope.
- For a broader lifecycle lens, read NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding discipline that SoD automation should plug into.
What this signals
Access combination debt: organisations that leave SoD to periodic review accumulate unresolved conflicts faster than human governance teams can clear them. That debt does not stay abstract. It shows up as audit friction, production exceptions, and the inability to prove that conflicting access was removed on time.
With 69% of security leaders saying identity management must fundamentally shift to address agentic AI systems, the wider market is moving toward continuous identity control rather than paperwork-driven governance. For practitioners, that means SoD programmes should be built to inspect live entitlements and policy violations, not just certify historical access states.
As more machine identities participate in business workflows, SoD must expand beyond user roles into the full entitlement graph. The governance model that works for a quarterly access review will not keep pace with cloud provisioning, temporary elevation, and automated workloads that change state all day.
For practitioners
- Build a formal SoD matrix: Document prohibited access combinations by system and process, then map each conflict to the identities that can trigger it. Keep the matrix current for ERP, finance, cloud, and identity platforms so policy enforcement is consistent across environments.
- Automate provisioning checks before access is granted: Evaluate every new entitlement request against SoD policy at the point of approval, including temporary elevation and delegated admin paths. Use the same control logic for human and non-human identities wherever they can initiate sensitive actions.
- Prioritise high-risk systems first: Start with payment, financial close, privileged administration, and cloud production workflows where conflicting access has the highest business impact. Use those systems to prove the workflow, then expand the control pattern to lower-risk applications.
- Continuously review privileged access: Re-certify elevated permissions on a rolling basis and require remediation tracking for every exception. Tie reviews to live entitlement data so access creep, orphaned accounts, and dormant privileges do not survive the next review cycle.
- Extend governance to machine identities: Include service accounts, APIs, bots, and automation workloads in SoD policy definitions so machine-driven actions cannot bypass the same separation rules applied to people. Treat these identities as part of the same entitlement universe, not a separate exception class.
Key takeaways
- Manual segregation of duties breaks because modern access changes too quickly for periodic review to catch toxic combinations in time.
- The scale problem is now cross-system, with cloud, SaaS, ERP, and machine-driven workflows all contributing to the same governance gap.
- Automated policy checks, continuous certification, and machine-identity coverage are the controls that make SoD defensible in hybrid environments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 equivalent was PR.AC-4) | Access permissions, entitlements, and authorizations are to be managed, enforced, and reviewed using least privilege and separation of duties; SoD automation is the enforcement mechanism. |
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding | Continuous governance reduces over-privileged and over-retained non-human access. |
| NIST SP 800-207 (Zero Trust Architecture) | Zero trust tenets (Sec. 2.1); policy decision and enforcement points | Zero trust expects dynamic, per-request authorization; an SoD check belongs inside that policy decision, not in a later review. |
Include machine identities in SoD checks and remediate excessive entitlements automatically.
Key terms
- Segregation of duties: Segregation of duties is an identity governance control that prevents one actor from holding conflicting permissions that could enable fraud, misuse, or unreviewed change. In practice, it separates the ability to create, approve, and execute sensitive actions so no single identity can control the full transaction path.
- SoD automation: SoD automation is the continuous use of policy and workflow logic to detect, block, and remediate conflicting access rights across systems. It replaces spreadsheet-based review with live entitlement evaluation, making the control useful in environments where identities and permissions change daily.
- Access combination debt: Access combination debt is the accumulation of unresolved conflicting entitlements that remain active because reviews are too slow or inconsistent. It behaves like control debt in security programmes. The longer it persists, the harder it becomes to prove that separation rules are enforced.
- Continuous access certification: Continuous access certification is the practice of validating whether active permissions are still justified using current entitlement data rather than periodic snapshots. It is especially useful when access changes quickly, because it ties review outcomes to live governance state instead of stale reports.
Deepen your knowledge
Segregation of duties automation and continuous identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme still depends on periodic review cycles, it is worth exploring.
This post draws on content published by SecurEnds: segregation of duties automation across enterprise environments. Read the original.
Published by the NHIMG editorial team on 2026-05-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org