TL;DR: Segregation of duties compliance is a core control for SOX, HIPAA, and GDPR, but manual reviews, access creep, and fragmented hybrid environments weaken its ability to prevent fraud and unauthorized action, according to SecurEnds. The control still matters, but it now needs continuous governance rather than periodic checking.
At a glance
What this is: This is an analysis of segregation of duties compliance and how it reduces fraud, insider abuse, and compliance risk across regulated systems.
Why it matters: It matters because IAM, IGA, and PAM teams need SoD controls that still work when access spans cloud, SaaS, on-premise, and third-party systems.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities (46% confirmed, 26% suspected).
👉 Read SecurEnds' guidance on segregation of duties compliance across regulated environments
Context
Segregation of duties compliance is the governance practice of splitting sensitive tasks, approvals, and operational authority so one identity cannot complete a high-risk process alone. In regulated environments, that design is meant to reduce fraud, insider abuse, and unauthorised change, but it becomes harder to enforce when entitlements are spread across hybrid systems and business units.
The core problem is not the policy statement; it is the operating model. Periodic access reviews, spreadsheet SoD matrices, and manual exception handling are too slow for environments where access changes continuously across finance, healthcare, and personal-data workflows. That is why SoD now has to be treated as an identity governance control, not just an audit control.
Key questions
Q: How should organisations implement segregation of duties in hybrid environments?
A: Start with a formal SoD matrix that maps prohibited combinations across finance, healthcare, cloud, and SaaS systems. Then enforce it in provisioning, certification, and exception workflows so toxic combinations are blocked before access is granted. Manual review alone is too slow once identities and permissions move across multiple platforms.
Q: Why do access reviews often miss SoD violations?
A: Because access reviews are snapshots, not continuous control points. A user can become toxic after the review through role changes, inherited permissions, or delegated administration. If the programme only checks access periodically, it will routinely miss the drift that creates segregation of duties failures between review cycles.
Q: What breaks when segregation of duties is not continuously monitored?
A: Toxic combinations can persist unnoticed in privileged, financial, and regulated-data workflows. Without continuous monitoring, organisations often detect violations only after a transaction, audit finding, or incident. The result is delayed remediation, weaker accountability, and a higher chance that one identity can control both sides of a sensitive process.
Q: Who is accountable when segregation of duties fails in regulated systems?
A: Accountability usually spans business process owners, IAM or IGA teams, and control owners in the regulated function. The organisation must be able to show who approved the access, who owns the conflict rules, and who remediated the violation. Auditors care less about intent than about whether the approval chain is provable.
Technical breakdown
How SoD matrices prevent toxic access combinations
An SoD matrix is a ruleset that marks which entitlements, approvals, and duties must never sit with the same identity. In practice, it maps toxic combinations such as create-and-approve, provision-and-approve, or modify-and-audit. The value is not the document itself, but the enforcement point: the matrix becomes useful only when provisioning, certification, and exception workflows check it before access is granted or retained. In hybrid environments, the matrix must cover application roles, privileged accounts, and delegated approvals across systems, or risk will simply move to a different layer of the stack.
Practical implication: validate SoD conflicts at request time, not only during periodic review.
Why access creep defeats segregation of duties
Access creep occurs when users accumulate permissions as they move roles, projects, or teams. That accumulation often creates hidden SoD conflicts because the governance model assumes entitlements are stable, while the business reality is that they are fluid. The problem is especially visible in cloud and SaaS platforms where permissions are inherited, delegated, or duplicated across accounts. Once a user has retained old access, a single role change can silently turn a compliant access profile into a toxic one without any new request being made.
Practical implication: tie joiner-mover-leaver events to entitlement decay and SoD re-evaluation.
Why continuous monitoring matters more than periodic certification
Periodic access certification is a snapshot, not a control loop. It can show that a user was approved at a point in time, but it cannot reliably catch the mid-cycle changes that create SoD violations later. Continuous monitoring closes that gap by watching for risky combinations, privileged access drift, and unapproved administrative paths as they emerge. This matters most for regulated workflows where the same identity can influence financial, clinical, or personal-data operations across multiple applications.
Practical implication: feed SoD checks into monitoring, alerting, and remediation workflows instead of audit-only review cycles.
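The three sections above (matrix enforcement at request time, access creep after mover events, and continuous re-evaluation with exception expiry) share one mechanism, so here is a single added example that is not code from SecurEnds or NHIMG. It assumes a constructed two-rule SoD matrix, a constructed role model in which ap_manager inherits ap_clerk, and ISO-8601 date strings for exception expiry; the point is that the same conflict check gates a request, re-runs on a mover event, and honours only unexpired exceptions.

```python
from dataclasses import dataclass, field
# Constructed SoD matrix: duty pairs that must never sit with one identity.
TOXIC_PAIRS = {
    frozenset({"vendor.create", "payment.approve"}),  # create-and-approve
    frozenset({"ledger.modify", "ledger.audit"}),     # modify-and-audit
}
# Constructed role model: roles grant duties and may inherit other roles.
ROLES = {
    "ap_clerk": {"duties": {"vendor.create"}, "inherits": set()},
    "ap_manager": {"duties": {"payment.approve"}, "inherits": {"ap_clerk"}},
    "gl_accountant": {"duties": {"ledger.modify"}, "inherits": set()},
    "internal_audit": {"duties": {"ledger.audit"}, "inherits": set()},
}

def effective_duties(roles):
    """Resolve every duty an identity actually holds, following role inheritance."""
    seen, stack, duties = set(), list(roles), set()
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            duties |= ROLES[r]["duties"]
            stack.extend(ROLES[r]["inherits"])
    return duties

def conflicts(duties):
    """Toxic pairs fully contained in a duty set, as sorted tuples."""
    return sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= duties)

@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    exceptions: dict = field(default_factory=dict)  # toxic pair -> ISO expiry date

def open_conflicts(identity, today):
    """Conflicts not covered by an unexpired exception (ISO date strings compare as text)."""
    live = {pair for pair, expiry in identity.exceptions.items() if expiry >= today}
    return [c for c in conflicts(effective_duties(identity.roles)) if c not in live]

def check_request(identity, new_role, today):
    """Request-time gate: simulate the grant and block it if it creates a new conflict."""
    trial = Identity(identity.name, identity.roles | {new_role}, identity.exceptions)
    new = [c for c in open_conflicts(trial, today) if c not in open_conflicts(identity, today)]
    return ("blocked", new) if new else ("allowed", [])

def on_mover_event(identity, removed, added, today):
    """JML re-evaluation: apply the move, then re-check the whole profile for drift."""
    identity.roles = (identity.roles - removed) | added
    return open_conflicts(identity, today)
```

Note that the request for ap_manager is blocked even for an identity with no other access, because the conflict is inherited through ap_clerk rather than requested directly.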
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SoD compliance fails when governance assumes access is static between reviews. The article describes a control model built around periodic certification, but that model breaks when identities accumulate privileges continuously across cloud and SaaS systems. The failure is not the absence of policy; it is the assumption that a reviewed entitlement remains valid until the next review. Practitioners should treat SoD as a living entitlement problem, not a checkbox exercise.
The real control gap is toxic combination drift. Segregation of duties is only effective when the organisation can detect when one identity gains both sides of a sensitive workflow, such as create and approve or modify and audit. That drift is amplified by manual workflows, shared administrative patterns, and inconsistent approvals across systems. The implication is that SoD governance has to be enforced at the entitlement layer, not reconstructed after the fact in spreadsheets.
Hybrid identity sprawl makes SoD a cross-domain governance problem, not a finance-only one. The article correctly ties SoD to SOX, HIPAA, and GDPR, but the underlying issue is broader: every regulated environment now depends on identity separation across business systems, not just inside one application. That means IAM, IGA, and PAM teams must coordinate on the same toxic combination model. Practitioners need a common SoD language across domains, or control exceptions will multiply.
Regulated workflows need independent approval, not just separate usernames. The article shows that the same person should not both perform and approve high-risk actions, but too many programmes still stop at role assignment. Real separation of duties requires separate decision paths, separate evidence, and separate remediation authority. For auditors, the question is whether the organisation can prove that no identity controlled the full transaction chain. Practitioners should design for reviewable accountability, not nominal separation.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- That pattern makes the Ultimate Guide to NHIs -- Lifecycle Processes for Managing NHIs the next place to look when access governance needs to cover rotation, offboarding, and certification.
What this signals
SoD will keep drifting from audit language into operational identity control as environments become more fragmented. The programme signal is clear: if conflict detection still depends on periodic spreadsheet review, governance is already lagging the business. Teams should expect stronger demand for event-driven entitlement validation across finance, cloud, and SaaS systems.
Toxic combination drift is the condition where a previously safe access profile becomes an SoD violation after role changes, delegation, or entitlement inheritance. That shift is why governance teams need the same conflict model across IGA, PAM, and application owners, not three separate interpretations of separation of duties.
As identity programmes mature, SoD evidence will be judged less by policy existence and more by whether the organisation can prove approval independence and remediation timing. Teams that can show conflict detection, exception expiry, and review traceability will be better positioned for SOX, HIPAA, and GDPR scrutiny.
For practitioners
- Map toxic combinations across business workflows: Build an SoD matrix for finance, healthcare, and personal-data workflows, then define explicit conflicts such as create-and-approve or modify-and-audit. Keep the matrix tied to actual application roles and privileged paths, not only job titles.
- Embed conflict checks into provisioning: Require automated SoD validation before access is approved or assigned in ERP, SaaS, and cloud administration workflows. Exceptions should route to separate approvers with recorded justification and expiry.
- Re-certify privileged access continuously: Move privileged and high-risk accounts onto shorter review cycles with event-driven triggers for mover, leaver, and role-change events. Do not wait for the next quarterly review to discover a toxic combination.
- Document remediation evidence for audits: Record conflict detection, approval history, remediation actions, and exception expiry in a format auditors can trace end to end. Evidence quality matters as much as the control itself.
Key takeaways
- Segregation of duties is a control against toxic authority concentration, not just an audit requirement.
- The biggest failure mode is access creep turning a previously compliant identity into a hidden SoD conflict.
- Continuous validation at provisioning and review time is the control that matters most in hybrid environments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SoD depends on access restrictions and separate approval paths. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Access conflicts often emerge through ungoverned privilege and stale entitlements. |
| NIST Zero Trust (SP 800-207) | | Zero trust requires continuous verification of who can do what. |
Treat privilege creep as an NHI control issue and validate conflicts during entitlement changes.
Key terms
- Segregation Of Duties: Segregation of duties is the practice of splitting sensitive tasks and approvals so one identity cannot complete a high-risk process alone. In identity programmes, it reduces fraud and abuse by ensuring that creation, approval, execution, and audit responsibilities are separated across different people or control paths.
- SoD Matrix: An SoD matrix is a control map that lists which access combinations, approvals, or duties are prohibited. It becomes effective only when provisioning and review workflows check it automatically, because a static spreadsheet cannot stop toxic combinations from entering the environment.
- Toxic Combination: A toxic combination is a set of permissions that gives one identity excessive control over a sensitive process. In regulated environments, it often means a user can both perform and approve an action, which removes independent oversight and creates fraud, compliance, or audit risk.
- Access Creep: Access creep is the gradual accumulation of permissions beyond what a role legitimately needs. It usually happens during job moves, project changes, or exception handling, and it is one of the most common ways a previously safe identity becomes a segregation of duties violation.
Deepen your knowledge
Segregation of duties compliance and entitlement conflict detection are covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance across hybrid systems, it is worth exploring.
This post draws on content published by SecurEnds: segregation of duties compliance across SOX, HIPAA, and GDPR. Read the original.
Published by the NHIMG editorial team on 2026-05-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org