By NHI Mgmt Group Editorial Team
Published 2026-05-22
Domain: Governance & Risk
Source: SecurEnds

TL;DR: Segregation of duties in auditing separates sensitive tasks, approvals, and privileged actions to reduce fraud, abuse, and compliance failures, according to SecurEnds. In modern cloud and SaaS environments, that control is increasingly an identity governance problem, not just an audit checklist.


At a glance

What this is: An analysis of how segregation of duties supports audit-ready governance by splitting sensitive responsibilities across different people, roles, and workflows.

Why it matters: IAM, PAM, and IGA teams increasingly have to prove that no single identity can request, grant, and approve the same sensitive action.

👉 Read SecurEnds' full guide to segregation of duties in auditing


Context

Segregation of duties is the control principle that no single identity should be able to complete an entire sensitive process alone. In practice, that means separating request, approval, execution, and review so fraud and unauthorized activity are easier to detect and harder to conceal. For identity programmes, the real issue is not the policy statement but whether entitlements, workflows, and approvals still enforce the separation once access crosses cloud, ERP, and SaaS systems.

This problem now sits directly inside identity governance. When access administration, privileged role assignment, and certification are all handled in the same operational chain, SoD stops being a finance-only audit topic and becomes a control design question for IAM, PAM, and lifecycle governance. Teams that still rely on spreadsheet review or annual attestation are trying to enforce a dynamic identity problem with static evidence.


Key questions

Q: How should security teams enforce segregation of duties in IAM workflows?

A: Security teams should separate the identities and approval paths used for request, provisioning, certification, and exception handling. The key test is whether any single person or role can complete a sensitive access change alone. Technical controls should block self-approval, and governance controls should record who reviewed and approved each step.

Q: Why do segregation of duties controls fail in cloud and SaaS environments?

A: They fail because authority is distributed across many consoles, delegated roles, and automation paths, so conflicts can hide outside one system. A clean policy in one platform does not prevent overlapping privilege elsewhere. Teams need cross-system entitlement mapping and conflict detection to see the full risk picture.

Q: What do auditors look for in access review and SoD testing?

A: Auditors look for toxic entitlement combinations, weak approval separation, unresolved exceptions, and proof that conflicts were remediated. They also check whether access reviews are consistent across high-risk systems and whether evidence shows who approved, who fixed the issue, and when it was closed.

Q: Who is accountable when a SoD conflict leads to fraud or compliance failure?

A: Accountability usually sits with the control owner, the approver, and the governance function that allowed the conflict to persist. Frameworks such as NIST Cybersecurity Framework 2.0 expect clear ownership of access risk, while audit programs expect documented review and remediation evidence.


Technical breakdown

SoD conflicts in identity workflows

Segregation of duties fails most visibly when the same identity can participate in multiple stages of the access lifecycle. In IAM terms, that means the person or role that provisions access should not also approve it, certify it, or remediate its own exceptions. The control goal is not just to separate titles, but to prevent one entitlement chain from creating self-authorised privilege. In cloud and SaaS environments, hidden conflicts often appear when delegated admins, shared roles, or service desks blur the boundary between request and approval.

Practical implication: Map request, approval, and certification paths to separate identities and block self-approval in every high-risk workflow.

Access reviews and toxic entitlement combinations

SoD reviews are not a simple yes-or-no check. Auditors look for toxic combinations, where individually acceptable rights become risky when held together, such as create-and-approve, request-and-certify, or admin-and-review. This is why access review quality matters as much as access scope. A weak certification process can preserve conflicting entitlements for months, even when the underlying policy is sound. In modern enterprises, the hardest part is keeping that logic consistent across ERP, IAM, PAM, and cloud control planes.

Practical implication: Use entitlement matrices and periodic certification to detect conflicting access combinations before audit evidence is frozen.
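The conflict model from the two subsections above, written out as an added example (not code from SecurEnds or NHIMG). The systems, roles, entitlement names, identities and the SoD matrix are constructed for illustration; a real IGA product holds these in its own schema. Entitlements are qualified by system so that a pair split across ERP, IAM and cloud consoles is evaluated in one place, nested roles are resolved so that a conflict hidden behind a delegated help-desk role is found, and an approval is gated on self-approval and on the toxic combination the grant would create, before the access reaches production.

```python
"""Cross-system SoD conflict detection with a self-approval gate.

Added example, not code from SecurEnds or NHIMG. Systems, roles, entitlements,
identities and the SoD matrix below are constructed for illustration.
"""
from dataclasses import dataclass

# Entitlements are qualified by system (erp:, iam:, cloud:) so that a pair held
# across two consoles is evaluated in one model. A role maps to the entitlements
# or other roles it grants; nesting models delegated admin roles.
ROLES = {
    "erp:ap_clerk":         {"erp:vendor.create", "erp:invoice.enter"},
    "erp:ap_manager":       {"erp:payment.approve"},
    "iam:access_requester": {"iam:access.request"},
    "iam:access_approver":  {"iam:access.approve"},
    "iam:certifier":        {"iam:access.certify"},
    "cloud:org_admin":      {"cloud:iam.admin", "cloud:audit.read"},
    "cloud:auditor":        {"cloud:audit.review"},
    "helpdesk:tier2":       {"iam:access_requester", "iam:access_approver"},  # nested roles
}

# SoD matrix: unordered pairs of entitlements that must never be held together.
SOD_MATRIX = {
    frozenset({"erp:vendor.create", "erp:payment.approve"}),  # create-and-approve
    frozenset({"iam:access.request", "iam:access.approve"}),  # request-and-approve
    frozenset({"iam:access.request", "iam:access.certify"}),  # request-and-certify
    frozenset({"cloud:iam.admin", "cloud:audit.review"}),     # admin-and-review
}

# Constructed assignments: identity -> roles or direct entitlements.
ASSIGNMENTS = {
    "alice": {"erp:ap_clerk", "erp:ap_manager"},    # conflict inside one system
    "bob":   {"helpdesk:tier2"},                    # conflict hidden by role nesting
    "carol": {"cloud:org_admin", "cloud:auditor"},  # admin-and-review
    "dave":  {"iam:access_approver"},
    "erin":  {"erp:ap_clerk"},
}


def expand(grants, roles=ROLES):
    """Resolve roles (including nested ones) to effective entitlements."""
    effective, pending, seen = set(), list(grants), set()
    while pending:
        g = pending.pop()
        if g in seen:
            continue                      # tolerates role cycles
        seen.add(g)
        if g in roles:
            pending.extend(roles[g])
        else:
            effective.add(g)
    return effective


def held_pairs(entitlements, matrix=SOD_MATRIX):
    """Toxic pairs contained in an effective entitlement set, as sorted tuples."""
    return sorted(tuple(sorted(p)) for p in matrix if p <= entitlements)


def find_conflicts(assignments, matrix=SOD_MATRIX, roles=ROLES):
    """Map each identity to the toxic pairs it holds; clean identities are omitted."""
    report = {}
    for ident, grants in assignments.items():
        pairs = held_pairs(expand(grants, roles), matrix)
        if pairs:
            report[ident] = pairs
    return report


@dataclass(frozen=True)
class AccessRequest:
    requester: str     # who raised the request
    beneficiary: str   # who receives the grant
    grant: str         # role or entitlement requested


def evaluate_approval(req, approver, assignments, matrix=SOD_MATRIX, roles=ROLES):
    """Gate an approval. Returns (allowed, reasons).

    Blocks self-approval (approver is requester or beneficiary), approvers who
    lack the approve right, and grants that would add a toxic pair.
    """
    reasons = []
    if approver in (req.requester, req.beneficiary):
        reasons.append("self-approval: approver is the requester or beneficiary")
    if "iam:access.approve" not in expand(assignments.get(approver, set()), roles):
        reasons.append("approver does not hold iam:access.approve")
    current = set(assignments.get(req.beneficiary, set()))
    before = set(held_pairs(expand(current, roles), matrix))
    after = set(held_pairs(expand(current | {req.grant}, roles), matrix))
    for pair in sorted(after - before):
        reasons.append(f"grant would create toxic combination {pair}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for ident, pairs in find_conflicts(ASSIGNMENTS).items():
        print(ident, pairs)
    print(evaluate_approval(AccessRequest("erin", "erin", "erp:ap_manager"), "dave", ASSIGNMENTS))
    print(evaluate_approval(AccessRequest("erin", "erin", "cloud:auditor"), "erin", ASSIGNMENTS))
```

The matrix is deliberately expressed on effective entitlements rather than on role names: bob's conflict only appears after the help-desk role is expanded, which is exactly the delegated-admin case the section describes. The approval gate compares the beneficiary's toxic pairs before and after the grant, so an existing conflict that is already tracked as an exception does not block unrelated requests, while a new conflict is refused at approval time rather than found at the next certification.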

Continuous monitoring for audit-ready governance

Periodic audits can confirm that a control existed on a given date, but they do not prove the control stayed effective between reviews. Continuous monitoring closes that gap by detecting access creep, dormant privileged accounts, and policy violations as they emerge. That is especially important where rights change quickly through role moves, project work, or delegated administration. For SoD, continuous evidence is more useful than periodic reassurance because the risk is cumulative: a conflict that lasts only a short time can still be enough to create fraud exposure or compliance failure.

Practical implication: Instrument continuous conflict detection and retain remediation evidence so SoD is demonstrable, not just documented.
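The gap the paragraph describes, shown as an added example (not code from SecurEnds or NHIMG): a replay of an entitlement event log that reconstructs every interval during which an identity held a toxic pair and checks whether any point-in-time review fell inside it. The event log, identities, dates, review calendar and the source column tying each change to a ticket are constructed for illustration.

```python
"""Conflict windows from an entitlement event log.

Added example, not code from SecurEnds or NHIMG. The event log, identities,
dates and review calendar are constructed for illustration.
"""
from datetime import date

# Toxic pairs relevant to this log (a slice of a full SoD matrix).
TOXIC = {
    frozenset({"erp:vendor.create", "erp:payment.approve"}),
    frozenset({"iam:access.request", "iam:access.approve"}),
}

# Constructed log: (effective date, identity, action, entitlement, source).
# The source column is the evidence link back to the approval or ticket.
EVENTS = [
    (date(2025, 1, 6),  "alice", "grant",  "erp:vendor.create",   "joiner"),
    (date(2025, 2, 10), "alice", "grant",  "erp:payment.approve", "ticket-4411"),       # conflict opens
    (date(2025, 3, 20), "alice", "revoke", "erp:payment.approve", "project-end"),       # closes before Q1 review
    (date(2025, 5, 2),  "bob",   "grant",  "iam:access.request",  "helpdesk-role"),
    (date(2025, 5, 2),  "bob",   "grant",  "iam:access.approve",  "helpdesk-role"),     # conflict opens
    (date(2025, 7, 15), "bob",   "revoke", "iam:access.approve",  "q2-certification"),  # closed by review
]

# Quarter-end point-in-time certifications.
REVIEW_DATES = [date(2025, 3, 31), date(2025, 6, 30), date(2025, 9, 30)]


def conflict_windows(events, toxic=TOXIC):
    """Replay the log in date order and return every interval in which an
    identity held a toxic pair, as (identity, pair, start, end).
    end is the revoke date (exclusive) or None while the conflict is open."""
    held = {}        # identity -> entitlements currently held
    open_since = {}  # (identity, pair) -> start date
    windows = []
    for day, ident, action, ent, _source in sorted(events):
        current = held.setdefault(ident, set())
        if action == "grant":
            current.add(ent)
        elif action == "revoke":
            current.discard(ent)
        for pair in toxic:
            key = (ident, pair)
            if pair <= current and key not in open_since:
                open_since[key] = day
            elif not pair <= current and key in open_since:
                windows.append((ident, tuple(sorted(pair)), open_since.pop(key), day))
    for (ident, pair), start in open_since.items():
        windows.append((ident, tuple(sorted(pair)), start, None))
    return sorted(windows, key=lambda w: (w[0], w[1], w[2]))


def caught_by_snapshot(window, review_dates=REVIEW_DATES):
    """True if a point-in-time review date fell inside the window."""
    _, _, start, end = window
    return any(start <= d and (end is None or d < end) for d in review_dates)


def days_exposed(window, as_of):
    """Length of the window in days; an open window runs to as_of."""
    _, _, start, end = window
    return ((end or as_of) - start).days


if __name__ == "__main__":
    for w in conflict_windows(EVENTS):
        status = "caught by review" if caught_by_snapshot(w) else "MISSED by every review"
        print(w[0], w[1], w[2], w[3], status, days_exposed(w, date(2025, 12, 31)), "days")
```

Run against the constructed log, alice's create-and-approve conflict is open for 38 days and closes eleven days before the Q1 certification, so no quarterly snapshot ever sees it; bob's request-and-approve conflict is caught because the Q2 date falls inside its window. The replay, not the snapshot, is the evidence that shows when incompatible access was created, for how long it coexisted, and which change closed it.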


Related NHI breaches

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach — compromised Ticketmaster, Santander and others via cloud credential abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Segregation of duties is no longer a policy control alone; it is an identity-state control. The article correctly frames SoD as a governance requirement, but the practical failure point is the identity state itself: who can request, approve, provision, certify, and remediate at any given moment. When those functions collapse into one entitlement chain, the audit problem is already present before the transaction occurs. Practitioners should treat SoD as a live access topology question, not an annual checklist.

Access review without workflow separation produces false confidence. A certification campaign can look clean while the underlying approval path still allows self-approval or delegated conflict. That is why toxic entitlement combinations matter more than isolated permissions. The implication is straightforward: auditors do not just care whether access exists; they care whether incompatible access can coexist long enough to matter.

Cloud and SaaS have turned SoD into a cross-system governance problem. The control was once easier to reason about in single-purpose enterprise systems, but modern identity estates distribute authority across apps, admin consoles, and automation layers. That expands the number of places where a conflict can hide. Practitioners need one governance model for all high-risk systems, not separate local interpretations.

SoD evidence quality is now part of the control, not just the record. If remediation actions, approvals, and exception handling are not traceable, the organisation cannot defend the separation it claims to maintain. That makes evidence discipline a first-class control objective. The practical conclusion is that audit readiness depends on proving separation continuously, not reconstructing it after the fact.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have already endured a successful cyberattack resulting from compromised non-human identities, which shows that identity governance failures are now measurable operational risk, not theory.
  • For the broader control picture, see Top 10 NHI Issues for the access and governance patterns that repeatedly create audit exposure.

What this signals

SoD is converging with NHI governance. As enterprises expand automation, service accounts, and privileged workflows, the same separation logic used in financial audits has to be enforced across machine identities as well as humans. The programme implication is that access reviews, PAM controls, and lifecycle governance can no longer be treated as separate disciplines.

Audit evidence is becoming a runtime problem. Continuous entitlement monitoring and conflict detection matter because a quarterly review can miss the period when a conflict was active. That means identity teams need evidence trails that show not only who had access, but when incompatible access was created, reviewed, and removed.

With 72% of organisations reporting or suspecting an NHI breach, per The 2024 ESG Report: Managing Non-Human Identities, separation of duties is increasingly a cross-identity control pattern rather than a finance-specific audit rule. That shifts programme design toward unified governance for humans, workloads, and automation. Teams that keep SoD local to one domain will miss the cumulative risk.


For practitioners

  • Build an SoD matrix for identity workflows: Document incompatible combinations across request, approval, provisioning, certification, and exception handling. Include IAM, PAM, ERP, finance, and cloud administration paths so the same person cannot complete a full sensitive process.
  • Block self-approval in high-risk workflows: Enforce technical separation so the identity that creates or requests access cannot approve or recertify it. Apply this to privileged roles, financial transactions, and admin exceptions before they reach production.
  • Review toxic entitlement combinations continuously: Track combinations such as create-and-approve, request-and-certify, and admin-and-review across all major systems. Escalate overlaps as governance defects, not just review findings, and retain remediation evidence for audit defense.
  • Automate access certifications with conflict detection: Use continuous review workflows that flag overlapping entitlements, dormant privileged access, and unresolved exceptions. Tie each finding to a named owner and a recorded decision so the audit trail is complete.
  • Preserve remediation evidence alongside approvals: Store the approval chain, the remediation decision, and the closure record together. Auditors need to see that the conflict was not only identified but also resolved within the same governance process.

Key takeaways

  • Segregation of duties is an identity governance control that prevents one actor from requesting, approving, and executing the same sensitive action.
  • Cloud, SaaS, ERP, and PAM environments make SoD harder to prove because conflicts can be distributed across systems and workflows.
  • Continuous conflict detection, self-approval blocking, and preserved remediation evidence are the controls that make SoD audit-defensible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed, incorporating least privilege and separation of duties; this is the CSF 2.0 successor to CSF 1.1 PR.AC-4 and the direct home of SoD.
NIST CSF 2.0 | PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organisation, so service and automation accounts in an approval chain are lifecycle-governed rather than left as unowned authority.
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Machine and privileged identities accumulate the same toxic entitlement combinations as humans when access is granted broadly and not lifecycle-governed.

Apply NHI lifecycle controls to service and automation accounts that participate in sensitive approvals.


Key terms

  • Segregation Of Duties: Segregation of duties is the practice of splitting sensitive tasks across different people or roles so no one identity can complete an entire critical process alone. In identity programs, the control must be enforced in workflows, entitlements, and approvals, not just written into policy.
  • Toxic Entitlement Combination: A toxic entitlement combination is a set of permissions that becomes risky when held together, even if each permission seems acceptable on its own. Auditors look for combinations such as request and approve, create and certify, or administer and review, because they create self-reinforcing control failure.
  • Access Certification: Access certification is the periodic review of assigned permissions to confirm they are still needed and appropriate. In mature identity governance, certification should not only validate presence of access, but also detect conflicting access paths and produce evidence that remediation was completed.

Deepen your knowledge

Segregation of duties in auditing and access governance is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation is trying to prove separation across cloud, ERP, and privileged workflows, this is a practical place to start.

This post draws on content published by SecurEnds: segregation of duties in auditing and why it matters for modern governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org