TL;DR: Segregation of duties reduces fraud and audit risk by splitting authorization, custody, and recordkeeping, and an ACFE survey cited by SecurEnds found organisations with strong SoD controls detected fraud 50% faster than those without. The governance lesson is that control design only works when access, approvals, and evidence are separated and reviewed continuously.
At a glance
What this is: This is an analysis of segregation of duties in internal controls and its key finding that splitting approval, custody, and recordkeeping materially improves fraud detection and auditability.
Why it matters: It matters because SoD is the same governance problem IAM teams face across NHI, autonomous systems, and human access: no single actor should be able to create, approve, and execute a critical action unchecked.
By the numbers:
- One survey by the Association of Certified Fraud Examiners found companies with strong SoD controls detected fraud 50% faster than those without.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read SecurEnds' article on segregation of duties in internal controls
Context
Segregation of duties in internal controls means no single actor should be able to approve, record, and release a critical transaction. In identity terms, that is an access design problem, not just an accounting policy problem, because the same concentration of authority can appear in finance, payroll, IT, and NHI operations.
The reason this matters to identity programmes is simple: when roles, approvals, and custody collapse into one account or one person, oversight disappears. The control question is the same across human IAM, service accounts, and autonomous workflows, even if the implementation differs.
Key questions
Q: How should security teams implement segregation of duties in high-risk workflows?
A: Start by identifying every workflow where one identity could request, approve, execute, and record the same action. Split those rights across separate identities, then verify the separation at the entitlement level, not just the job-title level. Where separation is impossible, require compensating controls such as independent review and durable evidence.
Q: Why does weak segregation of duties increase fraud and compliance risk?
A: Because it removes the checkpoints that expose misuse and error. If one identity can both initiate and complete a sensitive action, collusion is no longer required and mistakes are easier to hide. Auditors also see weak SoD as evidence that governance cannot prove control effectiveness.
Q: What do teams get wrong when they rely on roles to prove SoD?
A: They assume a role name proves separation, but effective privilege is what matters. A role can look normal and still bundle conflicting rights such as creation, approval, and release. Teams should test permission combinations, accumulated access, and exception paths.
Q: Who is accountable when compensating controls are used instead of full separation?
A: Accountability stays with the control owner and the business process owner, because compensating controls are an exception to design, not a replacement for it. The organisation must be able to show why the overlap exists, who reviews it, and what evidence proves the control is working.
Technical breakdown
Authorization, custody, and recordkeeping are separate control planes
Segregation of duties works when the actor that approves an action is not the actor that performs it, and neither is the actor that records it. That separation creates independent checkpoints, which is why SoD is as much a control architecture as it is a governance rule. In IAM terms, it prevents a single identity from carrying the entire lifecycle of a high-risk process. The control fails when ERP roles, admin rights, or workflow permissions are bundled into one entitlement set, because the audit trail then reflects only one perspective of the event.
Practical implication: map approval, execution, and recording rights to different identities and verify those separations in access reviews.
Role-based access control often hides SoD violations
RBAC can make SoD look present while quietly reintroducing risk through broad role bundles. A user may appear to have a normal job role, yet that role can still include vendor creation, payment release, or deployment authority in the same entitlement package. That is why SoD analysis has to look at effective permissions, not job titles. In practice, the problem is not just excessive access but conflicting access. Once a role can both initiate and complete a sensitive process, the system no longer needs collusion for misuse to happen.
Practical implication: test effective permissions for conflicting combinations, not just whether roles look appropriate on paper.
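Testing effective permissions rather than role names, as the two sections above describe, comes down to resolving every grant path an identity has (roles, groups, nested groups, one-off exceptions) and checking the union against a conflict matrix and against whole workflows. The script below is an added example, not code from the SecurEnds article or from NHIMG; every role, group, identity, permission name, conflict pair and workflow in it is constructed for illustration. It also reports the workflow-level conflict density this post discusses: the share of critical workflows that at least one identity can complete alone.

```python
"""Effective-privilege segregation-of-duties check (added example).

Resolves each identity's effective permissions from role bundles, group
membership (including nested groups) and one-off exceptions, then tests the
result against a conflict matrix and against whole workflows. Every role,
group, identity, permission and workflow name here is constructed for
illustration; none comes from the original article.
"""

# Permissions carried by each role (constructed ERP and CI examples).
ROLES = {
    "ap_clerk":        {"vendor.create", "invoice.enter"},
    "ap_manager":      {"payment.approve"},
    "treasury":        {"payment.release"},
    "deployer":        {"change.deploy"},
    "change_approver": {"change.approve"},
    # Reads like an ordinary job role but bundles creation with approval.
    "finance_ops":     {"vendor.create", "invoice.enter", "payment.approve"},
}

# Groups grant roles and may nest other groups.
GROUPS = {
    "finance-all":  {"roles": {"ap_clerk"},   "groups": set()},
    "finance-lead": {"roles": {"ap_manager"}, "groups": {"finance-all"}},
    "platform":     {"roles": {"deployer"},   "groups": set()},
}

# Permission pairs that must never sit on one identity.
CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("payment.approve", "payment.release"),
    ("change.deploy", "change.approve"),
]

# Critical workflows as ordered lists of the permission each step needs.
WORKFLOWS = {
    "vendor_payment": ["vendor.create", "invoice.enter", "payment.approve", "payment.release"],
    "prod_change":    ["change.request", "change.approve", "change.deploy"],
    "payroll_run":    ["payroll.edit", "payroll.approve"],
}

# Constructed access data; "exceptions" are direct grants outside any role
# (temporary access, leftovers from a transfer, break-glass never revoked).
IDENTITIES = {
    "alice":          {"groups": {"finance-all"}},
    "bob":            {"groups": {"finance-lead"}},  # inherits ap_clerk via nesting
    "carol":          {"roles": {"finance_ops"}, "exceptions": {"payment.release"}},
    "dave":           {"groups": {"platform"}},
    "svc-deploy-bot": {"roles": {"deployer", "change_approver"}, "exceptions": {"change.request"}},
}


def expand_groups(group, seen=None):
    """Transitive closure of nested groups reachable from `group` (cycle-safe)."""
    if seen is None:
        seen = set()
    if group in seen or group not in GROUPS:
        return seen
    seen.add(group)
    for child in GROUPS[group]["groups"]:
        expand_groups(child, seen)
    return seen


def effective_permissions(identity):
    """Union of role, group-inherited and exception grants for one identity."""
    roles = set(identity.get("roles", ()))
    for group in identity.get("groups", ()):
        for g in expand_groups(group):
            roles |= GROUPS[g]["roles"]
    perms = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms | set(identity.get("exceptions", ()))


def find_conflicts(identity):
    """Conflict pairs present in the identity's effective permission set."""
    perms = effective_permissions(identity)
    return [pair for pair in CONFLICTS if pair[0] in perms and pair[1] in perms]


def end_to_end_owners(identities):
    """For each workflow, the identities whose effective privilege covers every step."""
    owners = {}
    for wf, steps in WORKFLOWS.items():
        needed = set(steps)
        owners[wf] = sorted(name for name, ident in identities.items()
                            if needed <= effective_permissions(ident))
    return owners


def conflict_density(identities):
    """Share of critical workflows that at least one identity can complete alone."""
    owners = end_to_end_owners(identities)
    return sum(1 for names in owners.values() if names) / len(WORKFLOWS)


if __name__ == "__main__":
    for name, ident in IDENTITIES.items():
        print(name, sorted(effective_permissions(ident)), find_conflicts(ident))
    print(end_to_end_owners(IDENTITIES))
    print(f"conflict density: {conflict_density(IDENTITIES):.2f}")
```

Two things the run makes visible that a role report would not: bob never holds a role that looks conflicting, yet nesting gives him vendor creation plus payment approval; and carol's single temporary grant of payment.release turns a conflicting role into end-to-end ownership of the whole payment workflow. Exceptions and inherited grants are therefore part of the input to any SoD review, not an afterthought.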
Compensating controls are not a substitute for separation
Small teams often cannot split every duty cleanly, so they rely on supervisor sign-off, exception review, or periodic independent checks. These compensating controls reduce exposure, but they do not remove the underlying concentration of power. Their real value is evidentiary and detective, not preventive. That distinction matters in audit and in identity governance, because a workflow that depends on review after the fact still assumes someone can act before the review occurs. SoD maturity is measured by how often exceptions are necessary, and how much trust those exceptions require.
Practical implication: document every compensating control as an exception, then monitor how often the exception becomes the default path.
Threat narrative
Attacker objective: The objective is to complete a sensitive transaction or change without independent oversight, so misuse looks like normal business activity.
- Entry occurs when a single employee or account is granted overlapping authority across approval, recordkeeping, and execution in one workflow.
- Escalation follows when that identity can create a change, validate it, and release it without a second control owner reviewing the action.
- Impact is fraud, concealed error, or unauthorized change that persists until an auditor, reconciler, or exception report exposes the conflict.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SoD is an identity control pattern, not just an accounting safeguard. The article frames the issue in finance language, but the underlying problem is broader: one identity should not be able to create, approve, and release a critical action. That principle maps directly to IAM, PAM, and NHI governance, where conflicting entitlements create the same loss of oversight. The practitioner takeaway is that SoD should be measured as an access conflict problem across all high-risk workflows, not only in ledger processes.
Consolidated workflow authority creates a hidden identity blast radius. When authorization, custody, and recordkeeping sit in one role, the blast radius is not just bigger, it is unbounded by design. The same pattern appears when service accounts, admin roles, or workflow bots inherit broad permissions to move from request to execution without a second control owner. The implication for practitioners is to treat overlapping entitlements as a structural governance defect, not a user convenience issue.
Compensating controls reveal where governance has already failed to segment authority. Supervisor sign-off and periodic review can reduce exposure, but they exist because the primary design could not enforce separation. That is a useful signal for IAM teams, because repeated reliance on exception handling usually means the access model is too coarse for the process risk. The practitioner conclusion is to measure how many critical workflows depend on manual backstops and why.
Separation of duties is the practical test of whether access governance can survive audit. SOX, COSO, and GAAP only matter operationally when teams can show that no single identity controls a material process end to end. In identity terms, that means effective permissions, evidence trails, and review cadence must all align. The practitioner takeaway is straightforward: if the same identity can initiate, approve, and certify a change, governance has already failed.
Identity governance breaks when people treat job role and effective privilege as the same thing. A role label can look compliant while its permission bundle still enables conflicting actions. That is why SoD analysis has to be built from actual access paths, not org charts. The implication for practitioners is to recertify against effective privilege combinations, not against title alone.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means SoD reviews often start from incomplete access data.
- That visibility problem is why teams should pair SoD analysis with the NHI Lifecycle Management Guide and separate entitlement review from entitlement provisioning.
What this signals
SoD is becoming an identity governance test across the full access estate, not just a finance control. When organisations cannot separate approval from execution, they usually cannot separate ownership from access either, which is why the same defect appears in ERP, payroll, service accounts, and admin workflows. Teams that want audit resilience should align SoD reviews with NIST Cybersecurity Framework 2.0 control governance and evidence collection.
Identity conflict density: the useful metric is not how many policies exist, but how many workflows still allow one identity to complete a critical action alone. That number will often rise as organisations consolidate platforms and delegate more activity to workflow automation. The governance response is to measure conflict density, then reduce it before it becomes an audit finding.
As access estates grow, SoD failures tend to surface first in the long tail of exceptions, transfers, and temporary access. That is where recertification and lifecycle offboarding become practical controls rather than compliance chores. Programmes that can tie SoD to lifecycle review will be better positioned to prove control effectiveness under audit.
For practitioners
- Map conflicting entitlements across critical workflows: List the identities that can initiate, approve, record, and release each high-risk process, then flag any overlap that lets one actor complete the flow end to end.
- Test effective access, not just role names: Review ERP, IT, and payroll permissions at the entitlement level so you can find bundled rights such as vendor creation plus payment approval or deploy plus approve.
- Treat compensating controls as exceptions: Where staffing forces overlap, require named supervisor review, independent reconciliation, and evidence retention so the exception is visible and auditable.
- Automate conflict detection in access reviews: Use periodic and event-driven access reviews to surface users whose accumulated access now creates SoD conflicts after transfers, promotions, or project changes.
- Document audit evidence for every split duty: Keep approval logs, change records, and sign-off trails together so auditors can verify that no single identity controlled the transaction from start to finish.
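Entitlement analysis tells you who could complete a workflow alone; the approval and sign-off trails tell you who actually did, and how often the compensating-control path was used instead of real separation. The script below is an added example, not code from the SecurEnds article or from NHIMG. It replays a constructed log, flags transactions in which one identity performed more than one controlled step, separates those covered by an independent sign-off (the compensating control, logged here as a `signoff` step by a different actor) from uncovered violations, and reports per workflow how often the overlap path was taken. The log format, workflow and actor names, step names and the 50% threshold are all assumptions made for the example.

```python
"""Transaction-log segregation-of-duties audit (added example).

Replays approval and release trails to find transactions where one identity
performed more than one controlled step, distinguishes overlaps covered by an
independent sign-off (a compensating control) from uncovered violations, and
measures how often the overlap path is used per workflow. Log format, names
and threshold are constructed for illustration, not taken from the article.
"""
import re
from collections import defaultdict

# One line per step; constructed format: "<ts> txn=<id> wf=<workflow> step=<step> actor=<identity>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) txn=(?P<txn>\S+) wf=(?P<wf>\S+) step=(?P<step>\S+) actor=(?P<actor>\S+)$"
)
CONTROLLED_STEPS = ("initiate", "approve", "release")  # steps that must be held by different actors
SIGNOFF_STEP = "signoff"                                # compensating control: independent review
DEFAULT_PATH_THRESHOLD = 0.5   # overlap on more than half of transactions means the exception is the default

# Constructed sample trail (not real data).
SAMPLE_LOG = """
2025-09-01T09:00:00Z txn=1001 wf=vendor_payment step=initiate actor=alice
2025-09-01T09:05:00Z txn=1001 wf=vendor_payment step=approve actor=bob
2025-09-01T09:10:00Z txn=1001 wf=vendor_payment step=release actor=treasury-svc
2025-09-01T10:00:00Z txn=1002 wf=vendor_payment step=initiate actor=carol
2025-09-01T10:01:00Z txn=1002 wf=vendor_payment step=approve actor=carol
2025-09-01T10:02:00Z txn=1002 wf=vendor_payment step=signoff actor=dana
2025-09-01T10:05:00Z txn=1002 wf=vendor_payment step=release actor=carol
2025-09-02T11:00:00Z txn=1003 wf=vendor_payment step=initiate actor=carol
2025-09-02T11:01:00Z txn=1003 wf=vendor_payment step=approve actor=carol
2025-09-02T11:02:00Z txn=1003 wf=vendor_payment step=release actor=carol
2025-09-02T12:00:00Z txn=2001 wf=prod_change step=initiate actor=deploy-bot
2025-09-02T12:00:05Z txn=2001 wf=prod_change step=approve actor=deploy-bot
2025-09-02T12:00:10Z txn=2001 wf=prod_change step=release actor=deploy-bot
2025-09-02T13:00:00Z txn=2002 wf=prod_change step=initiate actor=erin
2025-09-02T13:30:00Z txn=2002 wf=prod_change step=approve actor=frank
2025-09-02T13:35:00Z txn=2002 wf=prod_change step=release actor=deploy-bot
"""


def parse_log(text):
    """Group lines into {txn: {"wf": workflow, "steps": {step: set(actors)}}}; skip malformed lines."""
    txns = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        t = txns.setdefault(m["txn"], {"wf": m["wf"], "steps": defaultdict(set)})
        t["steps"][m["step"]].add(m["actor"])
    return txns


def classify(txn):
    """Return (status, overlapping_actors): ok, exception (signed off) or violation."""
    step_actors = txn["steps"]
    count = defaultdict(int)
    for step in CONTROLLED_STEPS:
        for actor in step_actors.get(step, ()):
            count[actor] += 1
    overlapping = sorted(a for a, n in count.items() if n > 1)
    if not overlapping:
        return "ok", []
    # A sign-off only counts if it came from someone outside the overlap.
    independent = step_actors.get(SIGNOFF_STEP, set()) - set(overlapping)
    return ("exception" if independent else "violation"), overlapping


def audit(text):
    """Per-workflow counts, overlap rate, and a flag when overlap has become the default path."""
    report = {}
    for txn_id, txn in parse_log(text).items():
        status, actors = classify(txn)
        wf = report.setdefault(txn["wf"], {"total": 0, "ok": 0, "exception": 0,
                                           "violation": 0, "findings": []})
        wf["total"] += 1
        wf[status] += 1
        if status != "ok":
            wf["findings"].append((txn_id, status, actors))
    for wf in report.values():
        wf["overlap_rate"] = (wf["exception"] + wf["violation"]) / wf["total"]
        wf["exception_is_default"] = wf["overlap_rate"] > DEFAULT_PATH_THRESHOLD
    return report


if __name__ == "__main__":
    for name, wf in audit(SAMPLE_LOG).items():
        print(name, {k: v for k, v in wf.items() if k != "findings"})
        for finding in wf["findings"]:
            print("   ", finding)
```

On the sample trail, vendor_payment shows one sign-off-covered exception (txn 1002) and one bare violation (txn 1003), so two of three transactions bypassed primary separation and the workflow is flagged as running on its exception path. The prod_change violation (txn 2001) is the service-account case: the bot initiates, approves and releases with no human in the loop, which is the same defect the entitlement review would have predicted. Keeping the sign-off step in the same trail as the approval and release records is what lets an auditor distinguish the two cases.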
Key takeaways
- Segregation of duties is an identity governance control that prevents one actor from owning an entire critical workflow.
- The scale of the risk is real: strong SoD controls were associated with fraud detection 50% faster than weaker programmes in the ACFE survey cited by SecurEnds.
- Practitioners should focus on effective privilege conflicts, compensating controls, and audit evidence, because that is where SoD succeeds or fails.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements are managed, enforced, and reviewed under least privilege and separation of duties; access conflicts are a privilege-management issue. |
| NIST CSF 2.0 | GV.PO-01 | SoD needs documented policy and accountability across critical workflows. |
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | NHI privilege overreach mirrors SoD failures when service accounts can do too much. |
Check non-human identities for conflicting privileges and reduce standing access to the minimum set.
Key terms
- Segregation Of Duties: A control design that prevents one identity from owning all steps in a critical process. In practice, it separates approval, execution, custody, and recording so errors and misuse are easier to detect. The control applies to human users, service accounts, and automated workflows whenever a single actor would otherwise hold end-to-end power.
- Compensating Control: A secondary control used when full separation is not practical. It does not replace the underlying design weakness, but it adds review, evidence, or oversight that reduces the chance of undetected misuse. In identity programmes, compensating controls are strongest when they are named, owned, and regularly tested.
- Effective Privilege: The actual permissions an identity can use after roles, groups, inherited rights, and exceptions are combined. It matters more than the job title or role name because SoD failures usually hide inside permission bundles. Effective privilege is the real object of access review and conflict detection.
Deepen your knowledge
Segregation of duties in internal controls is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are translating finance-style control separation into identity governance, the course gives you the governance lens to do it consistently.
This post draws on content published by SecurEnds: segregation of duties in internal controls. Read the original.
Published by the NHIMG editorial team on 2025-09-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org