TL;DR: Segregation of duties software only reduces fraud and audit risk when role design, access reviews, provisioning, and deprovisioning are governed consistently across the user lifecycle, according to Zluri’s 2026 overview of SoD tooling. The deeper issue is not feature coverage but whether identity controls can keep conflicting access from accumulating faster than governance can remove it.
At a glance
What this is: This is a vendor-authored overview of SoD software that argues segregation of duties breaks down when lifecycle controls, role definitions, and monitoring are managed manually or inconsistently.
Why it matters: It matters because SoD failures rarely stay limited to human users: the same governance gaps also undermine NHI access, privileged workflows, and emerging agentic access paths when identity control is fragmented.
👉 Read Zluri's overview of top SoD software for identity governance teams
Context
Segregation of duties is the idea that no single identity should be able to initiate, approve, and complete a high-risk action without independent controls. In practice, SoD fails when role definitions are vague, reviews are periodic but not operational, and offboarding or access changes do not keep pace with how work actually happens across the identity surface.
The article uses SoD software as an IGA and compliance lens, but the underlying problem is broader than human job roles. The same control weaknesses that let conflicting human access persist also show up in service accounts, API credentials, and delegated application access when governance is treated as a one-time configuration instead of a lifecycle discipline.
Zluri’s framing is typical of the market. SoD is often sold as a software category, but the real practitioner question is whether identity governance can continuously enforce separation across provisioning, requests, recertification, and revocation without depending on manual cleanup.
Key questions
Q: How should security teams implement segregation of duties across identity programmes?
A: Start with the highest-risk business processes and map the exact permission combinations that must never sit in one identity. Then connect those rules to joiner-mover-leaver workflows, access reviews, and revocation so conflicts are prevented or removed as identities change. Treat SoD as an entitlement-state problem, not a static role catalog.
Q: Why does segregation of duties fail when access reviews are only periodic?
A: Periodic reviews can confirm what was granted at a point in time, but they do not stop access from drifting in between reviews. If roles change, exceptions accumulate, or accounts remain active after business need has ended, conflicting authority can persist long enough to create fraud or audit exposure.
Q: What breaks when SoD is managed manually?
A: Manual SoD depends on people remembering to approve, revoke, and re-check access across multiple systems. That creates delay, inconsistency, and blind spots, especially when employees move roles or when non-human identities keep their access after the original purpose has changed.
Q: Who is accountable when segregation of duties controls fail?
A: Accountability usually sits across identity governance, application owners, and control owners because SoD is enforced through business rules, access administration, and audit evidence. Organisations should define ownership for policy design, exception approval, and entitlement removal so failures do not fall between teams.
Technical breakdown
How SoD policy engines map conflicting roles
SoD engines work by comparing assigned roles, entitlements, or requested access against a policy matrix that flags incompatible combinations. The matrix is usually built from business processes, regulatory expectations, or internal control standards, then enforced at provisioning or approval time. In mature implementations, the system does not just detect direct conflicts. It also considers inherited permissions, cross-application entitlements, and workflows that allow a user to accumulate contradictory authority across systems. That matters because most SoD failures are not caused by a single toxic role. They emerge when multiple low-risk grants combine into a high-risk path.
Practical implication: map SoD rules to actual permission combinations, not job titles alone.
Why lifecycle management is the hidden control layer in SoD
Segregation of duties depends on the lifecycle state of access, not just the initial grant. Joiner-mover-leaver processes determine whether access is created correctly, adjusted when roles change, and removed when the identity no longer needs it. Access review only works if the underlying entitlement model is current, because reviewers cannot reliably detect conflicts hidden behind stale roles or dormant accounts. For non-human identities, this becomes more brittle: service accounts and tokens can persist long after the business justification has changed, so SoD logic must be tied to provisioning, rotation, and offboarding events as well as periodic certification.
Practical implication: connect SoD policy checks to joiner-mover-leaver and entitlement revocation workflows.
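As an added example (not code from the Zluri article or from NHIMG), the Python sketch below implements the mechanics described in the two subsections above in one place: it flattens role inheritance, evaluates a cross-application toxic-combination matrix on (application, permission) pairs rather than job titles, runs the same check preventively at request time, and re-evaluates it on joiner, mover and leaver events for both a human and a service account. The applications, roles, policy ids and identities are hypothetical; the `demo()` function returns the results so the scenario can be inspected.

```python
"""Toy SoD policy engine over hypothetical data: role inheritance,
cross-application toxic combinations, preventive request checks, and
re-evaluation on joiner/mover/leaver events."""
from __future__ import annotations
from dataclasses import dataclass, field

# An entitlement is (application, permission). Policies are written on these,
# not on job titles, so combinations across systems can be expressed.
Entitlement = tuple[str, str]

# Hypothetical role catalog. "ap_lead" grants nothing directly but inherits a
# toxic pair, which is the kind of conflict a title-based check misses.
ROLES: dict[str, dict] = {
    "base_user":        {"grants": {("erp", "ledger.read")}, "inherits": []},
    "ap_clerk":         {"grants": {("erp", "vendor.create"), ("ap", "invoice.enter")}, "inherits": ["base_user"]},
    "ap_approver":      {"grants": {("ap", "invoice.approve")}, "inherits": ["base_user"]},
    "ap_lead":          {"grants": set(), "inherits": ["ap_clerk", "ap_approver"]},
    "treasury_analyst": {"grants": {("bank", "payment.release")}, "inherits": ["base_user"]},
}

# Hypothetical policy matrix: each set must never coexist in one identity.
# Each grant is low-risk alone; the combination is the high-risk path.
SOD_POLICIES: dict[str, frozenset] = {
    "SOD-01": frozenset({("erp", "vendor.create"), ("ap", "invoice.approve")}),    # create a vendor and approve its invoices
    "SOD-02": frozenset({("ap", "invoice.approve"), ("bank", "payment.release")}),  # approve an invoice and release the payment
}

@dataclass
class Identity:
    name: str
    kind: str                                   # "human" or "nhi" (same rules apply)
    roles: set[str] = field(default_factory=set)
    direct: set[Entitlement] = field(default_factory=set)   # exceptions granted outside roles
    active: bool = True

def role_entitlements(role: str, seen: set[str] | None = None) -> set[Entitlement]:
    """Flatten a role through its whole inheritance chain (cycle-safe)."""
    seen = seen if seen is not None else set()
    if role in seen or role not in ROLES:
        return set()
    seen.add(role)
    out = set(ROLES[role]["grants"])
    for parent in ROLES[role]["inherits"]:
        out |= role_entitlements(parent, seen)
    return out

def effective_entitlements(ident: Identity) -> set[Entitlement]:
    """Current entitlement state: inherited role grants plus direct exceptions."""
    if not ident.active:
        return set()
    out = set(ident.direct)
    for r in ident.roles:
        out |= role_entitlements(r)
    return out

def find_conflicts(ents: set[Entitlement]) -> list[str]:
    """Ids of every policy whose full toxic combination is present."""
    return sorted(pid for pid, combo in SOD_POLICIES.items() if combo <= ents)

def check_request(ident: Identity, role: str) -> list[str]:
    """Preventive check: conflicts that WOULD exist if the role were granted."""
    return find_conflicts(effective_entitlements(ident) | role_entitlements(role))

def apply_event(ident: Identity, event: str, add: str | None = None,
                remove: str | None = None) -> list[str]:
    """Joiner/mover/leaver handling; conflicts are evaluated on the event itself.
    A mover that only adds the new role keeps the old entitlements."""
    if event in ("joiner", "mover"):
        if add:
            ident.roles.add(add)
        if remove:
            ident.roles.discard(remove)
    elif event == "leaver":
        ident.active = False
        ident.roles.clear()
        ident.direct.clear()
    return find_conflicts(effective_entitlements(ident))

def demo() -> dict:
    """Constructed scenario covering inheritance, mover drift and an NHI exception."""
    r: dict = {}
    bob = Identity("bob", "human")
    r["joiner"] = apply_event(bob, "joiner", add="ap_approver")            # clean
    r["request_ap_lead"] = check_request(bob, "ap_lead")                    # SOD-01 via inheritance, blocked before grant
    r["mover_additive"] = apply_event(bob, "mover", add="treasury_analyst")  # old role kept: SOD-02
    r["mover_clean"] = apply_event(bob, "mover", remove="ap_approver")       # old role removed: clean
    svc = Identity("svc-payments", "nhi", roles={"ap_approver"}, direct={("bank", "payment.release")})
    r["nhi_exception"] = find_conflicts(effective_entitlements(svc))        # exception grant recreates SOD-02
    r["leaver"] = apply_event(svc, "leaver")                                # offboarding clears everything
    r["leaver_entitlements"] = effective_entitlements(svc)
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The mover case is the one to study: adding `treasury_analyst` without removing `ap_approver` produces SOD-02 immediately, and the engine only catches it because the check runs on the event rather than at the next certification.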
How audit trails and monitoring support SoD enforcement
Audit trails are the evidence layer for SoD. They show who requested access, who approved it, what the system granted, and when the entitlement changed. Continuous monitoring extends that by surfacing policy drift after the fact, including exceptions that bypass normal approval paths. The operational mistake is treating logging as a reporting feature rather than a control dependency. Without a reliable trail, SoD violations become difficult to prove, hard to remediate, and weak in external audits. In identity programmes that span humans and non-human identities, the evidence model must be consistent across all actor types.
Practical implication: require immutable audit evidence for requests, approvals, grants, and revocations.
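As an added example (not from the Zluri article or from NHIMG), the following Python sketch shows what "audit evidence as a control dependency" looks like in practice: every request, approval, grant and revocation is appended to a hash-chained log so later edits are detectable, the log is replayed to reconstruct what the system should currently have granted, grants that bypassed the request/approval path or were self-approved are flagged, and the replayed state is reconciled against a constructed snapshot of live access. The identities, entitlement names and events are constructed for illustration.

```python
"""Hash-chained SoD audit trail over constructed sample events: tamper
detection, replay of grants/revocations, detection of grants that bypassed
approval, and reconciliation against a live entitlement snapshot."""
from __future__ import annotations
import hashlib
import json

GENESIS = "0" * 64

def _digest(record: dict) -> str:
    """SHA-256 of the canonical JSON of a record, excluding its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, ts: int, event: str, identity: str, entitlement: str,
               actor: str, ref: str | None = None) -> dict:
        """Append one record; 'ref' links approvals, grants and revocations
        to the request they satisfy. 'prev' chains it to the record before."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = {"ts": ts, "event": event, "identity": identity,
               "entitlement": entitlement, "actor": actor, "ref": ref, "prev": prev}
        rec["hash"] = _digest(rec)
        self.entries.append(rec)
        return rec

    def verify(self) -> int | None:
        """Index of the first record whose hash or chain link is broken, else None."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev"] != prev or rec["hash"] != _digest(rec):
                return i
            prev = rec["hash"]
        return None

    def current_grants(self) -> dict[str, set[str]]:
        """Replay grants and revocations: the log's view of who holds what now."""
        state: dict[str, set[str]] = {}
        for rec in self.entries:
            ents = state.setdefault(rec["identity"], set())
            if rec["event"] == "grant":
                ents.add(rec["entitlement"])
            elif rec["event"] == "revoke":
                ents.discard(rec["entitlement"])
        return state

    def unapproved_grants(self) -> list[dict]:
        """Grants with no request/approval chain, or whose approver is the
        requester (self-approval collapses the separation the workflow enforces)."""
        requests = {r["ref"]: r for r in self.entries if r["event"] == "request"}
        approvals = {r["ref"]: r for r in self.entries if r["event"] == "approve"}
        bad = []
        for rec in self.entries:
            if rec["event"] != "grant":
                continue
            req, app = requests.get(rec["ref"]), approvals.get(rec["ref"])
            if req is None or app is None or req["actor"] == app["actor"]:
                bad.append(rec)
        return bad

def reconcile(trail: AuditTrail, live: dict[str, set[str]]) -> dict[str, set[str]]:
    """Entitlements present in the live system with no surviving grant evidence."""
    logged = trail.current_grants()
    gaps = {ident: ents - logged.get(ident, set()) for ident, ents in live.items()}
    return {ident: missing for ident, missing in gaps.items() if missing}

def build_sample_trail() -> AuditTrail:
    """Constructed events: one clean workflow, one self-approval, one bypass."""
    t = AuditTrail()
    t.append(1, "request", "alice", "ap:invoice.approve", actor="alice", ref="r1")
    t.append(2, "approve", "alice", "ap:invoice.approve", actor="carol", ref="r1")
    t.append(3, "grant",   "alice", "ap:invoice.approve", actor="iga-system", ref="r1")
    t.append(4, "request", "bob", "erp:vendor.create", actor="bob", ref="r2")
    t.append(5, "approve", "bob", "erp:vendor.create", actor="bob", ref="r2")          # self-approved
    t.append(6, "grant",   "bob", "erp:vendor.create", actor="iga-system", ref="r2")
    t.append(7, "grant",   "svc-payments", "bank:payment.release", actor="admin-dave")  # no request, no approval
    t.append(8, "revoke",  "alice", "ap:invoice.approve", actor="iga-system", ref="r1")  # mover cleanup
    return t

if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain ok:", trail.verify() is None)
    print("bypassed/self-approved:", [(r["identity"], r["ref"]) for r in trail.unapproved_grants()])
    # Constructed live snapshot: the service account holds access the log never granted.
    live = {"alice": set(), "svc-payments": {"bank:payment.release", "ap:invoice.approve"}}
    print("unexplained live access:", reconcile(trail, live))
```

Two findings in the constructed data matter for SoD: the service account's `ap:invoice.approve` exists in the live system but nowhere in the evidence, so it cannot be defended in an audit, and bob's `erp:vendor.create` has approval evidence that is worthless because he approved it himself. A real deployment would anchor the chain head somewhere the IGA administrators cannot write to; the in-memory chain here only demonstrates the detection logic.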
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SoD software is only as strong as the lifecycle discipline behind it. The article treats segregation of duties as a software capability, but the real control is whether identity state changes are kept current enough to prevent conflicting authority from accumulating. When provisioning, mover events, and offboarding are handled inconsistently, SoD becomes a partial control that looks complete on paper. Practitioners should judge SoD by lifecycle integrity, not dashboard coverage.
Manual segregation of duties creates governance latency that attackers and auditors both exploit. If role exceptions, access grants, and recertifications depend on people remembering to act, the organisation accumulates unmanaged overlap between approval, execution, and review rights. That overlap is where fraud, accidental misuse, and audit failure converge. The more distributed the identity estate becomes, the less tolerable manual exception handling is. Practitioners should treat latency itself as a control defect.
Standing access is the hidden failure mode in many SoD programmes. A role model can be formally correct and still fail if users retain old entitlements after moving teams or leaving projects. This is the same lifecycle issue that appears in non-human identity governance, where access outlives the business purpose that justified it. The implication is that SoD is not just a policy question, it is an entitlement freshness problem.
SoD is increasingly a cross-identity governance problem, not a human-only compliance function. The article’s examples focus on employees, but the same separation principle must extend to service accounts, API credentials, and delegated application access where a single identity can still create unacceptable concentration of authority. That is where NHI governance and human IAM converge. Practitioners should align SoD controls across human and non-human pathways instead of running them as separate discipline silos.
Named concept, identity entitlement freshness gap: SoD programmes fail when access is reviewed as a snapshot instead of as a living entitlement state. Roles, exceptions, and approvals can all look compliant while the underlying access has drifted out of alignment with business need. The implication is that identity governance must be evaluated on how quickly it detects and removes stale authority, not just on whether it can document it.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- If you need the lifecycle angle behind that confidence gap, review NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding controls that keep access from drifting.
What this signals
Identity entitlement freshness gap: SoD programmes that rely on periodic certification will continue to miss access drift unless they connect reviews to the underlying lifecycle events that change authority. For teams running mixed human and machine estates, that means the governance model must recognise stale access as a living control failure, not just a reporting issue.
The market is moving from static role separation toward continuous entitlement governance because audit pressure and operational sprawl now meet in the same place. Teams that cannot prove who approved access, who changed it, and when it was removed will keep seeing SoD collapse into exception management.
For programmes that span human users and non-human identities, the practical next step is to align SoD with lifecycle control evidence and exception handling. The most useful internal reference point is Top 10 NHI Issues, because the same visibility and governance gaps usually reappear outside the employee estate.
For practitioners
- Align SoD rules to high-risk entitlement combinations: Build policy logic around the combinations that actually create fraud or control failure, then validate those combinations against real application permissions rather than job titles.
- Tie SoD checks to lifecycle events: Trigger review and conflict detection on joiner, mover, and leaver events so role drift is caught when access changes, not weeks later during a periodic review.
- Treat audit evidence as a control requirement: Capture request, approval, grant, exception, and revocation records in a form that can support internal investigation and external compliance testing.
- Extend segregation logic to non-human identities: Apply the same separation model to service accounts, API credentials, and delegated application access so privilege concentration does not reappear outside the employee estate.
Key takeaways
- SoD software fails when role control is separated from lifecycle control, because access drift then outruns governance.
- The evidence problem is real: audit trails and exception records matter as much as role policies when conflicting access is being challenged.
- Practitioners should extend segregation logic beyond employees and into non-human identities, where stale access and standing privilege often recreate the same risk pattern.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware are managed; SoD depends on knowing which identity holds which access. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorisations are managed and reviewed, incorporating least privilege and separation of duties. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Non-human access that outlives its business purpose is the lifecycle failure SoD scope must cover. |
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Privilege concentration in a single service account recreates the conflicting-authority pattern outside the employee estate. |
Review access policies for conflicting duties and remove permissions that create toxic combinations.
Key terms
- Segregation of Duties: Segregation of duties is a control model that prevents one identity from holding enough authority to initiate, approve, and complete a sensitive action alone. In identity governance, it is enforced through roles, policies, approvals, and audit evidence so conflicting access does not accumulate unnoticed.
- Entitlement Drift: Entitlement drift is the gradual mismatch between the access an identity has and the access it still needs. It happens when roles change, exceptions linger, or offboarding is incomplete, and it is especially dangerous because the access often remains technically valid even after the business reason has disappeared.
- Access Review: An access review is a recurring governance check where an owner validates whether an identity should still retain its current permissions. The control is only effective when the entitlement data is current, the reviewer has enough context to judge conflict, and remediation happens quickly after decisions are made.
- Joiner-Mover-Leaver: Joiner-mover-leaver is the lifecycle process that creates, adjusts, and removes access as people or systems enter, change, and exit an organisation. It applies equally to human identities and non-human identities, and it is the backbone that keeps SoD policies from becoming stale paperwork.
Deepen your knowledge
Segregation of duties, lifecycle governance, and entitlement control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is already dealing with role drift or stale access, it is worth exploring.
This post draws on content published by Zluri: Security & Compliance Top 10 SoD Software for Your Organization in 2026. Read the original.
Published by the NHIMG editorial team on 2026-02-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org