By NHI Mgmt Group Editorial Team
Published 2026-04-22
Domain: Governance & Risk
Source: SecurEnds

TL;DR: Segregation of duties is a preventive control that blocks conflicting access before it is granted, while user access reviews are detective controls that validate whether existing access still fits the role, according to SecurEnds. Treating them as interchangeable leaves audit gaps, stale access, and unresolved risk in governance cycles.


At a glance

What this is: This is a practical comparison of segregation of duties and user access reviews, showing that one prevents conflicting access while the other catches stale access after provisioning.

Why it matters: IAM teams, IGA leads, and compliance owners need both controls because access risk builds across the lifecycle, and relying on only one leaves material gaps in auditability and governance.

By the numbers:

👉 Read SecurEnds' explanation of segregation of duties vs user access review


Context

Access governance fails when teams treat preventive and detective controls as the same thing. Segregation of duties stops toxic combinations from being granted, while user access reviews validate whether access still belongs after it has already been issued. In practice, that difference matters because identity governance problems usually appear as lifecycle drift, not as a single provisioning mistake.

This article is about segregation of duties vs user access review in identity governance, and why the distinction matters for audit outcomes under SOX, ISO 27001, and SOC 2. The operational question is not whether one control is enough. The real issue is how access risk accumulates when prevention and review are not connected across the full access lifecycle.


Key questions

Q: How should security teams combine segregation of duties and user access reviews?

A: Treat segregation of duties as the preventive gate and user access reviews as the corrective loop. SoD should stop conflicting access during provisioning, while reviews should verify that remaining access still matches the role. The controls only work well together when they share the same identity data, remediation ownership, and evidence trail.

Q: Why do user access reviews fail when they are used alone?

A: They fail because they only find problems after access already exists. That means conflicting permissions, contractor accounts, and role drift can remain active for weeks or months before the next cycle. Reviews are useful, but they are not a substitute for preventive control at entitlement creation.

Q: What breaks when segregation of duties is the only control in place?

A: SoD blocks some toxic combinations, but it does not clean up stale, unused, or orphaned access. Users can change roles, projects can end, and temporary access can become permanent without any SoD alert. A programme built only on prevention still accumulates governance debt over time.

Q: Who should be accountable for access review decisions under SOX or ISO 27001?

A: Application owners, business managers, and control owners should be accountable for the decision itself, while IAM or IGA teams should provide the evidence and workflow. Auditors usually care less about the tool and more about whether decisions are documented, defensible, and actually enforced.


Technical breakdown

Segregation of duties as a preventive control

Segregation of duties, or SoD, defines conflicting permission combinations and blocks them before access is granted. The control is preventive because it works at provisioning time, not during later certification. In identity governance, SoD rules are usually tied to roles, transactions, or application entitlements. A single user should not be able to create and approve the same financial event, for example. The mechanism depends on accurate policy definitions, timely conflict checks, and enforcement at the point of request. If the rule set is incomplete or bypassed manually, the preventive layer fails quietly.

Practical implication: enforce SoD checks inside provisioning workflows so toxic combinations cannot enter production access states.

User access reviews as a detective control

User access reviews, or UARs, examine the access that already exists and decide whether it still matches the job, project, or business need. The control is detective because it works after entitlement assignment, usually on a recurring cadence. Reviews are meant to catch access creep, orphaned accounts, role changes, and over-extended temporary access. Their effectiveness depends on review quality, documented decisions, and the authority to remove access quickly. Without that, the review becomes a paper exercise rather than a governance control.

Practical implication: assign accountable reviewers and require recorded revoke decisions, not just attestation clicks.

Why the two controls fail when treated as substitutes

SoD and UAR solve different problems at different points in the lifecycle. SoD cannot clean up stale access because it only evaluates new assignments. UAR cannot prevent toxic combinations because it only sees what already exists. When teams rely on one control alone, the blind spot becomes structural. Conflicts can live in the environment for months, or old access can linger indefinitely after a role change or exit. Identity governance only becomes coherent when both controls are tied to the same entitlement source and evidence trail.

Practical implication: connect provisioning, certification, and deprovisioning so prevention and review operate on the same access record.
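The three sections above describe one lifecycle: an SoD gate at provisioning, a review over access that already exists, and a shared entitlement record and evidence trail that ties them together. The following toy model, added here as an illustration and not code from SecurEnds or any IGA product, shows the mechanics in a few dozen lines. The rule set, user names, entitlements, dates and the 90-day staleness threshold are constructed assumptions. The scenario makes the substitution problem concrete: the gate stops a conflicting request, but a conflict that bypassed the gate, an orphaned account, expired temporary access and unused permanent access are only surfaced by the review, and only a recorded revoke decision actually removes them.

```python
"""Toy identity-governance model: a preventive SoD gate at provisioning and a
detective user access review (UAR) run over the same entitlement record, both
writing to one evidence trail. Constructed example: the rule set, users,
entitlements and dates are made up and come from no product or standard."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Toxic combinations one identity must never hold together (constructed).
SOD_RULES = [
    frozenset({"ap:create_vendor", "ap:approve_payment"}),
    frozenset({"gl:post_journal", "gl:approve_journal"}),
]


@dataclass
class Grant:
    user: str
    entitlement: str
    approved_by: str
    granted_on: date
    expires_on: Optional[date] = None   # set only for temporary access
    last_used: Optional[date] = None


@dataclass
class AccessRecord:
    """Single entitlement source shared by provisioning and review."""
    active_users: set = field(default_factory=set)
    grants: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    def held_by(self, user):
        return {g.entitlement for g in self.grants if g.user == user}

    def log(self, control, user, entitlement, decision, actor, when, reason=""):
        self.evidence.append({"control": control, "user": user, "entitlement": entitlement,
                              "decision": decision, "actor": actor,
                              "date": when.isoformat(), "reason": reason})


def sod_conflicts(held, requested=None):
    """Rules violated by `held`, optionally with one more requested entitlement."""
    prospective = set(held) | ({requested} if requested else set())
    return [rule for rule in SOD_RULES if rule <= prospective]


def request_access(record, user, entitlement, approver, today, expires_on=None):
    """Preventive control: check the rule set at the point of request."""
    conflicts = sod_conflicts(record.held_by(user), entitlement)
    if conflicts:
        reason = "conflicts with " + ", ".join(sorted(conflicts[0] - {entitlement}))
        record.log("SoD", user, entitlement, "blocked", approver, today, reason)
        return False
    record.grants.append(Grant(user, entitlement, approver, today, expires_on))
    record.log("SoD", user, entitlement, "granted", approver, today)
    return True


def review_access(record, today, stale_after_days=90):
    """Detective control: flag existing grants that no longer fit the identity."""
    findings, flagged = [], set()

    def flag(g, why):
        if id(g) not in flagged:          # one finding per grant
            flagged.add(id(g))
            findings.append((g, why))

    for g in record.grants:
        if g.user not in record.active_users:
            flag(g, "orphaned: user no longer active")
        elif g.expires_on is not None and g.expires_on < today:
            flag(g, "temporary access past its expiry")
        elif (today - (g.last_used or g.granted_on)).days > stale_after_days:
            flag(g, f"unused for more than {stale_after_days} days")
    # A conflict that bypassed the gate (e.g. a manual grant) is only seen here,
    # after the access has been live: the review detects, it cannot prevent.
    for user in {g.user for g in record.grants}:
        for rule in sod_conflicts(record.held_by(user)):
            for g in record.grants:
                if g.user == user and g.entitlement in rule:
                    flag(g, "existing SoD conflict: " + " + ".join(sorted(rule)))
    return findings


def revoke(record, grant, reviewer, today, reason):
    """A recorded revoke decision that actually removes the access."""
    record.grants.remove(grant)
    record.log("UAR", grant.user, grant.entitlement, "revoked", reviewer, today, reason)


def run_scenario():
    """Constructed lifecycle: the gate blocks one conflict, the review catches the rest."""
    today = date(2026, 4, 22)
    rec = AccessRecord(active_users={"alice", "bob", "dave"})
    # alice: her second request would complete a toxic pair and is stopped at the gate.
    request_access(rec, "alice", "ap:create_vendor", "mgr1", today)
    blocked = not request_access(rec, "alice", "ap:approve_payment", "mgr1", today)
    # bob: both halves of a conflict added by hand, bypassing the gate; still in use.
    for ent in ("gl:post_journal", "gl:approve_journal"):
        rec.grants.append(Grant("bob", ent, "manual", today - timedelta(days=200),
                                last_used=today - timedelta(days=5)))
    # carol: temporary access that outlived both its expiry and her employment.
    rec.grants.append(Grant("carol", "hr:export", "mgr2", today - timedelta(days=120),
                            expires_on=today - timedelta(days=60)))
    # dave: permanent access he has not used in four months.
    rec.grants.append(Grant("dave", "crm:admin", "mgr2", today - timedelta(days=400),
                            last_used=today - timedelta(days=120)))
    findings = review_access(rec, today)
    for g, why in findings:                 # decisions are enforced, not just attested
        revoke(rec, g, "owner1", today, why)
    return {
        "blocked_at_gate": blocked,
        "findings": sorted((g.user, g.entitlement, why.split(":")[0]) for g, why in findings),
        "remaining": sorted((g.user, g.entitlement) for g in rec.grants),
        "decisions": [e["decision"] for e in rec.evidence],
    }


if __name__ == "__main__":
    for line in run_scenario()["findings"]:
        print(line)
```

Two design points carry the argument of the section. First, `request_access` and `review_access` read the same `AccessRecord`, so a grant the gate never saw (bob's manual entry) is still visible to the review, and a revoke decision changes the same record the next provisioning check will consult. Second, every decision, whether "granted", "blocked" or "revoked", lands in one `evidence` list with actor, date and reason, which is the audit trail the review must produce to count as a control rather than an attestation exercise.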


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.


NHI Mgmt Group analysis

SoD and UAR are not parallel versions of the same control. They sit on opposite sides of the access lifecycle and answer different governance questions. SoD is about preventing a toxic entitlement state from ever existing, while UAR is about proving that existing access still makes sense. Teams that collapse the two into one workflow lose the distinction between prevention and evidence, which is exactly where audit findings begin.

The named failure mode here is lifecycle drift, not a control shortage. The article shows how permissions are added for temporary reasons and then left behind, which creates a governance gap even when a review process exists. That gap is best understood as access that outlives its business justification. The implication is that identity programmes must track entitlement relevance over time, not just initial approval.

Segregation of duties only works when provisioning is the enforcement point. If a conflict is approved manually or defined too late, the preventive model is already weakened. The control assumption is that risky combinations can be identified before the user can act on them. Once access is live, the SoD logic has lost its chance to stop the business event it was designed to block.

User access reviews only work when reviewers can act on evidence quickly. The article correctly shows that review campaigns often surface role changes, inactive users, and contractor accounts that should have been removed earlier. That means the control is as much about remediation discipline as it is about attestation. Practitioners should read the review process as a governance record, not a checkbox exercise.

Identity governance becomes more credible when preventive and detective controls share one operating model. SoD handles entitlement creation, UAR handles entitlement persistence, and both depend on the same role taxonomy, access data, and audit trail. Where those inputs are inconsistent, the programme can neither block risk cleanly nor prove that it removed it. Practitioners should treat access governance as a lifecycle discipline, not a set of disconnected checks.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • Another finding from that research shows 62% of all secrets are duplicated and stored in multiple locations, which makes review evidence harder to trust.
  • For a broader governance lens, see NHI Lifecycle Management Guide for lifecycle ownership, rotation, and offboarding practices.

What this signals

Lifecycle governance, not isolated certification, is where access programmes either hold or fail. The moment teams separate provisioning, review, and deprovisioning into different systems or owners, the evidence chain starts to fracture. That fragmentation is where SoD and UAR stop being complementary controls and become disconnected tasks.

Access review maturity should now be measured by remediation speed and exception closure, not completion rates alone. A review campaign that produces findings but leaves entitlements in place is not a control outcome. Practitioners should watch for whether stale access is actually removed before the next business cycle closes.

Identity drift is the programme risk that hides inside routine operations. When roles change, projects end, and contractors exit, governance has to keep pace with the business or the control model becomes ceremonial. Teams that anchor their workflow to the Ultimate Guide to NHIs -- Lifecycle Processes for Managing NHIs will have a clearer path to enforce continuity across provisioning, review, and revocation.


For practitioners

  • Embed SoD checks in provisioning workflows: Block or route for approval any request that creates a conflicting entitlement combination before access is issued, especially in finance and admin systems.
  • Run access reviews on a risk-based cadence: Review privileged, financial, and sensitive-data access more frequently than low-risk entitlements, and require explicit revoke or recertify decisions for every exception.
  • Tie reviews to removal, not attestation alone: Make sure reviewers can remove stale access immediately after confirming that a role change, termination, or project end invalidates the entitlement.
  • Standardise audit evidence across the lifecycle: Record who approved access, who reviewed it, what changed, and when the decision was enforced so audit trails survive SOX and ISO 27001 scrutiny.

Key takeaways

  • Segregation of duties prevents conflicting access from being granted, while user access reviews validate whether access should still exist.
  • Access risk is cumulative, which is why stale entitlements and role drift can remain hidden if teams rely on only one control.
  • Strong identity governance depends on a shared lifecycle model that links provisioning, certification, and removal to the same evidence trail.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 sets the technical controls, while PCI DSS v4.0 defines the regulatory obligations.

Framework       Control / Reference   Relevance
NIST CSF 2.0    PR.AC-4               Access permissions management matches SoD and review governance.
NIST CSF 2.0    PR.AC-1               Identity governance needs policy enforcement before access is granted.
PCI DSS v4.0                          Periodic access reviews support regulated access governance in payment environments.

Use recurring access validation to prove least-privilege control over sensitive accounts.


Key terms

  • Segregation Of Duties: Segregation of duties is a preventive access control that blocks one identity from holding conflicting permissions that could enable fraud, error, or unauthorized change. In practice, it defines combinations that must never coexist and enforces them during provisioning or role assignment.
  • User Access Review: A user access review is a detective control that evaluates whether existing access still matches the business need, role, or lifecycle state of the identity. It is used to identify stale entitlements, orphaned accounts, and access creep after permissions have already been granted.
  • Access Creep: Access creep is the gradual accumulation of unnecessary permissions over time as roles change, temporary grants persist, and offboarding is incomplete. It is a governance problem, not a single event, and it often becomes visible only when someone finally reviews the entitlement record.
  • Audit Evidence Trail: An audit evidence trail is the recorded history showing who approved access, who reviewed it, what decision was made, and when enforcement happened. It matters because identity governance must be provable, not just intended, especially under compliance frameworks that expect durable control records.

Deepen your knowledge

Segregation of duties and user access review are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to connect preventive and detective controls across the access lifecycle, it is worth exploring.

This post draws on content published by SecurEnds: segregation of duties vs user access review in identity governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org