TL;DR: Separation of duties failures emerge when users accumulate mutually exclusive entitlements across systems, creating access conflicts that can drive fraud and compliance risk, according to ConductorOne. The governance issue is not just detection after the fact, but whether identity controls can stop conflicting access before it is approved.
At a glance
What this is: This is a blog post about separation of duties in identity security, with the key finding that access conflicts are managed most effectively when they are prevented at request time, not only detected later.
Why it matters: It matters because IAM, IGA, PAM, and compliance teams need controls that catch conflicting entitlements before they create fraud paths, audit findings, or risky privilege combinations across human and non-human access.
Context
Separation of duties is the control that stops one identity from holding combinations of access that should not coexist. In modern IAM and IGA programmes, the hard problem is not defining conflicting roles in theory, but catching them fast enough when access changes across multiple systems and approval paths.
The vendor's point is that access conflicts should be handled at request time, inside reviews, and through policy logic rather than spreadsheet checks. That aligns with broader identity governance practice, where entitlement overlap, approval quality, and remediation speed determine whether SoD is preventive or merely forensic.
Key questions
Q: How should security teams enforce separation of duties before access is granted?
A: Security teams should evaluate exclusion rules at request time, not just during periodic review. If a proposed entitlement creates a conflict, the workflow should block it, escalate it, or send it to a higher-trust approver. That keeps the control preventive and gives reviewers the context they need before access becomes active.
Q: Why do access conflicts keep reappearing even in mature identity programmes?
A: Access conflicts reappear because access is additive across systems and changes faster than manual governance can track. Role changes, temporary exceptions, and incomplete offboarding can create new overlaps after the original approval. Continuous monitoring is necessary because SoD risk is dynamic, not a one-time configuration issue.
Q: What do teams get wrong about separation of duties reviews?
A: Teams often treat SoD as a certification activity instead of an entitlement design problem. By the time a review finds a conflict, the user may already have used the access. Effective programmes define conflict rules early, enforce them during approval, and connect reviews directly to remediation.
Q: How can organisations tell if SoD controls are actually working?
A: SoD controls are working when conflicts are intercepted before activation, not simply documented after the fact. Useful signals include fewer manual overrides, faster conflict resolution, and review outcomes that lead to actual entitlement revocation. If conflicts are still surfacing late, the control is mostly observational.
Technical breakdown
What is an access conflict in identity governance?
An access conflict occurs when a single identity receives two or more entitlements that should remain mutually exclusive. In practice, the risk comes from combination, not from any one entitlement on its own. A user may appear properly provisioned in each system, yet the aggregate access creates fraud potential, process bypass, or audit exposure. SoD policies model those exclusion rules and evaluate them against requests, reviews, or entitlement inventories. The governance challenge is to keep the rules current as roles, systems, and business processes evolve.
Practical implication: define mutually exclusive entitlements explicitly and treat overlap as a governance control, not an after-the-fact audit finding.
How policy-based SoD enforcement works at request time
Request-time SoD enforcement evaluates proposed access before it is granted. If a new entitlement would create a conflict, the workflow can block, escalate, or route to a higher-trust approver. That matters because review-based detection only sees the problem after privilege has already landed. Policy engines make the decision logic auditable and repeatable, replacing informal judgment with structured rules. This is especially relevant where access grows across ERP, finance, HR, and SaaS platforms, because conflicts are often spread across systems rather than visible in one directory.
Practical implication: place conflict checks in the approval workflow so risky entitlements are intercepted before activation.
Why continuous conflict monitoring still matters after provisioning
Even with preventive controls, entitlement drift can create new SoD violations over time. Continuous monitoring compares current access against conflict models on a schedule or on demand, then surfaces overlaps for investigation and remediation. This is important because role changes, emergency access, and partial deprovisioning can all produce hidden violations. Effective monitoring does more than identify issues. It also supports access review, remediation prioritisation, and evidence gathering for audit and compliance teams.
Practical implication: run recurring conflict analysis and pair it with review and revocation workflows so SoD stays current as access changes.
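The two mechanisms above, request-time evaluation and continuous drift scanning, share one conflict model. As an added example (not code from the original post or from ConductorOne's product), the following Python sketch applies the same exclusion rules to a proposed grant (approve, escalate or block) and to a scheduled scan of a cross-system entitlement inventory; every system, identity and entitlement name is constructed sample data.

```python
# Added example, not ConductorOne's or NHIMG's code: a minimal SoD policy engine
# that applies the same exclusion rules at request time and in a drift scan.
# System names, entitlements and identities below are constructed sample data.

# Exclusion rules: pairs of "system:entitlement" that must never coexist on one
# identity, with the workflow action to take when a request would complete the pair.
EXCLUSION_RULES = [
    (("erp:vendor_create", "erp:payment_release"), "block"),    # payables fraud path
    (("hr:payroll_edit", "finance:payroll_approve"), "block"),  # edit + approve own payroll
    (("pam:db_admin", "finance:journal_post"), "escalate"),     # elevated ops + transactional
]

# Per-system exports: each system sees only its own entitlements, so no single
# directory shows the cross-system combination.
SYSTEM_EXPORTS = {
    "erp": {"alice": ["vendor_create"], "bob": ["payment_release"]},
    "finance": {"carol": ["journal_post", "payroll_approve"]},
    "hr": {"carol": ["payroll_edit"]},
    "pam": {"dave": ["db_admin"]},
}

def aggregate(exports):
    """Build one cross-system entitlement set per identity (the control object)."""
    inventory = {}
    for system, users in exports.items():
        for identity, ents in users.items():
            inventory.setdefault(identity, set()).update(f"{system}:{e}" for e in ents)
    return inventory

def evaluate_request(current, requested, rules=EXCLUSION_RULES):
    """Request-time check before the grant: returns (action, conflicting pair)."""
    proposed = set(current) | {requested}
    decision = ("approve", None)
    for pair, action in rules:
        if requested in pair and set(pair) <= proposed:
            if action == "block":          # block outranks escalate
                return ("block", pair)
            decision = ("escalate", pair)
    return decision

def scan_inventory(inventory, rules=EXCLUSION_RULES):
    """Continuous monitoring: identities whose current access already violates a rule."""
    return [(identity, pair, action)
            for identity, ents in sorted(inventory.items())
            for pair, action in rules
            if set(pair) <= ents]

if __name__ == "__main__":
    inv = aggregate(SYSTEM_EXPORTS)
    print(evaluate_request(inv["alice"], "erp:payment_release"))  # blocked
    print(scan_inventory(inv))  # carol: payroll_edit + payroll_approve drift
```

Note that carol's violation is invisible to the HR and finance systems individually; only the aggregated view exposes it, which is why the scan runs over the combined inventory rather than per-system exports.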
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Access conflict is the operational form of segregation failure, not just a policy gap. SoD only works when mutually exclusive access is evaluated as a live entitlement relationship, not as a document or spreadsheet rule. Once permissions are distributed across systems, the risk is in combination, not possession. Practitioners should treat entitlement overlap as the control object, because that is where fraud pathways and compliance violations actually emerge.
Request-time prevention is the key governance shift in modern identity programmes. Legacy IGA often assumes conflicts can be discovered during certification, but by then the entitlement may already have been used. That creates a control lag between grant and review. The implication is that identity governance has to move closer to the access transaction if it wants to be preventive rather than purely evidentiary.
SoD is now a cross-domain control spanning human IAM, finance workflows, and privileged access governance. The same conflict logic that prevents a user from holding incompatible business roles also matters when elevated operational access can combine with transactional authority. That makes SoD a governance pattern, not a narrow compliance checkbox. Practitioners should align role engineering, approval policy, and review evidence under one conflict model.
The real failure mode is entitlement accumulation across systems that no single control plane sees end to end. As organisations grow, access often becomes additive by default. Without continuous modelling of exclusion rules, a compliant-looking identity can still become unsafe through role creep. The practical conclusion is that SoD must be treated as an always-on governance relationship across the full identity lifecycle.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means entitlement conflicts can remain hidden even when teams think they have coverage.
- For a broader control baseline, review OWASP Non-Human Identity Top 10 alongside the role and entitlement models used in SoD programmes.
What this signals
Access conflict management is becoming a design discipline, not an audit chore. The next maturity step for identity programmes is to treat exclusion rules as active policy logic that follows the request, review, and remediation flow end to end. Teams that keep SoD trapped in spreadsheets will continue to find risk after it has already entered the environment.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the same entitlement-sprawl problem that affects humans also shows up in machine access. That means SoD thinking increasingly needs to extend into service accounts, tokens, and other non-human identities where role overlap can be harder to see but just as damaging.
For practitioners
- Model mutually exclusive entitlements explicitly: Document the access combinations that must never coexist across finance, ERP, HR, and administration systems. Use those rules to drive request validation, not just audit reporting.
- Block risky access at request time: Insert conflict checks into approval workflows so approvers see the overlap before granting access. Escalate to a higher-trust approver when a request introduces a SoD conflict.
- Run continuous conflict monitoring: Schedule recurring entitlement scans and on-demand checks for emergency changes, then route violations into review and revocation queues.
- Tie access reviews to remediation: Do not stop at certification evidence. Use the review outcome to revoke conflicting access and close the loop before the next business cycle.
Key takeaways
- Separation of duties fails when conflicting access is discovered too late to prevent misuse.
- The scale problem is entitlement accumulation across systems, where overlap is often invisible until a review or audit finds it.
- The control that changes outcomes is request-time prevention combined with continuous monitoring and remediation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SoD depends on least-privilege access decisions and segregation of conflicting entitlements. |
| NIST CSF 2.0 | PR.AC-1 | Identity management must support governance of access assignments and revocation. |
| NIST SP 800-63 | | Federated identity and assurance support user lifecycle governance around approval and review. |
Apply identity assurance and lifecycle controls so access changes are reviewable and attributable.
Key terms
- Separation of duties: A governance control that prevents one identity from holding access combinations that would create fraud, override, or compliance risk. The control is enforced by defining mutually exclusive entitlements and checking them during approval, review, and remediation so risky combinations do not persist.
- Access conflict: An access conflict occurs when a single identity holds entitlements from two groups that should never be combined. The risk comes from the overlap itself, not from either entitlement in isolation, and it becomes material when the combined access enables an unsafe business or privileged action.
- Request-time enforcement: Request-time enforcement is the practice of evaluating a proposed access change before it becomes active. In identity governance, this shifts SoD from a retrospective review activity into a preventive control that can block, escalate, or reroute risky entitlement combinations.
- Entitlement drift: Entitlement drift is the gradual accumulation or mutation of access over time as roles change, exceptions pile up, and offboarding is incomplete. It is one of the main reasons SoD violations reappear after they were supposedly resolved, especially in distributed environments.
Deepen your knowledge
Separation of duties and access conflict governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending governance patterns across human and non-human identities, it is worth exploring.
This post draws on content published by ConductorOne: SoD in modern identity security and access conflict prevention. Read the original.
Published by the NHIMG editorial team on 2025-11-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org