TL;DR: SOX compliance fails when access reviews, evidence collection, and separation of duties still rely on manual processes across fragmented systems, according to ConductorOne. The operational issue is not audit volume but identity governance maturity: without centralized visibility, controls drift faster than reviewers can certify them.
At a glance
What this is: A SOX compliance analysis showing that manual access reviews, fragmented systems, and weak visibility turn audit readiness into an identity governance problem.
Why it matters: SOX controls overlap directly with human, NHI, and service-account governance, so the same visibility and certification gaps that slow audits also increase privilege risk.
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read ConductorOne's SOX compliance workflow for access reviews and evidence collection
Context
SOX compliance is often treated as an accounting requirement, but the practical burden sits inside identity governance. When access reviews, segregation of duties checks, and evidence collection are spread across disconnected systems, the control environment becomes difficult to prove and even harder to maintain.
For identity teams, the problem is bigger than audit season. The same access sprawl that slows SOX certification also affects NHI oversight, privileged access control, and human entitlement governance, which is why SOX programmes now need a shared view of users, roles, service accounts, and review evidence.
Key questions
Q: How should teams run SOX access reviews in fragmented environments?
A: Teams should centralise entitlement data before the review starts, then certify access against the actual systems in use rather than a static spreadsheet. The review should cover users, privileged roles, and service accounts together so reviewers can see conflicts, exceptions, and unresolved access changes in one place.
Q: Why do SOX controls fail when systems are spread across SaaS and cloud?
A: They fail because the organisation loses a single source of truth for who can do what. When entitlements are split across multiple platforms, reviewers cannot reliably confirm segregation of duties, and evidence collection becomes inconsistent. The result is a control that exists in policy but not in operational proof.
Q: What do security teams get wrong about separation of duties?
A: They often treat SoD as a role design problem instead of an effective permissions problem. A role may look compliant on paper while the underlying application access still allows conflicting actions. Teams need to test actual privilege paths, not just review job titles or role names.
Q: Who is accountable when SOX evidence is incomplete or late?
A: Accountability usually sits with the control owner, but the governance failure is shared across IAM, application owners, and compliance teams if no one can prove the control operated as designed. SOX requires evidence that is traceable, timely, and tied to the control being tested.
Technical breakdown
Why manual access reviews break down in SOX programmes
SOX user access reviews depend on reviewers being able to see who has access, why they have it, and whether that access still matches job function or control design. In fragmented environments, that information lives in different IAM, SaaS, cloud, and spreadsheet workflows, so review quality degrades even when the process exists on paper. The technical failure is not the absence of a checklist. It is the absence of a single entitlement graph that can be certified, traced, and audited across systems without reconciliation work.
Practical implication: build review workflows on unified entitlement data, not exports assembled manually from multiple systems.
How separation of duties fails across fast-changing infrastructure
Separation of duties, or SoD, is meant to prevent one identity from controlling incompatible actions such as creating and approving the same financial transaction. In modern environments, SoD often fails because roles, entitlements, and app-level permissions drift faster than governance teams can map them. M&A activity, cloud sprawl, and homegrown applications make the control problem worse because the effective privilege state changes after the policy was written. The result is a control design that looks compliant in documentation but does not hold under live access conditions.
Practical implication: test SoD against actual entitlements and application-level permissions, not against role descriptions alone.
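The entitlement-graph and SoD points above (flattening roles, nested roles and direct app-level grants into effective permissions, then testing rule pairs against that state rather than against role names) are easier to see in code. The following is an added illustration written for this page, not ConductorOne's or NHIMG's tooling; the identities, roles, permission strings, nested-role marker (`@`) and SoD rule pairs are constructed sample data, and the "legacy admin role nested after an M&A merge" scenario is invented to show how a role-name review passes while an effective-permission review fails.

```python
"""Detect separation-of-duties conflicts on effective permissions, not role names.

Constructed sample data: the identities, roles, permissions and rule pairs
below are made up for illustration and do not come from any real system.
"""
from collections import defaultdict

# Role -> app-level permissions. An entry starting with '@' is a nested role.
# "AP_REPORTING" looks read-only by name, but it nests a legacy role that still
# carries approve rights after a role merge (the kind of drift M&A produces).
ROLE_PERMISSIONS = {
    "AP_CLERK": {"ap.invoice.create", "ap.vendor.read"},
    "AP_APPROVER": {"ap.invoice.approve", "ap.vendor.read"},
    "AP_REPORTING": {"ap.report.read", "@LEGACY_AP_ADMIN"},
    "LEGACY_AP_ADMIN": {"ap.invoice.approve", "ap.vendor.create", "ap.vendor.read"},
    "GL_CLOSE": {"gl.journal.post"},
}

# Identity -> roles assigned through the IdP (what a spreadsheet review sees).
IDP_ROLE_ASSIGNMENTS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_APPROVER"},
    "carol": {"AP_CLERK", "AP_REPORTING"},
    "svc-erp-sync": {"AP_REPORTING"},          # a service account, reviewed alongside humans
}

# Direct grants made inside the application, bypassing the role model entirely.
DIRECT_GRANTS = {
    "svc-erp-sync": {"ap.invoice.create"},
    "alice": set(),
}

# SoD rules: pairs of permissions a single identity must never hold together.
SOD_RULES = [
    ("ap.invoice.create", "ap.invoice.approve"),
    ("ap.vendor.create", "ap.invoice.approve"),
]


def expand_role(role, role_permissions, seen=None):
    """Flatten a role into its permission set, following nested roles.
    A role already on the current path is not expanded twice, so cycles are safe."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    perms = set()
    for entry in role_permissions.get(role, set()):
        if entry.startswith("@"):
            perms |= expand_role(entry[1:], role_permissions, seen)
        else:
            perms.add(entry)
    return perms


def effective_permissions(identity, role_assignments, direct_grants, role_permissions):
    """Union of everything the identity can actually do: roles, nested roles, direct grants."""
    perms = set()
    for role in role_assignments.get(identity, set()):
        perms |= expand_role(role, role_permissions)
    perms |= direct_grants.get(identity, set())
    return perms


def sod_violations(role_assignments, direct_grants, role_permissions, rules):
    """Map identity -> list of (perm_a, perm_b) rule pairs it violates on effective permissions."""
    violations = defaultdict(list)
    for identity in set(role_assignments) | set(direct_grants):
        perms = effective_permissions(identity, role_assignments, direct_grants, role_permissions)
        for a, b in rules:
            if a in perms and b in perms:
                violations[identity].append((a, b))
    return dict(violations)


def role_name_review(role_assignments, conflicting_role_pairs):
    """The weaker check: flag only identities holding two roles whose names are listed as conflicting."""
    flagged = set()
    for identity, roles in role_assignments.items():
        for r1, r2 in conflicting_role_pairs:
            if r1 in roles and r2 in roles:
                flagged.add(identity)
    return flagged


if __name__ == "__main__":
    by_role = role_name_review(IDP_ROLE_ASSIGNMENTS, [("AP_CLERK", "AP_APPROVER")])
    by_perm = sod_violations(IDP_ROLE_ASSIGNMENTS, DIRECT_GRANTS, ROLE_PERMISSIONS, SOD_RULES)
    print("flagged by role names:", sorted(by_role))
    print("flagged by effective permissions:", sorted(by_perm))
```

Run as-is, the role-name review flags nobody: no identity holds both `AP_CLERK` and `AP_APPROVER`. The effective-permission review flags `carol` (clerk rights plus approve rights inherited through the nested legacy role) and `svc-erp-sync` (approve rights from the same nesting plus a direct create grant). In a real programme the three input maps would be pulled from the IdP, each application's permission store and the cloud provider's policy engine, and the review would be re-run on every change rather than once a quarter.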
Why automated evidence collection changes the audit model
Audit evidence is only useful if it is complete, time-stamped, and tied to the control being tested. Manual screenshots and email chains create gaps because they are assembled after the fact and often lack a reliable chain of custody. Automated evidence collection turns the audit from a scavenger hunt into a repeatable control process. That matters for SOX because auditors are not just checking whether a control exists. They are checking whether the organisation can prove the control operated consistently over time.
Practical implication: instrument controls so evidence is captured as part of execution, not recreated during audit preparation.
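To show what "captured as part of execution, time-stamped and tied to the control" can look like mechanically, here is an added example, written for this page rather than taken from ConductorOne or any product: each review or SoD decision is appended to a hash-chained log at the moment it is made, so a record altered afterwards breaks the chain and the break is detectable. The control IDs, reviewer names, subjects and outcomes are constructed sample values, and the record schema is an illustrative design, not a vendor format.

```python
"""Capture control evidence at execution time as a hash-chained, append-only log.

Added illustration with constructed sample values. Hash chaining makes
after-the-fact edits detectable; it does not stop someone truncating the
tail, so in practice the latest hash is also anchored somewhere the log
writer cannot change (a WORM bucket, a ticket, a signed timestamp).
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _canonical(record):
    # Stable serialisation so identical content always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _hash(record, prev_hash):
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


class EvidenceLog:
    def __init__(self):
        self.entries = []   # each entry: {"record": {...}, "prev_hash": str, "hash": str}

    def record(self, control_id, actor, action, subject, outcome, at=None):
        """Append one evidence record as the control executes, returning its hash."""
        when = at or datetime.now(timezone.utc)
        rec = {
            "control_id": control_id,   # ties the evidence to the control being tested
            "actor": actor,             # the (strongly authenticated) reviewer or approver
            "action": action,           # e.g. access_review, sod_decision, approval
            "subject": subject,         # identity or entitlement the decision concerns
            "outcome": outcome,
            "timestamp": when.isoformat(timespec="seconds"),
            "seq": len(self.entries),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": rec, "prev_hash": prev, "hash": _hash(rec, prev)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or entry["hash"] != _hash(entry["record"], prev):
                return False, i
            if entry["record"]["seq"] != i:
                return False, i
            prev = entry["hash"]
        return True, None

    def evidence_for(self, control_id):
        """The records an auditor would sample for one control, in execution order."""
        return [e["record"] for e in self.entries if e["record"]["control_id"] == control_id]


def demo():
    """Write three decisions, then simulate a retroactive edit of an exception record."""
    log = EvidenceLog()
    t0 = datetime(2025, 8, 20, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    log.record("SOX-ITGC-03", "reviewer.dana", "access_review", "carol", "revoke:AP_REPORTING", at=t0)
    log.record("SOX-ITGC-03", "reviewer.dana", "access_review", "svc-erp-sync", "exception:ticket-4471", at=t0)
    log.record("SOX-ITGC-07", "approver.lee", "sod_decision", "bob", "certified", at=t0)
    intact, _ = log.verify()
    # Someone "tidies up" the exception before audit season; the chain catches it.
    log.entries[1]["record"]["outcome"] = "certified"
    tampered_ok, bad_seq = log.verify()
    return intact, tampered_ok, bad_seq


if __name__ == "__main__":
    print(demo())   # (True, False, 1)
```

The point of the design is that the evidence exists because the control ran, not because someone assembled it later: the record carries the control ID, the actor, the subject and a timestamp taken at decision time, and `verify()` fails at the first entry whose content no longer matches the hash its successor committed to.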
Threat narrative
Attacker objective: The objective is to preserve unauthorised or excessive access long enough to undermine financial controls, delay audits, or enable fraud.
- Entry begins when fragmented identity and access data prevents teams from identifying who should not have access across SaaS, cloud, and on-prem systems.
- Escalation occurs when manual access reviews and weak separation of duties let excessive privileges persist long enough to survive certification cycles.
- Impact lands as audit delays, control exceptions, and increased fraud exposure because the organisation cannot prove that financial controls were operating effectively.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — 1M+ log lines and sensitive secret keys were exposed.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SOX compliance is an identity governance discipline, not a documentation exercise. The controls named in SOX audits depend on knowing who or what can act, where that access lives, and whether the access state matches policy. When that visibility is missing, the audit problem is really a governance problem that affects humans, service accounts, and automated workflows alike. Practitioners should treat SOX readiness as continuous entitlement governance, not annual paperwork.
Disparate systems create a control gap that auditors can see before security teams do. Once M&A activity, cloud adoption, and homegrown applications fragment access data, no single team can reliably certify segregation of duties or review outcomes. That is a structural failure of the control plane, not a process annoyance. The implication is that access governance must be designed around unified evidence and entitlement state, or SOX certification will keep lagging reality.
Manual review cadence is the wrong operating model for fast-changing privilege. Reviews that happen quarterly or only during audit prep assume entitlement state is stable long enough to certify after the fact. In modern enterprises, that assumption breaks because access changes faster than the review cycle can observe. The practitioner conclusion is straightforward: governance must track live privilege drift, not just archived attestations.
Centralised visibility is the named concept that separates compliant-looking programmes from defensible ones. Without a single view of users, roles, privileges, and evidence, organisations cannot reliably connect SoD design to operational reality. That gap affects financial reporting controls, but it also exposes the broader identity stack because the same blind spots hide NHI overreach and privileged access creep. Security and compliance leaders should view visibility as the control substrate, not the reporting layer.
SOX pressure is pushing identity teams toward evidence-driven governance. The market signal is that audit readiness is becoming inseparable from IAM operations, especially where both systems and control owners are distributed. That does not replace auditor judgment; it reduces the time spent reconstructing control history. Practitioners should expect more demand for continuous certification, immutable logs, and control evidence that can survive challenge.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, is the next resource for teams formalising review, rotation, and offboarding discipline.
What this signals
Centralised entitlement visibility: SOX pressure is exposing the same blind spots that weaken NHI governance, because organisations cannot certify what they cannot see. When only 5.7% of organisations have full visibility into their service accounts, per the Ultimate Guide to NHIs, the lesson extends beyond service identities to the broader access model: fragmented control planes produce fragmented assurance.
The practical shift is toward continuous evidence generation, not periodic evidence assembly. That aligns naturally with NIST Cybersecurity Framework 2.0, especially where identity governance, detection, and response have to operate as one control system rather than separate audit tasks.
SOX as control telemetry: organisations that treat access reviews as an annual event will keep finding the same exceptions late. The stronger model is to treat entitlement state, certification results, and privileged-path drift as operational telemetry that can be reviewed before auditors ask for it.
For practitioners
- Unify entitlement data before audit season: Create a single entitlement view across SaaS, cloud, on-prem, and homegrown applications so reviewers are not reconciling exports by hand.
- Map SOX controls to live access state: Tie each critical control to the actual users, roles, and service accounts that can execute it, then reconcile that mapping continuously.
- Automate evidence capture at control execution time: Record approvals, access reviews, and SoD decisions as immutable audit evidence when they occur, not after the fact in a separate workflow.
- Test separation of duties against effective permissions: Validate SoD using application-level entitlements and privileged paths, especially where M&A has introduced overlapping roles or duplicate admin access.
Key takeaways
- SOX compliance breaks down fastest where identity data is fragmented, because reviewers cannot prove who had access, when they had it, or whether the control worked.
- The scale of the visibility problem is already severe, with only 5.7% of organisations reporting full visibility into service accounts.
- Teams that want durable SOX readiness need continuous entitlement governance, automated evidence capture, and SoD testing against live permissions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (the CSF 2.0 successor to PR.AC-4 in CSF 1.1) | SOX access reviews and privilege control map directly to the requirement that access permissions and entitlements are managed, enforced, and reviewed, incorporating least privilege and separation of duties. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Continuous verification supports the visibility and control needed for SOX governance. |
| NIST SP 800-63 | SP 800-63 (Digital Identity Guidelines) | Human identity proofing and authentication still matter where reviewers approve access. |
Ensure reviewer identities are strongly authenticated before they certify access or sign off on controls.
Key terms
- Separation Of Duties: A control that prevents one identity from performing incompatible actions in the same process. In SOX programmes, it is only effective if the live entitlement state matches the policy design. Drift in roles, app permissions, or privileged access can make the control look sound while it fails in practice.
- Access Review: A governance process used to confirm that an identity still needs the permissions it has been granted. For SOX, the review must be evidence-based and tied to current entitlements, not a historical list. If the data is incomplete, the review becomes a compliance exercise instead of a control test.
- Entitlement Graph: A mapped view of who or what has access to which systems, roles, and privileges. It provides the operational basis for review, certification, and segregation-of-duties analysis. Without it, teams rely on disconnected reports that cannot reliably prove control effectiveness.
- Control Evidence: Records that show a security or compliance control operated as intended. In SOX programmes, evidence should be time-stamped, immutable where possible, and directly linked to the control being tested. Recreated screenshots and email chains are weaker because they are harder to verify and reconcile.
Deepen your knowledge
SOX access reviews, separation of duties, and control evidence management are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your compliance programme depends on understanding who or what can act across systems, this is a relevant starting point.
This post draws on content published by ConductorOne: Five Ways to Streamline SOX Compliance with C1. Read the original.
Published by the NHIMG editorial team on 2025-08-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org