By NHI Mgmt Group Editorial Team. Published 2026-06-29. Domain: Governance & Risk. Source: SecurEnds

TL;DR: Toxic combinations in segregation of duties let one user complete incompatible business actions such as creating and approving payments, increasing fraud, error, and compliance risk across ERP, cloud, and finance workflows, according to SecurEnds. The control problem is not merely access volume but role design, exception handling, and review cadence.


At a glance

What this is: This is an analysis of segregation of duties failures and toxic access combinations, showing how conflicting entitlements let one identity bypass independent oversight.

Why it matters: It matters because IAM, IGA, and PAM teams often inherit hidden permission conflicts that create fraud exposure, audit findings, and weak internal controls across human and machine-administered systems.



Context

Toxic combinations in segregation of duties arise when a single identity can perform incompatible steps in a business process, such as creating a vendor and approving the payment. In identity governance terms, the failure is not just excess access. It is the collapse of separation between initiation, approval, and oversight.

As ERP, finance, cloud, and enterprise workflow platforms expand, conflicting entitlements accumulate through role creep, emergency access, and manual provisioning. That makes toxic access a governance problem as much as a security one, because the same entitlement pattern can trigger fraud, operational abuse, and compliance exceptions.

For IAM and IGA teams, this is a reminder that access review programs need to measure business conflict, not only privilege count. SoD control quality depends on how accurately the organisation maps entitlements to business actions and whether compensating controls are enforced when conflicts cannot be removed.


Key questions

Q: What breaks when a user can both create and approve sensitive transactions?

A: When one identity can both initiate and approve a sensitive workflow, the independent oversight model fails. That creates a direct path for fraud, errors, and concealed manipulation because the same person can create the event and validate it. SoD controls exist to prevent exactly that collapse of accountability.

Q: Why do toxic access combinations create audit and compliance risk?

A: Toxic combinations matter because they show that incompatible duties are still concentrated in one access path, which weakens internal control evidence. Auditors look for separation between creation, approval, and administration. If those steps can be completed by one user, the organisation must prove that compensating controls are strong enough to offset the conflict.

Q: How do security teams know if SoD controls are actually working?

A: A healthy SoD programme should show fewer unresolved conflicts, fewer repeated exceptions, and faster remediation of high-risk role overlaps. The strongest signal is whether users can still complete incompatible business actions after provisioning, access changes, or temporary elevation. If they can, the control is not holding at the process level.

Q: Who should own toxic combination remediation across ERP and cloud systems?

A: Ownership should sit with the identity governance function, but remediation needs process owners from finance, operations, and platform teams. SoD is not just an access problem. It is a business control problem, so the people who define the workflow must help decide which combinations are unacceptable and which need compensating controls.


Technical breakdown

How toxic SoD combinations form in enterprise roles

Toxic combinations appear when role models bundle incompatible business actions into the same entitlement set. In ERP and finance systems, a single role may accidentally include both creation and approval permissions, especially after rapid provisioning, mergers, or emergency access changes. The technical issue is not one bad permission but a control graph that no longer separates request, execution, and approval paths. Once that happens, the system can no longer rely on role boundaries to preserve accountability. Practical teams need to understand which combinations create an execution path that bypasses independent review.

Practical implication: map business functions to roles so incompatible actions are structurally separated before they reach production.

Why entitlement drift creates hidden access conflicts

Entitlement drift happens when users accumulate extra permissions over time and the access model is never revalidated. Temporary elevation, project-based access, and inherited roles can silently create toxic combinations that do not exist in the original design. This is common in environments where provisioning is manual or where access changes are reviewed only on a schedule. The security problem is that a valid access state on Monday can become a control failure by Friday without any explicit workflow marking the transition. Continuous entitlement intelligence is what exposes that drift before it becomes an audit finding.

Practical implication: review entitlement accumulation continuously, not just during annual access certifications.

How compensating controls limit SoD risk when conflicts remain

Some toxic combinations cannot be removed immediately because operations depend on them. In those cases, compensating controls reduce the chance that a single identity can fully abuse the conflict. Examples include independent approvals, heightened logging, transaction monitoring, and temporary access expiry. These controls do not fix the underlying role design, but they reintroduce friction and visibility where the original SoD boundary failed. The key technical question is whether the compensating control actually interrupts the same workflow stage the conflict abuses, or merely documents the exception after the fact.

Practical implication: require compensating controls to block or verify the exact business step the conflict makes risky.
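The three subsections above describe checks that can be run mechanically: which business actions an identity can really perform once its roles are bundled, whether an emergency grant has expired or is still contributing to a conflict, and whether a compensating control sits on the conflicting step rather than merely logging it. The following is an added Python example, not code from SecurEnds or NHI Mgmt Group; the role-to-action mapping, SoD rule pairs, sample users, review time and control types are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample data (assumption, not from the page): role -> business
# actions it grants; "firecall_admin" stands in for an emergency-access role.
ROLE_ACTIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "gl_accountant": {"journal.post"},
    "gl_reviewer": {"journal.approve"},
    "firecall_admin": {"vendor.create", "payment.approve", "user.admin"},
}
# SoD rules: pairs of business actions one identity must not hold together.
SOD_RULES = [("vendor.create", "payment.approve"),
             ("invoice.enter", "payment.approve"),
             ("journal.post", "journal.approve")]
# Control types that interrupt the risky step itself; logging alone does not.
STEP_VERIFYING = {"independent_approval", "block"}
NOW = datetime(2026, 6, 29, tzinfo=timezone.utc)  # constructed review time
# Constructed assignments: (role, expiry); None means a standing role.
SAMPLE_USERS = {
    "alice": [("ap_clerk", None), ("ap_manager", None)],
    "bob": [("ap_clerk", None), ("firecall_admin", NOW - timedelta(days=1))],
    "carol": [("gl_accountant", None), ("gl_reviewer", None)],
    "dave": [("ap_clerk", None), ("firecall_admin", NOW + timedelta(hours=4))],
}
# Constructed compensating controls keyed by (user, action).
SAMPLE_CONTROLS = {("alice", "payment.approve"): "independent_approval",
                   ("carol", "journal.approve"): "logging"}

def effective_actions(assignments, now):
    """Union of actions from standing roles and unexpired temporary grants."""
    actions = set()
    for role, expires in assignments:
        if expires is None or expires > now:
            actions |= ROLE_ACTIONS.get(role, set())
    return actions

def find_conflicts(assignments, now):
    """SoD rule pairs the identity can currently complete end to end."""
    actions = effective_actions(assignments, now)
    return [(a, b) for a, b in SOD_RULES if a in actions and b in actions]

def assess(user_assignments, controls, now):
    """Per user: (action_a, action_b, covered); covered is True only when a
    step-verifying control sits on one of the two conflicting actions."""
    report = {}
    for user, assignments in user_assignments.items():
        report[user] = [(a, b, bool({controls.get((user, a)),
                                     controls.get((user, b))} & STEP_VERIFYING))
                        for a, b in find_conflicts(assignments, now)]
    return report
```

Running `assess(SAMPLE_USERS, SAMPLE_CONTROLS, NOW)` shows the expired emergency grant dropping out for bob, the still-active one creating two uncovered conflicts for dave, and carol's logging-only control leaving her journal conflict uncovered.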



NHI Mgmt Group analysis

Toxic combinations are a role-design failure, not a user-behaviour problem: the issue begins when governance models allow incompatible business actions to coexist in the same access path. That means the control failure is structural, not accidental, and it shows up in ERP, finance, HR, and cloud administration where approval boundaries are blurred. The implication is that SoD programmes need to govern entitlements as process design, not as a spreadsheet cleanup exercise.

Standards compliance is a lagging indicator of SoD health: SOX, SOC 2, ISO 27001, and PCI DSS all expect separation of duties, but passing an audit does not prove the organisation can prevent toxic combinations from forming. A control environment can look compliant while role inheritance, emergency access, and manual provisioning keep recreating the same conflicts. Practitioners should treat unresolved conflicts as evidence of governance debt, not just audit noise.

Access reviews fail when they certify role presence instead of business conflict: a user can hold a formally approved role set and still retain incompatible powers that bypass oversight. That is why recertification must be tied to the actual business actions an identity can perform, not only to the entitlements it owns. The implication is that IGA programmes must measure whether a role combination is operationally separable, not merely whether it is approved.

Compensating controls are useful only when they restore the missing approval boundary: enhanced review, monitoring, and temporary restrictions matter only if they interrupt the exact conflict being exploited. If the control merely adds more logging after the fact, it leaves the toxic combination intact. Practitioners should design compensating controls as a precise substitute for the missing separation, not as a generic exception stamp.

From our research:

What this signals

With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, the broader governance lesson is that entitlement models are already drifting beyond human parity. That matters for SoD because conflict analysis becomes less reliable when access design assumes consistent role boundaries that no longer exist in practice.

Entitlement conflict debt: the real risk is not one toxic combination, but the accumulation of unresolved overlaps across systems that were never designed to reconcile business actions at scale. Teams should watch for role growth, exception sprawl, and recurring certification overrides because those are the leading indicators that SoD is becoming performative rather than preventive.


For practitioners

  • Map business activities to incompatible access paths: Build SoD rules from the actual business process, not from generic role names. Start with the highest-risk workflows such as vendor creation, payment approval, journal posting, and privileged administration, then identify every entitlement pair that lets one identity complete both sides of the process.
  • Revalidate emergency access after the incident ends: Make temporary elevation expire automatically and require a post-event review for any access granted outside normal workflow. Emergency permissions that remain active are a common source of toxic combinations, especially when they are inherited into standing roles after the original incident closes.
  • Treat role redesign as a control project: Break apart roles that mix request, approval, and administration duties, then test the redesigned model against SoD rules before deployment. In complex platforms, the safest path is often to rebuild composite roles rather than keep layering compensating controls on top of a broken structure.
  • Use exception reporting to force compensating control ownership: Require every accepted conflict to have an explicit owner, review cadence, and documented control that verifies the risky step. If the organisation cannot name who watches the exception, the compensation is not operationally real.

Key takeaways

  • Toxic combinations are evidence that process separation has failed, allowing one identity to complete incompatible business actions without independent oversight.
  • The scale of the risk shows up in recurring audit findings, unresolved exceptions, and access drift that quietly reintroduces conflicting duties after provisioning changes.
  • The practical response is to redesign roles, tighten exception ownership, and use compensating controls only where they restore the missing approval boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | SoD conflict management is a core access-control governance concern.
OWASP Non-Human Identity Top 10  | NHI-03              | Privilege overreach and toxic access are tightly linked in non-human identity governance.
NIST CSF 2.0                     | GV.RM-01            | Risk management should capture unresolved SoD conflicts as governance debt.

Review high-risk entitlements against NHI-03 and remove combinations that let one identity bypass oversight.


Key terms

  • Segregation of Duties: Segregation of Duties is the control principle that prevents one identity from performing incompatible steps in the same business process. It reduces fraud and control failure by separating creation, approval, administration, and review so no single user can fully initiate and conceal a sensitive action.
  • Toxic Combination: A toxic combination is a set of conflicting entitlements that lets one user bypass the intended separation between business actions. The risk is not the entitlement itself, but the way two or more permissions combine to create a control failure, audit finding, or fraud opportunity.
  • Compensating Control: A compensating control is an additional safeguard used when a toxic access conflict cannot be removed immediately. It should restore the missing oversight point through approval, monitoring, logging, or time limits, rather than simply documenting the exception after the risky action has already happened.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SecurEnds: toxic combinations in segregation of duties and how they weaken internal controls. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org