
Access conflicts in identity governance: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Separation of duties failures emerge when users accumulate mutually exclusive entitlements across systems, creating access conflicts that can drive fraud and compliance risk, according to ConductorOne. The governance issue is not just detection after the fact, but whether identity controls can stop conflicting access before it is approved.

NHIMG editorial — based on content published by ConductorOne: SoD in modern identity security and access conflict prevention

Questions worth separating out

Q: How should security teams enforce separation of duties before access is granted?

A: Security teams should evaluate exclusion rules at request time, not just during periodic review.

Q: Why do access conflicts keep reappearing even in mature identity programmes?

A: Access conflicts reappear because access is additive across systems and changes faster than manual governance can track.

Q: What do teams get wrong about separation of duties reviews?

A: Teams often treat SoD as a certification activity instead of an entitlement design problem.

Practitioner guidance

  • Model mutually exclusive entitlements explicitly: document the access combinations that must never coexist across finance, ERP, HR, and administration systems.
  • Block risky access at request time: insert conflict checks into approval workflows so approvers see the overlap before granting access.
  • Run continuous conflict monitoring: schedule recurring entitlement scans and on-demand checks for emergency changes, then route violations into review and revocation queues.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • How the conflict monitor evaluates access data on a regular schedule and supports on-demand syncs.
  • How flagged insights appear inside access request workflows and influence approver decisions.
  • How policy logic can route conflicting requests to a manager, finance lead, or other high-trust approver.
  • How access reviews and automations are combined to detect, validate, and revoke existing conflicts.

👉 Read ConductorOne's post on separation of duties and access conflict prevention →




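The three practitioner steps above (an explicit exclusion matrix, a request-time check, and a recurring scan that feeds a revocation queue) fit in one small model. The following is an added example written for this post, not ConductorOne's conflict monitor or any part of its product; the `system:role` naming, the rule pairs, the sample identities and the "high_trust" routing label are all constructed for illustration. It generalises the single case in the text slightly: the request-time check evaluates the entitlement set the grant would produce, so a conflict is caught whichever half of the pair is requested second.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Entitlements are named "system:role" so overlap across ERP, finance, HR and
# admin systems is visible in one namespace (naming convention assumed here).
Entitlement = str
Rule = Tuple[Entitlement, Entitlement, str]  # (a, b, why they must not coexist)

# Constructed SoD matrix for the example; real rules come from control owners.
SOD_RULES: List[Rule] = [
    ("erp:vendor_create", "erp:invoice_approve", "create a vendor and approve its invoices"),
    ("finance:payment_release", "finance:bank_reconcile", "release payments and hide them in reconciliation"),
    ("hr:employee_create", "payroll:run", "create a ghost employee and pay it"),
    ("iam:role_admin", "erp:invoice_approve", "grant oneself approval rights"),
]

# Constructed current entitlements per identity (human or service account).
SAMPLE_USERS: Dict[str, Set[Entitlement]] = {
    "alice": {"erp:vendor_create", "finance:bank_reconcile"},
    "bob": {"hr:employee_create", "payroll:run"},  # pre-existing conflict
    "svc-billing": {"erp:invoice_approve"},
}


@dataclass
class Decision:
    allowed: bool
    conflicts: List[Rule] = field(default_factory=list)
    route_to: str = "standard"  # "high_trust" when a conflict needs a senior approver


def build_index(rules: List[Rule]) -> Dict[Entitlement, List[Tuple[Entitlement, str]]]:
    """Map each entitlement to the entitlements it is mutually exclusive with."""
    index: Dict[Entitlement, List[Tuple[Entitlement, str]]] = {}
    for a, b, why in rules:
        index.setdefault(a, []).append((b, why))
        index.setdefault(b, []).append((a, why))
    return index


def find_conflicts(held: Set[Entitlement], index) -> List[Rule]:
    """Return every rule pair fully present in `held`, each pair reported once."""
    seen = set()
    found: List[Rule] = []
    for ent in sorted(held):
        for other, why in index.get(ent, []):
            pair = frozenset((ent, other))
            if other in held and pair not in seen:
                seen.add(pair)
                a, b = sorted((ent, other))
                found.append((a, b, why))
    return found


def evaluate_request(current: Set[Entitlement], requested: Entitlement, index) -> Decision:
    """Request-time check: evaluate the entitlement set the grant would produce,
    because access is additive and the risk lives in the combination."""
    projected = set(current) | {requested}
    new_conflicts = [c for c in find_conflicts(projected, index) if requested in c[:2]]
    if new_conflicts:
        # Taken off the standard approval path and routed to a high-trust
        # approver, who sees the exact overlap rather than a bare request.
        return Decision(allowed=False, conflicts=new_conflicts, route_to="high_trust")
    return Decision(allowed=True)


def scan_all(users: Dict[str, Set[Entitlement]], index) -> Dict[str, List[Rule]]:
    """Continuous monitoring: flag identities already holding a conflicting
    combination so they can be routed to review and revocation."""
    queue: Dict[str, List[Rule]] = {}
    for user, held in users.items():
        conflicts = find_conflicts(held, index)
        if conflicts:
            queue[user] = conflicts
    return queue


if __name__ == "__main__":
    idx = build_index(SOD_RULES)
    d = evaluate_request(SAMPLE_USERS["alice"], "erp:invoice_approve", idx)
    print("alice -> erp:invoice_approve:",
          "allowed" if d.allowed else f"blocked, routed to {d.route_to}", d.conflicts)
    print("revocation queue:", scan_all(SAMPLE_USERS, idx))
```

Two design points: the request check only blocks on conflicts that the requested entitlement itself creates, so a pre-existing conflict is not silently re-approved under a new request but is left to the scan and revocation path; and because identities are just keys, the same scan covers service accounts alongside human users.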
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Access conflict is the operational form of segregation failure, not just a policy gap. SoD only works when mutually exclusive access is evaluated as a live entitlement relationship, not as a document or spreadsheet rule. Once permissions are distributed across systems, the risk is in combination, not possession. Practitioners should treat entitlement overlap as the control object, because that is where fraud pathways and compliance violations actually emerge.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means entitlement conflicts can remain hidden even when teams think they have coverage.

A question worth separating out:

Q: How can organisations tell if SoD controls are actually working?

A: SoD controls are working when conflicts are intercepted before activation, not simply documented after the fact. Useful signals include fewer manual overrides, faster conflict resolution, and review outcomes that lead to actual entitlement revocation. If conflicts are still surfacing late, the control is mostly observational.

👉 Read our full editorial: SoD in modern identity security: preventing access conflicts early



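The signals named in the answer above (conflicts intercepted before activation, override count, time to resolution, and reviews that end in revocation) can be computed from the conflict records an IGA tool exports. This is an added example written for this thread, not code from the editorial or from any vendor; the record fields, the identities, the timestamps and the 50% "preventive" threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass
class ConflictRecord:
    """One SoD conflict as it moves from detection to resolution (assumed schema)."""
    ident: str
    detected_at: datetime
    activated_at: Optional[datetime]  # None: caught at request time, never went live
    resolved_at: Optional[datetime]   # None: still open
    outcome: str                      # "denied", "revoked", "override" or "open"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed records standing in for an export from a conflict monitor and an
# access-request system; identities and timestamps are made up.
SAMPLE_RECORDS: List[ConflictRecord] = [
    ConflictRecord("alice", _ts("2024-05-01T09:00"), None, _ts("2024-05-01T10:00"), "denied"),
    ConflictRecord("dave", _ts("2024-05-02T09:00"), None, _ts("2024-05-02T12:00"), "override"),
    ConflictRecord("bob", _ts("2024-05-03T09:00"), _ts("2024-04-20T00:00"), _ts("2024-05-05T09:00"), "revoked"),
    ConflictRecord("svc-etl", _ts("2024-05-04T09:00"), _ts("2024-04-01T00:00"), None, "open"),
    ConflictRecord("erin", _ts("2024-05-06T09:00"), _ts("2024-03-15T00:00"), _ts("2024-05-06T15:00"), "revoked"),
]


def sod_signals(records: List[ConflictRecord]) -> Dict[str, float]:
    """Compute the health signals for an SoD control from its conflict records."""
    if not records:
        return {"intercept_rate": 0.0, "override_rate": 0.0,
                "revocation_rate_of_live": 0.0, "median_hours_to_resolve": 0.0}
    total = len(records)
    # Intercepted: the conflicting combination never became live access.
    intercepted = sum(1 for r in records if r.activated_at is None)
    overrides = sum(1 for r in records if r.outcome == "override")
    # Live conflicts are the ones detection found after the fact; what matters
    # there is whether review actually led to revocation.
    live = [r for r in records if r.activated_at is not None]
    revoked = sum(1 for r in live if r.outcome == "revoked")
    hours = [(r.resolved_at - r.detected_at).total_seconds() / 3600
             for r in records if r.resolved_at is not None]
    return {
        "intercept_rate": intercepted / total,
        "override_rate": overrides / total,
        "revocation_rate_of_live": revoked / len(live) if live else 0.0,
        "median_hours_to_resolve": median(hours) if hours else 0.0,
    }


def classify(signals: Dict[str, float], preventive_threshold: float = 0.5) -> str:
    """Assumed threshold: if fewer than half of conflicts are stopped before
    activation, the control is mainly recording conflicts after the fact."""
    if signals["intercept_rate"] >= preventive_threshold:
        return "preventive"
    return "mostly observational"


if __name__ == "__main__":
    s = sod_signals(SAMPLE_RECORDS)
    for name, value in s.items():
        print(f"{name:26s} {value:.2f}")
    print("verdict:", classify(s))
```

Tracking the trend of `intercept_rate` and `override_rate` over successive scans is more informative than any single reading: a rising intercept rate with a falling override rate is the shape a control should show as it moves from observing conflicts to preventing them.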