TL;DR: 92% of organizations require separation of duties, yet 43% have failed SoD requirements and 60% have had to grant emergency access, often with delayed revocation and audit gaps, according to SailPoint and an external research firm. The core issue is not policy intent but governance execution, where manual processes turn exception handling into sustained risk.
NHIMG editorial — based on content published by SailPoint: New research on compliance, emergency access risks, and automation
By the numbers:
- 92% of organizations surveyed require some form of separation of duties.
- 43% of organizations reported that they have failed requirements for separation of duties at some point.
- 60% of companies have had to provide emergency access at some point.
Questions worth separating out
Q: What breaks when separation of duties is enforced only on paper?
A: When SoD exists only as policy, teams can still route sensitive actions through manual exceptions, informal approvals, or incomplete workflows.
Q: Why do emergency access exceptions create long-term governance risk?
A: Emergency access becomes risky when the exception is not tightly bounded and revoked.
Q: How do security teams know if their SoD controls are actually working?
A: They should test whether sensitive tasks still require independent review when the normal approver is absent, unavailable, or offline.
Practitioner guidance
- Rebuild separation of duties around actual workflows: Map the specific sensitive actions that require independent review, then verify that ERP, PAM, and IGA workflows enforce those checks end to end.
- Treat emergency access as a time-bounded lifecycle event: Require explicit approval, expiry, and revocation evidence for every emergency grant.
- Automate evidence collection before automating decisions: Use workflow automation to capture approvals, timestamps, and entitlement changes, but keep policy interpretation and exception ownership with accountable reviewers.
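One way to turn the guidance above into a repeatable control test, as an added example (Python, written for this post; it is not SailPoint's code and not from the original report). The entitlement names, conflict pairs, tolerance window and emergency-grant records are constructed stand-ins for what an IGA or PAM export would contain:

```python
from datetime import datetime, timedelta

# Constructed conflict pairs: duties one identity must never hold together (hypothetical names).
SOD_CONFLICTS = [("vendor.create", "payment.approve"), ("journal.post", "journal.approve")]

# Constructed entitlement snapshot, flattened the way an IGA export might be.
ENTITLEMENTS = {
    "alice": {"vendor.create", "payment.approve"},
    "bob": {"vendor.create"},
    "carol": {"journal.post", "journal.approve", "report.view"},
}

NOW = datetime(2024, 6, 1, 12, 0)
# Constructed emergency-grant records; approver, expiry and revocation are the evidence fields.
EMERGENCY_GRANTS = [
    {"user": "dave", "approver": "mgr1", "expires": datetime(2024, 5, 30, 16), "revoked": None},
    {"user": "erin", "approver": "mgr2", "expires": datetime(2024, 5, 28, 17), "revoked": datetime(2024, 5, 30, 10)},
    {"user": "frank", "approver": None, "expires": datetime(2024, 6, 1, 17), "revoked": None},
    {"user": "gina", "approver": "gina", "expires": datetime(2024, 6, 1, 14), "revoked": datetime(2024, 6, 1, 13)},
    {"user": "hank", "approver": "mgr3", "expires": datetime(2024, 5, 31, 18), "revoked": datetime(2024, 5, 31, 18, 30)},
]

def sod_violations(entitlements, conflicts=SOD_CONFLICTS):
    """Return (user, duty_a, duty_b) for every identity holding both sides of a conflict pair."""
    return [(user, a, b) for user, held in entitlements.items()
            for a, b in conflicts if a in held and b in held]

def emergency_access_findings(grants, now=NOW, max_revoke_lag=timedelta(hours=24)):
    """Flag grants with no approval evidence, self-approval, expiry without revocation, or late revocation."""
    findings = []
    for g in grants:
        if not g["approver"]:
            findings.append((g["user"], "no approval evidence"))
        elif g["approver"] == g["user"]:
            findings.append((g["user"], "self-approved: no independent review"))
        if g["revoked"] is None:
            if now > g["expires"]:
                findings.append((g["user"], "expired but still not revoked"))
        elif g["revoked"] - g["expires"] > max_revoke_lag:
            findings.append((g["user"], "revocation delayed beyond tolerance"))
    return findings

if __name__ == "__main__":
    for finding in sod_violations(ENTITLEMENTS) + emergency_access_findings(EMERGENCY_GRANTS):
        print(*finding)
```

Run against a real export, the two functions produce the audit evidence the guidance asks for: which identities currently violate a conflict pair, and which emergency grants lack approval, lack independent review, or outlived their expiry.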
What's in the full report
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- Survey methodology and respondent breakdown for the 300-plus security and IT professionals interviewed
- Detailed compliance gap statistics for separation of duties, emergency access, and revocation timing
- Additional findings on how automation and centralized governance affect GRC workflows
- Product-level context for SailPoint Access Risk Management in ERP environments
👉 Read SailPoint's research on compliance, emergency access, and automation →