TL;DR: 92% of organisations require separation of duties, yet 43% have failed SoD requirements and 60% have had to grant emergency access, often with delayed revocation and audit gaps, according to SailPoint and an external research firm. The core issue is not policy intent but governance execution, where manual processes turn exception handling into sustained risk.
NHIMG editorial — based on content published by SailPoint: New research on compliance, emergency access risks, and automation
By the numbers:
- 92% of organizations surveyed require some form of separation of duties.
- 43% of organizations reported that they have failed requirements for separation of duties at some point.
- 60% of companies have had to provide emergency access at some point.
Questions worth separating out
Q: What breaks when separation of duties is enforced only on paper?
A: When SoD exists only as policy, teams can still route sensitive actions through manual exceptions, informal approvals, or incomplete workflows.
Q: Why do emergency access exceptions create long-term governance risk?
A: Emergency access becomes risky when the exception is not tightly bounded and revoked.
Q: How do security teams know if their SoD controls are actually working?
A: They should test whether sensitive tasks still require independent review when the normal approver is absent, unavailable, or offline.
Practitioner guidance
- Rebuild separation of duties around actual workflows Map the specific sensitive actions that require independent review, then verify that ERP, PAM, and IGA workflows enforce those checks end to end.
- Treat emergency access as a time-bounded lifecycle event Require explicit approval, expiry, and revocation evidence for every emergency grant.
- Automate evidence collection before automating decisions Use workflow automation to capture approvals, timestamps, and entitlement changes, but keep policy interpretation and exception ownership with accountable reviewers.
What's in the full report
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- Survey methodology and respondent breakdown for the 300-plus security and IT professionals interviewed
- Detailed compliance gap statistics for separation of duties, emergency access, and revocation timing
- Additional findings on how automation and centralized governance affect GRC workflows
- Product-level context for SailPoint Access Risk Management in ERP environments
👉 Read SailPoint's research on compliance, emergency access, and automation →
Emergency access and SoD failures: what IAM teams need to know?
Explore further
Separation of duties is not failing because the model is wrong. It is failing because organisations still treat it as a static policy instead of a live governance control. The survey data shows broad adoption but frequent failure, which is exactly what happens when policy language outpaces process design. In practice, SoD only works when entitlement modelling, approvals, and evidence collection remain aligned to the actual workflow. The practitioner conclusion is that SoD maturity is a control-execution problem, not a policy-awareness problem.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
A question worth separating out:
Q: Who is accountable when emergency access is granted and not revoked?
A: Accountability should sit with the owner of the access workflow, the approving manager or control authority, and the team responsible for revocation evidence. If no one owns the expiry and review step, emergency access becomes operationally convenient but governance-unowned. That is a lifecycle failure, not just an incident response gap.
👉 Read our full editorial: Compliance and emergency access risks expose identity governance gaps