TL;DR: Traditional segregation of duties breaks down when AI agents, scripts, APIs and cloud services can request, approve and execute financially material actions outside human-paced checkpoints, according to Gathid. The control problem is no longer just who has access, but whether ownership, lifecycle and privilege chains can still be proven in a machine-driven workflow.
NHIMG editorial — based on content published by Gathid: Rethinking Control In A Hybrid Human-Machine Workforce
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: What breaks when segregation of duties is applied to machine identities?
A: Segregation of duties breaks when a bot, script or service account can span request, approval and execution inside one workflow.
Q: Why do machine identities increase financial control risk?
A: Machine identities increase financial control risk because they can operate with standing privilege, scale across systems and keep acting after the original business need has changed.
Q: How do security teams detect SoD violations in hybrid workflows?
A: Teams detect SoD violations by tracing the full identity chain across systems, not by reviewing one application at a time.
Practitioner guidance
- Model SoD around identity chains, not single accounts. Inventory the full request-to-execute path for any financial workflow and identify every human and machine identity that participates.
- Assign accountable owners to every machine identity. Require a named business and technical owner for each service account, bot or API credential that can touch financial systems.
- Timebox and review machine privileges continuously. Replace open-ended access with explicit expiry for credentials used in procurement, payments, reporting and release automation.
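One way to act on the guidance above (and on the detection question earlier), as an added example that is not code from Gathid or NHIMG: a small Python script that walks each acting identity's ownership chain (API key, AI agent, service account, human owner) across audit events gathered from several systems, reports identities whose chain spans more than one of request, approve or execute inside a single workflow, and separately flags machine identities with no accountable owner or with open-ended or expired credentials. All identity names, events and dates are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed identity graph (hypothetical names): each credential or account maps
# to the identity controlling it (API key -> service account -> human); None = no owner.
PARENT = {
    "apikey-7f3": "svc-payments-bot",
    "svc-payments-bot": "alice",
    "agent-ap-assistant": "svc-payments-bot",  # AI agent acting under the bot account
    "svc-report-job": None,                    # orphaned service account
}
EXPIRES = {"apikey-7f3": date(2024, 1, 31), "svc-report-job": None}  # None = standing
AS_OF = date(2024, 6, 1)  # constructed review date

# Constructed audit events pulled from several systems: (workflow, stage, actor, system).
EVENTS = [
    ("PO-1001", "request", "bob", "procurement"),
    ("PO-1001", "approve", "alice", "erp"),
    ("PO-1001", "execute", "apikey-7f3", "payments-api"),  # key chains up to alice
    ("PO-1002", "request", "agent-ap-assistant", "ticketing"),
    ("PO-1002", "approve", "carol", "erp"),
    ("PO-1002", "execute", "svc-payments-bot", "payments-api"),
]

def chain(identity):
    """Walk the ownership chain from a credential up to its root identity."""
    seen = []
    while identity is not None and identity not in seen:
        seen.append(identity)
        identity = PARENT.get(identity)
    return seen

def sod_violations(events):
    """workflow -> {identity: stages} for identities whose chain spans >1 SoD stage."""
    stages = defaultdict(lambda: defaultdict(set))
    for wf, stage, actor, _system in events:
        for ident in chain(actor):   # credit the act to every identity in the chain
            stages[wf][ident].add(stage)
    return {wf: {i: sorted(s) for i, s in ids.items() if len(s) > 1}
            for wf, ids in stages.items() if any(len(s) > 1 for s in ids.values())}

def privilege_findings(today=AS_OF):
    """Machine identities with no accountable owner, plus open-ended or expired credentials."""
    findings = [(i, "no accountable owner") for i in PARENT if chain(i)[-1] in PARENT]
    for ident, expiry in EXPIRES.items():
        if expiry is None:
            findings.append((ident, "standing access without expiry"))
        elif expiry < today:
            findings.append((ident, "credential past expiry"))
    return findings
```

Reviewing the payments API alone would show only a service account executing; only the cross-system chain reveals that the same human approved and executed PO-1001, and that the bot both requested (through its agent) and executed PO-1002.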
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor maps machine participation to finance-specific segregation of duties scenarios.
- Examples of identity digital twins and knowledge graphs used to model people, systems and entitlement lineage.
- Board-level reporting patterns for turning identity risk into financial-language evidence packs.
- The article's discussion of how to simulate privilege changes before implementation.
Hybrid human-machine SoD: what identity teams are missing?