Notifications
Clear all
Topic starter
22/06/2026 3:43 pm
TL;DR: Unchecked trading at Société Générale created a €4.9 billion loss, illustrating how weak segregation of duties and incomplete risk controls can turn authorised access into severe operational damage, according to EmpowerID. The same failure pattern now appears across IAM, access governance, and recertification programmes when technical, data, and financial risks are managed in silos.
NHIMG editorial — based on content published by EmpowerID: a blog post on risk management, segregation of duties, and access governance
By the numbers:
- In 2008, a rogue trader at Société Générale caused a €4.9 billion loss due to unchecked trading activities.
Questions worth separating out
Q: How should security teams implement segregation of duties in access governance?
A: Start by defining the risky business functions that must not coexist in one identity, then map those functions to entitlements and roles.
Q: Why do role-based reviews miss risk in IAM and GRC programmes?
A: Role names often hide the actual actions a user can perform, especially when inheritance or local permissions expand authority underneath a simple label.
Q: What breaks when segregation of duties is only reviewed periodically?
A: Periodic reviews are too late to stop a toxic combination from being used between certification cycles.
Practitioner guidance
- Map risky functions before defining policies Catalogue the specific actions that create risk in each major system, then express them as policy objects that SoD engines can evaluate.
- Block toxic combinations at request time Evaluate access requests before granting entitlements that let one identity both initiate and approve a sensitive process.
- Expose function-level risk in recertification Present reviewers with the actual risky functions attached to an entitlement, not just the role name or group label.
What's in the full article
EmpowerID's full blog post covers the operational detail this post intentionally leaves for the source:
- Risk policy creation and management examples for sensitive business functions across IAM and ERP workflows
- Recertification workflow examples showing how risk data can be surfaced to approvers during access reviews
- Fine-grained permission mapping and role inheritance handling for more accurate risk evaluation
- User-facing reporting patterns such as digest emails and risk violation summaries for ongoing governance
👉 Read EmpowerID's blog post on risk management and segregation of duties →
Risk management and segregation of duties: what IAM teams miss?
Explore further
22/06/2026 3:48 pm
Segregation of duties is still the decisive control, but only when it is expressed as machine-enforceable function policy. Risk language without mapped functions becomes a reporting layer, not a control layer. The article is right to separate risk functions from risk policies, because governance only works when the policy engine understands which action combinations are toxic. Practitioners should treat SoD as an execution control, not a quarterly audit artefact.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
A: Accountability usually sits with the organisation that defined the workflow, the access owners who approved the entitlement, and the control owners who failed to enforce SoD. Governance frameworks expect traceable decisions, so unclear ownership is itself part of the control failure.
👉 Read our full editorial: Risk management for identity governance needs stronger SoD controls
