
Segregation of duties automation for hybrid identity environments


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: Manual segregation of duties governance breaks down as organizations spread across cloud, SaaS, ERP, and hybrid systems, where permissions change daily and toxic combinations can linger for weeks or months, according to SecurEnds. Automated identity governance is now the practical way to detect conflicts continuously, standardize approvals, and keep audit evidence usable.

NHIMG editorial — based on content published by SecurEnds: segregation of duties automation across enterprise environments

Questions worth separating out

Q: How should security teams implement segregation of duties automation in hybrid environments?

A: Start by defining prohibited access combinations for the processes that matter most, then connect those rules to provisioning, approval, and certification workflows.

Q: Why do manual SoD reviews fail when permissions change daily?

A: Manual reviews fail because they rely on snapshots while modern access changes continuously through role shifts, temporary elevation, integrations, and deployments.

Q: What breaks when SoD is applied only to human users?

A: Machine identities can still create, deploy, approve, or move sensitive data, so a human-only model leaves major control gaps in cloud and DevOps workflows.

Practitioner guidance

  • Build a formal SoD matrix: Document prohibited access combinations by system and process, then map each conflict to the identities that can trigger it.
  • Automate provisioning checks before access is granted: Evaluate every new entitlement request against SoD policy at the point of approval, including temporary elevation and delegated admin paths.
  • Prioritise high-risk systems first: Start with payment, financial close, privileged administration, and cloud production workflows where conflicting access has the highest business impact.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • A breakdown of the automated SoD workflow from conflict detection through remediation tracking.
  • Examples of toxic access combinations across finance, IAM, cloud, and DevOps environments.
  • The article's discussion of audit-readiness outputs, including access review logs and remediation history.
  • The vendor's explanation of how continuous certification fits into enterprise governance workflows.

👉 Read SecurEnds' analysis of segregation of duties automation for hybrid identity →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

Manual SoD governance is a timing problem, not just an operating-model problem: periodic certification assumes access changes slowly enough to be reviewed before it matters. In modern hybrid estates, access mutates daily through provisioning, privilege elevation, and integrations. That means a conflict can exist long before the next review cycle sees it. Practitioners should treat SoD failure as a mismatch between governance cadence and identity velocity.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • 59% of infrastructure leaders cite "confidently wrong" AI configuration as their top fear, showing that governance failure is now as much about decision quality as access scope.

A question worth separating out:

Q: Who is accountable when an SoD conflict is missed in an audit or incident?

A: Accountability usually sits with the identity governance owner, the business process owner, and the control owner for the affected system. The key issue is whether the organisation can prove that policy, approval, and remediation were consistently enforced. Frameworks such as the NIST Cybersecurity Framework 2.0 support that kind of control ownership.

👉 Read our full editorial: Manual segregation of duties no longer scales across hybrid identity


