Segregation of duties fraud prevention: where IAM controls fail


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: Weak segregation of duties lets employees, contractors, and privileged users complete sensitive processes without independent oversight, increasing fraud, audit failures, and hidden privilege abuse across finance, HR, cloud, and IAM workflows, according to SecurEnds. The core issue is not missing tools but governance that still allows one identity to control too much.

NHIMG editorial — based on content published by SecurEnds: segregation of duties fraud prevention and internal control governance

By the numbers:

Questions worth separating out

Q: What breaks when segregation of duties is not enforced in identity governance?

A: When segregation of duties is absent, a single identity can create, approve, and audit the same sensitive action.

Q: Why do conflicting access rights increase fraud risk more than broad access alone?

A: Broad access is risky, but conflicting access is worse because it lets one person complete an entire sensitive process without challenge.

Q: How do security teams know if SoD controls are actually working?

A: SoD controls are working only if live access state matches the approved separation model across systems.

Practitioner guidance

  • Build an SoD matrix for toxic combinations: document incompatible role, entitlement, and approval combinations across finance, HR, cloud, IAM, and PAM workflows, then validate the matrix against live access data.
  • Review access for conflict patterns, not just overreach: look for identities that can create and approve the same transaction, provision and certify the same access, or deploy and validate the same change.
  • Automate continuous SoD checks inside governance workflows: trigger conflict detection during provisioning, role change, emergency access, and certification events so violations are caught before approval closes.

What's in the full article

SecurEnds's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SoD matrix construction for finance, HR, IAM, and PAM workflows
  • Specific examples of conflicting permissions such as payment creation and approval
  • Automated conflict detection and workflow-driven remediation patterns
  • Audit and compliance reporting structures for regulated environments

👉 Read SecurEnds's analysis of segregation of duties fraud prevention →

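As an added example (not SecurEnds' or NHIMG's code), the three guidance points in the post above in working form: a constructed SoD matrix of toxic combinations, an audit of a constructed live access snapshot (roles expanded into entitlements) against that matrix, and the same check run on a provisioning request before approval so the conflict is caught before the request closes. Every identity, role, entitlement and rule id below is an assumption made up for the example.

```python
# Added example, not SecurEnds' or NHIMG's code: a minimal SoD conflict checker.
# Roles are expanded into entitlements, the live snapshot is audited against a
# matrix of toxic combinations, and a provisioning request is re-checked first.
# Constructed SoD matrix: rule id -> two entitlements one identity may not hold.
SOD_MATRIX = {
    "FIN-01": ("payment.create", "payment.approve"),
    "IAM-01": ("access.provision", "access.certify"),
    "CHG-01": ("deploy.execute", "deploy.validate"),
}
# Constructed role definitions: a role bundles entitlements.
ROLES = {
    "ap_clerk": {"payment.create"},
    "ap_manager": {"payment.approve"},
    "iam_admin": {"access.provision"},
    "access_reviewer": {"access.certify"},
    "release_eng": {"deploy.execute", "deploy.validate"},
}
# Constructed live access snapshot: identity -> role memberships and direct grants.
ACCESS = {
    "alice": {"roles": {"ap_clerk"}, "direct": set()},
    "bob": {"roles": {"ap_clerk", "ap_manager"}, "direct": set()},
    "svc-deploy": {"roles": {"release_eng"}, "direct": set()},
    "carol": {"roles": {"iam_admin"}, "direct": {"access.certify"}},
}

def effective_entitlements(identity, access=ACCESS, roles=ROLES):
    """Flatten an identity's roles and direct grants into one entitlement set."""
    ents = set(access[identity]["direct"])
    for role in access[identity]["roles"]:
        ents |= roles.get(role, set())
    return ents

def find_conflicts(entitlements, matrix=SOD_MATRIX):
    """Rule ids whose two entitlements are both present in the set."""
    return sorted(rid for rid, (a, b) in matrix.items()
                  if a in entitlements and b in entitlements)

def audit_snapshot(access=ACCESS):
    """Identity -> violated rule ids, for every identity in the live snapshot."""
    report = {i: find_conflicts(effective_entitlements(i, access)) for i in access}
    return {i: hits for i, hits in report.items() if hits}

def check_provisioning(identity, new_roles=(), new_direct=(), access=ACCESS):
    """Preventive check: conflicts the request would newly introduce, pre-approval."""
    current = effective_entitlements(identity, access)
    proposed = set(current) | set(new_direct)
    for role in new_roles:
        proposed |= ROLES.get(role, set())
    return sorted(set(find_conflicts(proposed)) - set(find_conflicts(current)))
```

The snapshot audit flags "bob" (create and approve payments via two roles), "svc-deploy" (a single role that both deploys and validates) and "carol" (a role plus a direct grant), while the provisioning check reports only conflicts a request would add, so an already-known violation is not re-raised on an unrelated change.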
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

Segregation of duties is the governance assumption that one identity will not control an entire sensitive process. That assumption was designed for environments where approvals, execution, and review were separated by people and process, but it fails whenever a single user accumulates end-to-end authority. The implication is that SoD is not just a control list item, it is a structural constraint on how accountability is assigned.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity weakness can repeat.

A question worth separating out:

Q: Who is accountable when a single user can both approve and execute a sensitive action?

A: Accountability sits with the organisation’s governance owners, because the failure is structural, not just behavioural. If one identity can approve and execute the same action, the control design allowed the conflict to exist. Frameworks such as SOX, SOC 2, ISO 27001, HIPAA, GDPR, and PCI-DSS all expect clear separation and traceable oversight.

👉 Read our full editorial: Segregation of duties fraud prevention is an IAM control gap
