TL;DR: As organizations add more applications and hybrid access paths, segregation of duties becomes harder to enforce consistently across ERP and business systems, according to Delinea’s 2026 roundup. The control now has to work as an operating discipline, not just an audit requirement, because weak application-level separation leaves risky combinations of access intact.
NHIMG editorial — based on content published by Delinea: Top Segregation of Duties (SoD) solutions to know about in 2026
Questions worth separating out
Q: How should security teams implement segregation of duties across multiple business applications?
A: Start by mapping the business actions that must never sit in the same identity across ERP, finance, HR, CRM, and workflow systems.
Q: Why do segregation of duties controls break down in hybrid and multi-application environments?
A: They break down because access governance is often built around one system at a time, while real users and service identities operate across several platforms.
Q: What do teams get wrong when they treat SoD as only an audit requirement?
A: They focus on proving compliance after the fact instead of preventing risky access combinations in the first place.
Practitioner guidance
- Map SoD rules across business applications: Define toxic combinations across ERP, CRM, HR, finance, and cloud business apps so conflicts are detected even when no single platform shows a violation.
- Tie access reviews to remediation workflows: Require every detected SoD conflict to produce a tracked remediation outcome, not just a review note.
- Expand SoD governance to non-human identities: Review service accounts, integration users, and automation identities for combinations of permissions that can complete incompatible business steps.
What's in the full article
Delinea's full blog post covers the operational detail this post intentionally leaves for the source:
- Side-by-side product positioning across Delinea, Pathlock, Saviynt, Oracle, SAP GRC, and other SoD tools
- Application-specific feature descriptions for SAP, Oracle, NetSuite, Workday, Salesforce, and Microsoft Dynamics environments
- Vendor-led guidance on implementation speed, out-of-the-box rule sets, and audit workflow support
- The article's own comparison language for choosing a tool based on ERP footprint and compliance goals
Explore further
SoD is no longer a single-application control problem. The article reflects a broader reality that segregation of duties fails when organisations still reason about access inside siloed platforms while users operate across ERP, CRM, HR, and finance systems. The control surface is now cross-application, so a clean role in one system can still create a toxic combination in another. Practitioners need to treat SoD as an identity governance problem across the application estate, not as a point solution inside one business suite.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity control failures recur once governance is weak.
A question worth separating out:
Q: How should organisations evaluate SoD for service accounts and automation identities?
A: They should ask whether a non-human identity can assemble incompatible business actions across systems, even if each permission appears isolated. If an automation account can create, approve, and post transactions or move data between sensitive systems, it deserves the same conflict analysis as a human user. SoD is about action combinations, not whether the actor is human.
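The cross-application check described in the practitioner guidance and in the answer above, as an added example that is not from Delinea's article or any SoD product. The rule names, entitlement names, identities, and grant records are constructed for illustration; a real deployment would load them from each application's access export.

```python
from collections import defaultdict

# Constructed rules: business actions that must never sit in one identity.
SOD_RULES = {
    "vendor-payment": {"create_vendor", "approve_payment"},
    "journal-lifecycle": {"create_journal", "approve_journal", "post_journal"},
}
# Constructed mapping: (application, entitlement) -> business action.
ACTION_MAP = {
    ("erp", "AP_VENDOR_MAINT"): "create_vendor",
    ("finance", "PAYMENT_APPROVER"): "approve_payment",
    ("erp", "GL_ENTRY"): "create_journal",
    ("workflow", "JOURNAL_APPROVE"): "approve_journal",
    ("finance", "GL_POST"): "post_journal",
}
# Constructed grants: (identity, identity type, application, entitlement).
GRANTS = [
    ("alice", "human", "erp", "AP_VENDOR_MAINT"),
    ("alice", "human", "finance", "PAYMENT_APPROVER"),
    ("bob", "human", "erp", "GL_ENTRY"),
    ("svc-recon", "service", "erp", "GL_ENTRY"),
    ("svc-recon", "service", "workflow", "JOURNAL_APPROVE"),
    ("svc-recon", "service", "finance", "GL_POST"),
    ("carol", "human", "crm", "LEAD_EDIT"),
]

def find_conflicts(grants, action_map=ACTION_MAP, rules=SOD_RULES):
    """Return one finding per (identity, rule) where every action is held."""
    held = defaultdict(lambda: defaultdict(list))  # identity -> action -> grants
    kinds = {}
    for identity, kind, app, entitlement in grants:
        kinds[identity] = kind
        action = action_map.get((app, entitlement))
        if action:  # entitlements with no mapped action are ignored here
            held[identity][action].append((app, entitlement))
    findings = []
    for identity, actions in sorted(held.items()):
        for rule, required in sorted(rules.items()):
            if required <= set(actions):  # all incompatible actions in one identity
                sources = sorted(g for a in required for g in actions[a])
                findings.append({
                    "identity": identity, "type": kinds[identity], "rule": rule,
                    "apps": sorted({app for app, _ in sources}), "grants": sources,
                    "status": "open",  # each finding carries a remediation state
                })
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(GRANTS):
        print(finding)
```

Running the same function on the grants of any single application returns no findings, which is the siloed view the guidance warns about; the conflicts only appear once grants are joined per identity across systems.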