TL;DR: Segregation of duties in auditing separates sensitive tasks, approvals, and privileged actions to reduce fraud, abuse, and compliance failures, according to SecurEnds. In modern cloud and SaaS environments, that control is increasingly an identity governance problem, not just an audit checklist.
NHIMG editorial — based on content published by SecurEnds: segregation of duties in auditing and why it matters for modern governance
Questions worth separating out
Q: How should security teams enforce segregation of duties in IAM workflows?
A: Security teams should separate the identities and approval paths used for request, approval, provisioning, certification, and exception handling, so that no single identity can complete an access lifecycle end to end.
Q: Why do segregation of duties controls fail in cloud and SaaS environments?
A: They fail because authority is distributed across many consoles, delegated roles, and automation paths, so conflicts can hide outside one system.
Q: What do auditors look for in access review and SoD testing?
A: Auditors look for toxic entitlement combinations, weak approval separation, unresolved exceptions, and proof that conflicts were remediated.
Practitioner guidance
- Build an SoD matrix for identity workflows: document the incompatible combinations across request, approval, provisioning, certification, and exception handling.
- Block self-approval in high-risk workflows: enforce technical separation so the identity that creates or requests access cannot approve or recertify it.
- Review toxic entitlement combinations continuously: track combinations such as create-and-approve, request-and-certify, and admin-and-review across all major systems, not one console at a time.
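As an added illustration of the three points above (this is example code written for this post, not tooling from SecurEnds or NHIMG), the script below evaluates an SoD matrix against a cross-system entitlement snapshot and checks workflow records for self-approval. The entitlement-to-function mapping, the system names, the identities and the workflow records are all constructed sample data; the matrix entries are the create-and-approve, request-and-certify and admin-and-review pairs named above.

```python
"""Minimal SoD conflict checker (added example; all data below is constructed)."""
from collections import defaultdict
from itertools import combinations

# Map each system-specific entitlement to the abstract SoD function it grants.
# Assumption: this mapping is maintained by the governance team; names are illustrative.
ENTITLEMENT_FUNCTION = {
    ("erp", "ap_invoice_create"): "create",
    ("erp", "ap_invoice_approve"): "approve",
    ("iga", "access_request"): "request",
    ("iga", "access_approve"): "approve",
    ("iga", "access_certify"): "certify",
    ("iga", "access_review"): "review",
    ("cloud", "iam_admin"): "admin",
}

# SoD matrix: unordered pairs of functions one identity must not hold together.
SOD_MATRIX = {
    frozenset({"create", "approve"}),
    frozenset({"request", "certify"}),
    frozenset({"admin", "review"}),
}


def functions_held(entitlements):
    """Collapse (system, entitlement) pairs into SoD functions, keeping provenance."""
    held = defaultdict(set)
    for system, ent in entitlements:
        fn = ENTITLEMENT_FUNCTION.get((system, ent))
        if fn is not None:
            held[fn].add(f"{system}:{ent}")
    return held


def find_toxic_combinations(access):
    """Return (identity, function_a, function_b, sources) for every matrix pair an
    identity holds, including pairs whose halves live in different systems."""
    conflicts = []
    for identity, entitlements in access.items():
        held = functions_held(entitlements)
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in SOD_MATRIX:
                conflicts.append((identity, a, b, sorted(held[a] | held[b])))
    return conflicts


def find_self_approval(workflow_records):
    """Flag records where the requester also approved or certified the grant."""
    findings = []
    for rec in workflow_records:
        actor = rec["requested_by"]
        for step in ("approved_by", "certified_by"):
            if rec.get(step) == actor:
                findings.append((rec["id"], actor, step))
    return findings


# Constructed sample snapshot: alice conflicts inside one system, bob inside
# another, carol only when ERP/IGA/cloud are viewed together, dave is clean.
SAMPLE_ACCESS = {
    "alice": {("erp", "ap_invoice_create"), ("erp", "ap_invoice_approve")},
    "bob": {("iga", "access_request"), ("iga", "access_certify")},
    "carol": {("cloud", "iam_admin"), ("iga", "access_review")},
    "dave": {("iga", "access_request"), ("cloud", "iam_admin")},
}

# Constructed sample workflow records (hypothetical IDs).
SAMPLE_WORKFLOWS = [
    {"id": "REQ-1", "requested_by": "dave", "approved_by": "erin", "certified_by": "frank"},
    {"id": "REQ-2", "requested_by": "bob", "approved_by": "erin", "certified_by": "bob"},
    {"id": "REQ-3", "requested_by": "alice", "approved_by": "alice"},
]


def run_review(access=SAMPLE_ACCESS, workflows=SAMPLE_WORKFLOWS):
    """Produce the two finding lists an auditor would ask for."""
    return {
        "toxic_combinations": find_toxic_combinations(access),
        "self_approval": find_self_approval(workflows),
    }


if __name__ == "__main__":
    report = run_review()
    for identity, a, b, sources in report["toxic_combinations"]:
        print(f"TOXIC  {identity}: {a}+{b} via {', '.join(sources)}")
    for rec_id, actor, step in report["self_approval"]:
        print(f"SELF   {rec_id}: {actor} is requester and {step}")
```

The point of keying the matrix on abstract functions rather than on raw role names is that carol's conflict (cloud admin plus IGA reviewer) is invisible to either console on its own; it only appears once entitlements from every system are normalised into one view, which is the failure mode described in the Q&A above.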
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step SoD workflow examples for financial, IAM, and privileged access controls.
- Common audit findings and how to evidence remediation across access reviews and approvals.
- Operational guidance for maintaining SoD across cloud, SaaS, ERP, and hybrid environments.
- Practical examples of continuous monitoring and compliance-ready reporting.
👉 Read SecurEnds' full guide to segregation of duties in auditing →
Segregation of duties in auditing: is your identity governance keeping up?
Explore further
Segregation of duties is no longer a policy control alone; it is an identity-state control. The article correctly frames SoD as a governance requirement, but the practical failure point is the identity state itself: who can request, approve, provision, certify, and remediate at any given moment. When those functions collapse into one entitlement chain, the audit problem already exists before any transaction occurs. Practitioners should treat SoD as a live access topology question, not an annual checklist.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have already endured a successful cyberattack resulting from compromised non-human identities, which shows that identity governance failures are now measurable operational risk, not theory.
A question worth separating out:
Q: Who is accountable when a SoD conflict leads to fraud or compliance failure?
A: Accountability usually sits with the control owner, the approver, and the governance function that allowed the conflict to persist. Frameworks such as NIST Cybersecurity Framework 2.0 expect clear ownership of access risk, while audit programs expect documented review and remediation evidence.
👉 Read our full editorial: Segregation of duties in auditing is now an identity control problem