Segregation of duties in hybrid IT: where do controls fail?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7818

TL;DR: Static segregation of duties programs are struggling against hybrid IT, role proliferation, and faster change, according to SafePaaS. Manual reviews and spreadsheet-driven controls leave toxic access combinations undiscovered until audit, fraud, or breach events expose them, making continuous enforcement the real governance threshold.

NHIMG editorial — based on content published by SafePaaS: segregation of duties in modern hybrid environments

Questions worth separating out

Q: How should teams enforce segregation of duties in hybrid IT environments?

A: Teams should enforce SoD with centralised policy logic that evaluates actual business process risk across ERP, SaaS, and custom systems.

Q: What breaks when segregation of duties relies on annual spreadsheet reviews?

A: Annual spreadsheet reviews fail because they see access too late (months after a grant, by which time a toxic combination may already have been exercised) and too abstractly (as role names and job titles rather than the permissions behind them).

Q: How do organisations know whether SoD controls are actually working?

A: SoD is working when conflict detection is tied to live identity and transaction events, not just audit reports.

Practitioner guidance

  • Centralise SoD policy around business process risk: map toxic combinations to real process steps such as create, approve, post, and reconcile, then apply the same policy logic across ERP, SaaS, and custom applications.
  • Move from annual review to continuous conflict detection: trigger SoD evaluation on access changes, exception grants, and identity lifecycle events so risky combinations are identified before they are used in a transaction.
  • Inspect entitlement inventories at transaction level: review the actual permissions, menus, and privileges that enable action rather than relying on role names or job titles, which often hide layered access.
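The three guidance points above describe one mechanism: a single SoD policy written against process steps, a mapping layer from each system's concrete entitlements onto those steps, nested roles expanded down to the permissions they actually carry, and evaluation triggered by every grant or revoke rather than by an annual review. The following is an added illustration of that mechanism in Python; it is not SafePaaS's or NHIMG's code, and every system, role, entitlement, identity and event name in it is constructed for the example.

```python
"""Continuous SoD conflict detection driven by identity lifecycle events.

Added illustration, not SafePaaS's or NHIMG's code. All system, role,
entitlement, identity and event names are constructed for this example.
"""
from dataclasses import dataclass, field

# Process steps: the vocabulary SoD policy is written in, shared across systems.
CREATE, APPROVE, POST, RECONCILE = "create", "approve", "post", "reconcile"

# Toxic combinations per business process, stated once and reused everywhere.
TOXIC_PAIRS = {
    "vendor_payment": {frozenset({CREATE, APPROVE}), frozenset({POST, RECONCILE})},
}

# Entitlement inventory (constructed): what each concrete permission actually
# enables. Keys are "<system>:<entitlement>"; values are (process, step) pairs.
ENTITLEMENT_STEPS = {
    "erp:ap_invoice_entry": {("vendor_payment", CREATE)},
    "erp:ap_invoice_release": {("vendor_payment", APPROVE)},
    "payments_saas:batch_submit": {("vendor_payment", POST)},
    "custom_recon:close_period": {("vendor_payment", RECONCILE)},
    "erp:ap_report_view": set(),  # read-only; enables no controlled step
}

# Role inventory (constructed), including nesting. Role names say nothing
# about risk: FIN_REPORTING sounds harmless but carries a posting permission.
ROLE_MEMBERS = {
    "AP_CLERK": {"erp:ap_invoice_entry", "erp:ap_report_view"},
    "AP_SUPERVISOR": {"role:AP_CLERK", "erp:ap_invoice_release"},
    "FIN_REPORTING": {"erp:ap_report_view", "role:TREASURY_OPS"},
    "TREASURY_OPS": {"payments_saas:batch_submit"},
}


def expand_role(role, seen=None):
    """Return the concrete entitlements behind a role, following nested roles (cycle-safe)."""
    seen = seen if seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    out = set()
    for member in ROLE_MEMBERS.get(role, set()):
        if member.startswith("role:"):
            out |= expand_role(member[len("role:"):], seen)
        else:
            out.add(member)
    return out


@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    direct: set = field(default_factory=set)      # entitlements granted outside any role
    exceptions: set = field(default_factory=set)  # temporary or emergency grants

    def effective_entitlements(self):
        ents = set(self.direct) | set(self.exceptions)
        for role in self.roles:
            ents |= expand_role(role)
        return ents


def steps_enabled(entitlements):
    """Map entitlements to {process: {step: {entitlements that provide it}}}."""
    enabled = {}
    for ent in entitlements:
        for process, step in ENTITLEMENT_STEPS.get(ent, set()):
            enabled.setdefault(process, {}).setdefault(step, set()).add(ent)
    return enabled


def find_conflicts(identity):
    """Return toxic combinations the identity can currently complete, with evidence."""
    enabled = steps_enabled(identity.effective_entitlements())
    conflicts = []
    for process, pairs in TOXIC_PAIRS.items():
        have = enabled.get(process, {})
        for pair in pairs:
            if pair <= set(have):
                evidence = {step: sorted(have[step]) for step in sorted(pair)}
                conflicts.append((process, tuple(sorted(pair)), evidence))
    return sorted(conflicts, key=lambda c: (c[0], c[1]))


def apply_event(identity, event):
    """Apply a grant/revoke lifecycle event, then re-evaluate SoD immediately."""
    kind, value = event["type"], event["value"]
    target = {"role": identity.roles, "entitlement": identity.direct, "exception": identity.exceptions}
    if kind.startswith("grant_"):
        target[kind[len("grant_"):]].add(value)
    elif kind.startswith("revoke_"):
        target[kind[len("revoke_"):]].discard(value)
    else:
        raise ValueError(f"unknown event type {kind}")
    return find_conflicts(identity)


def run_demo():
    """Constructed event stream for one identity; returns conflicts raised after each event."""
    alice = Identity("alice")
    events = [
        {"type": "grant_role", "value": "AP_CLERK"},                         # create only: clean
        {"type": "grant_role", "value": "FIN_REPORTING"},                    # hidden post via nesting: still clean
        {"type": "grant_exception", "value": "custom_recon:close_period"},   # post + reconcile: toxic
        {"type": "grant_role", "value": "AP_SUPERVISOR"},                    # create + approve: toxic
        {"type": "revoke_exception", "value": "custom_recon:close_period"},  # clears post/reconcile
    ]
    return [apply_event(alice, e) for e in events]


if __name__ == "__main__":
    for i, conflicts in enumerate(run_demo()):
        print(f"event {i}: {conflicts}")
```

The conflict raised on the third event is the one a spreadsheet review keyed on role names would miss: the posting permission arrives through the nested TREASURY_OPS role inside the innocuous-looking FIN_REPORTING, and the reconcile step arrives as an exception grant that never appears in the role model at all. Each conflict carries the specific entitlements that create it, which is what a process owner needs in order to approve or remediate it.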

What's in the full article

SafePaaS's full analysis covers the operational detail this post intentionally leaves for the source:

  • Policy design examples for toxic combinations such as create and approve, or post and review, in finance workflows
  • Operational mapping guidance for ERP, SaaS, and legacy applications where role structures differ
  • Continuous monitoring and remediation workflow patterns for SoD exceptions and compensating controls
  • Implementation detail on how business process owners should approve and document high-risk access combinations

👉 Read SafePaaS's analysis of why traditional segregation of duties falls short →
