TL;DR: When segregation of duties conflicts cannot be removed without disrupting operations, mitigation controls let organisations document, monitor, and re-test accepted risk instead of leaving violations unresolved, according to SafePaaS. The governance issue is not whether SoD matters, but whether teams can prove that accepted conflict risk remains time-bound, justified, and continuously reviewed.
NHIMG editorial — based on content published by SafePaaS: Managing Segregation of Duties risk with mitigation controls
By the numbers:
- Organizations that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
Questions worth separating out
Q: How should security teams handle SoD violations that cannot be remediated?
A: They should treat them as formal risk acceptances with documented mitigation, not as unresolved exceptions.
Q: Why do SoD conflicts remain risky even when no fraud has occurred?
A: Because the risk lies in the access path as much as the transaction outcome.
Q: What do auditors expect to see for accepted SoD risk?
A: Auditors expect a complete treatment trail.
Practitioner guidance
- Build a current SoD conflict matrix Define the business function pairs that create real control conflicts, map them to roles and users, and refresh the matrix whenever finance, procurement, or approval workflows change.
- Use mitigation only for justified exceptions Require a documented reason, named owner, and expiry date for every accepted conflict so mitigation stays time-bound and reviewable.
- Link SoD exceptions to transaction monitors Connect accepted conflicts to activity monitoring so reviewers can see whether the user actually executed both sides of the conflicting process.
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- The article explains the seven-phase SoD review lifecycle in implementation terms, including how violations move from detection to certification.
- It describes how mitigation controls are configured with validity periods, owners, and supporting documentation.
- It shows how transaction monitors are linked to accepted conflicts so teams can compare can-do and did-do evidence.
- It outlines how reviewers decide between remediation and mitigation during periodic SoD surveys.
👉 Read SafePaaS's full article on mitigation controls for segregation of duties →
Segregation of duties mitigation controls: what audit teams need now?
Explore further
Mitigation is a governance decision, not a technical workaround. The article correctly frames unresolved SoD conflicts as accepted risk that must be documented, monitored, and revalidated. That is the right control lens for business-critical access that cannot be removed without disrupting operations. The implication is that IAM and IGA teams must manage exceptions with the same discipline they apply to standard entitlements.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: When should organisations prefer remediation over mitigation?
A: They should prefer remediation whenever access can be removed without breaking essential operations. Mitigation is appropriate only when the conflicting access is genuinely required and the organisation can prove that compensating controls, such as monitoring or approval review, reduce the residual risk to an acceptable level.
👉 Read our full editorial: Mitigation controls for segregation of duties risk and audit readiness