TL;DR: Segregation of duties remains a core control for compliance and fraud prevention, but it breaks down when roles overlap, approvals concentrate, or access reviews lag behind organisational change, according to Zluri’s 2026 analysis. The practical issue is not the policy itself, but whether identity governance can keep pace with real-world privilege drift.
NHIMG editorial — based on content published by Zluri: Security & Compliance Segregation of Duties (SoD) Risks to Address in 2026
Questions worth separating out
Q: How should organisations enforce segregation of duties in modern IAM programmes?
A: Start by mapping the real business process, not the org chart.
Q: Why do segregation of duties controls fail after mergers or reorganisations?
A: They fail because inherited access and approval chains often remain intact after the operating model changes.
Q: What do security teams get wrong about collusion risk in SoD?
A: They often assume that separated roles mean independent behaviour.
Practitioner guidance
- Rebuild the SoD matrix around actual business workflows: document which roles initiate, approve, record, and reconcile each sensitive process, then compare that map against live entitlements and delegated permissions.
- Trigger access revalidation on every mover event: when a person changes role, automatically review conflicting access, inherited approvals, and dormant privileges before the new assignment is fully active.
- Instrument collusion indicators in approval workflows: watch for repeated cross-approvals, shared admin paths, exception stacking, and unusual combinations of requestor and approver behaviour.
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- The article's full breakdown of SoD risk categories across mergers, collusion, efficiency, and implementation cost
- Zluri's examples of approval workflows, access certification, and employee app store controls
- The vendor's mitigation ideas for role-based access control, offboarding, and workflow automation
- FAQ examples and implementation framing that go beyond the governance analysis in this post
Read Zluri's analysis of segregation of duties risks in 2026.
Segregation of duties risks in identity governance: what teams miss
Explore further
SoD is failing less because the principle is wrong and more because lifecycle controls do not keep pace with organisational change. The article’s core risk pattern is not just excess access, but access that survives role changes, mergers, and reorganisations long after the original segregation logic has expired. That is a governance failure, not a policy failure. Practitioners should treat SoD drift as evidence that access models are not being revalidated against the operating structure.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Should SoD controls also cover service accounts and automation?
A: Yes, because non-human identities can also accumulate conflicting privileges across request, execution, and approval paths. If a service account or automation account can both trigger and complete a sensitive action, the same separation logic should apply. Treat those identities as part of the governance model, not as exceptions to it.
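As an added example (not code from Zluri's article or from NHIMG), the checks described in the practitioner guidance above and in this answer, run over a constructed entitlement map and approval log: conflicting duties held by one identity (service accounts included), self-approvals, and repeated cross-approvals. All identity names, process names and the conflict table are assumptions.

```python
from collections import Counter

# Constructed sample data (assumption, not from the article): duties each
# identity holds per sensitive process. Service accounts sit in the same map.
ENTITLEMENTS = {
    "alice": {"vendor_payment": {"initiate"}},
    "bob": {"vendor_payment": {"approve"}},
    "carol": {"vendor_payment": {"record", "reconcile"}},
    "svc-payroll": {"payroll_run": {"initiate", "approve"}},  # NHI conflict
    "dave": {"payroll_run": {"approve"}},
}

# Duty pairs that one identity must never hold inside the same process (assumed).
CONFLICTS = {("initiate", "approve"), ("approve", "reconcile"), ("record", "reconcile")}

# Constructed approval log: (process, requestor, approver).
APPROVALS = [
    ("vendor_payment", "alice", "bob"),
    ("vendor_payment", "alice", "bob"),
    ("vendor_payment", "bob", "alice"),
    ("vendor_payment", "bob", "alice"),
    ("payroll_run", "svc-payroll", "svc-payroll"),  # automation approving itself
    ("payroll_run", "dave", "svc-payroll"),
]

def sod_conflicts(entitlements, conflicts=CONFLICTS):
    """(identity, process, duty_a, duty_b) for each conflicting pair actually held."""
    found = []
    for identity, processes in entitlements.items():
        for process, duties in processes.items():
            for a, b in sorted(conflicts):
                if a in duties and b in duties:
                    found.append((identity, process, a, b))
    return found

def self_approvals(approvals):
    """Events where the requestor completed their own approval (event-level breach)."""
    return [(p, r) for p, r, a in approvals if r == a]

def cross_approvals(approvals, min_count=2):
    """Identity pairs that approve each other's requests >= min_count times each way."""
    counts = Counter((r, a) for _, r, a in approvals if r != a)
    pairs = set()
    for (r, a), n in counts.items():
        if n >= min_count and counts[(a, r)] >= min_count:
            pairs.add(tuple(sorted((r, a))))
    return sorted(pairs)
```

Running the three checks on the same data shows why entitlement review alone is not enough: the mutual alice/bob approvals are only visible in the event log, not in the role map.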
Read our full editorial: Segregation of duties risks in 2026 expose IAM control gaps.