TL;DR: Segregation of duties remains a core control for compliance and fraud prevention, but it breaks down when roles overlap, approvals concentrate, or access reviews lag behind organisational change, according to Zluri’s 2026 analysis. The practical issue is not the policy itself, but whether identity governance can keep pace with real-world privilege drift.
NHIMG editorial — based on content published by Zluri: Security & Compliance Segregation of Duties (SoD) Risks to Address in 2026
Questions worth separating out
Q: How should organisations enforce segregation of duties in modern IAM programmes?
A: Start by mapping the real business process, not the org chart.
Q: Why do segregation of duties controls fail after mergers or reorganisations?
A: They fail because inherited access and approval chains often remain intact after the operating model changes.
Q: What do security teams get wrong about collusion risk in SoD?
A: They often assume that separated roles mean independent behaviour.
Practitioner guidance
- Rebuild the SoD matrix around actual business workflows. Document which roles initiate, approve, record, and reconcile each sensitive process, then compare that map against live entitlements and delegated permissions.
- Trigger access revalidation on every mover event. When a person changes role, automatically review conflicting access, inherited approvals, and dormant privileges before the new assignment is fully active.
- Instrument collusion indicators in approval workflows. Watch for repeated cross-approvals, shared admin paths, exception stacking, and unusual combinations of requestor and approver behaviour.
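The three guidance points above share one mechanical core: a duty-to-role matrix per sensitive process, a comparison of that matrix against what identities actually hold (including delegated rights), a projection of the same check onto a pending mover event, and a scan of approval records for reciprocal cross-approvals. The following Python script is an added illustration of that core written for this post; it is not code from Zluri or NHIMG, and every process name, role, user and approval record in it is constructed sample data.

```python
"""Toy segregation-of-duties (SoD) checks: conflicting duties per identity,
a mover-event projection, and a reciprocal cross-approval indicator.
Added illustration, not code from Zluri or NHIMG; all process, role, user
and log data below is constructed."""
from collections import Counter
from itertools import combinations

# SoD matrix built around the workflow, not the org chart: for each
# sensitive process, which roles may perform each duty. Constructed data.
SOD_MATRIX = {
    "vendor_payment": {
        "initiate": {"ap_clerk"},
        "approve": {"ap_manager", "finance_director"},
        "record": {"gl_accountant"},
        "reconcile": {"treasury_analyst"},
    },
    "payroll_change": {
        "initiate": {"hr_specialist"},
        "approve": {"hr_manager"},
        "record": {"payroll_admin"},
        "reconcile": {"internal_audit"},
    },
}

# Live entitlements (constructed): alice kept ap_clerk after moving into
# AP management, the classic inherited-access drift after a reorganisation.
ROLES = {
    "alice": {"ap_clerk", "ap_manager"},
    "bob": {"gl_accountant"},
    "carol": {"hr_specialist"},
    "dave": {"payroll_admin"},
}
# Delegated rights as (user, process, duty). Constructed: carol may approve
# payroll changes while her manager is away, on top of initiating them.
DELEGATIONS = [("carol", "payroll_change", "approve")]


def duties_for(user, process, roles=ROLES, delegations=DELEGATIONS, matrix=SOD_MATRIX):
    """Duties `user` can perform in `process`, reached via roles or delegation."""
    held = roles.get(user, set())
    duties = {d for d, allowed in matrix[process].items() if held & allowed}
    duties |= {d for u, p, d in delegations if u == user and p == process}
    return duties


def find_sod_conflicts(roles=ROLES, delegations=DELEGATIONS, matrix=SOD_MATRIX):
    """(user, process, duties) wherever one identity holds two or more duties
    in the same process; any such combination is an SoD conflict."""
    conflicts = []
    for user in sorted(roles):
        for process in sorted(matrix):
            duties = duties_for(user, process, roles, delegations, matrix)
            if len(duties) >= 2:
                conflicts.append((user, process, tuple(sorted(duties))))
    return conflicts


def conflicts_after_move(user, new_roles, roles=ROLES, delegations=DELEGATIONS, matrix=SOD_MATRIX):
    """Mover check: conflicts `user` would hold if `new_roles` were simply added
    on top of existing access, evaluated before the assignment is activated."""
    projected = dict(roles)
    projected[user] = roles.get(user, set()) | set(new_roles)
    return [c for c in find_sod_conflicts(projected, delegations, matrix) if c[0] == user]


# Approval records as (request_id, requestor, approver). Constructed sample:
# erin and frank repeatedly approve each other's requests.
APPROVAL_LOG = [
    ("r1", "erin", "frank"), ("r2", "frank", "erin"),
    ("r3", "erin", "frank"), ("r4", "frank", "erin"),
    ("r5", "gina", "frank"), ("r6", "bob", "alice"),
]


def find_cross_approvals(log=APPROVAL_LOG, min_each_way=2):
    """Collusion indicator: pairs who approve each other's requests at least
    `min_each_way` times in each direction. Returns (a, b, a_to_b, b_to_a)."""
    counts = Counter((req, appr) for _, req, appr in log if req != appr)
    people = {p for pair in counts for p in pair}
    flagged = []
    for a, b in combinations(sorted(people), 2):
        ab, ba = counts[(a, b)], counts[(b, a)]
        if ab >= min_each_way and ba >= min_each_way:
            flagged.append((a, b, ab, ba))
    return flagged


if __name__ == "__main__":
    for conflict in find_sod_conflicts():
        print("SoD conflict:", conflict)
    print("mover check, bob + treasury_analyst:", conflicts_after_move("bob", {"treasury_analyst"}))
    print("reciprocal approvals:", find_cross_approvals())
```

Run as a script, it flags alice (initiate plus approve on vendor payments through two roles), carol (initiate plus a delegated approve on payroll changes), the record-plus-reconcile conflict bob would acquire if treasury_analyst were added without removing gl_accountant, and the erin/frank reciprocal approval pattern. In a real programme the matrix and entitlement data would come from the IGA platform's exports rather than inline dicts, and the thresholds in the cross-approval check would be tuned to the volume of the workflow.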
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- The article's full breakdown of SoD risk categories across mergers, collusion, efficiency, and implementation cost
- Zluri's examples of approval workflows, access certification, and employee app store controls
- The vendor's mitigation ideas for role-based access control, offboarding, and workflow automation
- FAQ examples and implementation framing that go beyond the governance analysis in this post
👉 Read Zluri's analysis of segregation of duties risks in 2026 →