TL;DR: Segregation of duties is a preventive control that blocks conflicting access before it is granted, while user access reviews are detective controls that validate whether existing access still fits the role, according to SecurEnds. Treating them as interchangeable leaves audit gaps, stale access, and unresolved risk in governance cycles.
NHIMG editorial — based on content published by SecurEnds: segregation of duties vs user access review in identity governance
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
Questions worth separating out
Q: How should security teams combine segregation of duties and user access reviews?
A: Treat segregation of duties as the preventive gate and user access reviews as the corrective loop.
Q: Why do user access reviews fail when they are used alone?
A: They fail because they only find problems after access already exists.
Q: What breaks when segregation of duties is the only control in place?
A: SoD blocks some toxic combinations, but it does not clean up stale, unused, or orphaned access.
Practitioner guidance
- Embed SoD checks in provisioning workflows: block, or route for approval, any request that would create a conflicting entitlement combination before access is issued, especially in finance and admin systems.
- Run access reviews on a risk-based cadence: review privileged, financial, and sensitive-data access more frequently than low-risk entitlements, and require an explicit revoke or recertify decision for every exception.
- Tie reviews to removal, not attestation alone: make sure reviewers can remove stale access immediately after confirming that a role change, termination, or project end invalidates the entitlement.
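The three guidance points above describe one control pair: a preventive SoD gate evaluated before access is issued, and a detective review that comes due on a risk-based cadence and ends in a revoke or recertify decision that is actually applied. The Python model below is an added example written for this post; it is not code from SecurEnds or from any IGA product. The conflict rules, risk tiers, cadence windows, identities and dates are all constructed sample data, and the function names (`provision`, `review`, `apply_decisions`) are assumptions for illustration.

```python
"""Toy identity-governance model: a preventive SoD gate at provisioning time
beside a detective access review that forces revoke/recertify decisions.
Every rule, tier, identity and date below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed SoD policy: entitlement sets one identity must never hold at once
# (classic finance and IAM self-approval conflicts).
SOD_CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"ap:create_vendor", "ap:approve_payment"}),
    frozenset({"gl:post_journal", "gl:approve_journal"}),
    frozenset({"iam:grant_role", "iam:approve_role_request"}),
]

# Constructed risk tiers per entitlement, and how often each tier must be reviewed.
ENTITLEMENT_RISK: Dict[str, str] = {
    "ap:create_vendor": "financial", "ap:approve_payment": "financial",
    "gl:post_journal": "financial", "gl:approve_journal": "financial",
    "iam:grant_role": "privileged", "iam:approve_role_request": "privileged",
    "wiki:read": "standard",
}
REVIEW_CADENCE_DAYS = {"privileged": 30, "financial": 90, "standard": 365}
UNUSED_DAYS = 90  # no grant or use for this long => treated as stale


@dataclass
class Identity:
    name: str
    entitlements: Set[str] = field(default_factory=set)
    terminated: bool = False
    activity: Dict[str, date] = field(default_factory=dict)  # last grant or use


def sod_conflicts(held: Set[str], requested: str) -> List[FrozenSet[str]]:
    """Return every SoD rule the requested entitlement would complete."""
    combined = held | {requested}
    return [rule for rule in SOD_CONFLICTS if requested in rule and rule <= combined]


def provision(identity: Identity, requested: str, today: date) -> str:
    """Preventive gate: decide BEFORE access exists.
    Privileged conflicts are blocked outright; other conflicts are routed for
    approval; clean requests are granted and their grant date recorded."""
    if requested in identity.entitlements:
        return "granted"  # already held, nothing to decide
    conflicts = sod_conflicts(identity.entitlements, requested)
    if conflicts:
        tiers = {ENTITLEMENT_RISK.get(e, "standard") for rule in conflicts for e in rule}
        return "blocked" if "privileged" in tiers else "pending_approval"
    identity.entitlements.add(requested)
    identity.activity[requested] = today
    return "granted"


def review_due(entitlement: str, last_reviewed: Optional[date], today: date) -> bool:
    """Risk-based cadence: higher-risk entitlements come up for review sooner."""
    if last_reviewed is None:
        return True
    window = REVIEW_CADENCE_DAYS[ENTITLEMENT_RISK.get(entitlement, "standard")]
    return today - last_reviewed > timedelta(days=window)


def review(identity: Identity, today: date, last_reviewed: Dict[str, date]) -> Dict[str, str]:
    """Detective control: every entitlement that is due gets an explicit decision,
    'revoke' or 'recertify'; a bare attestation is not an allowed outcome."""
    decisions: Dict[str, str] = {}
    for ent in sorted(identity.entitlements):
        if not review_due(ent, last_reviewed.get(ent), today):
            continue
        last = identity.activity.get(ent)
        if identity.terminated:
            decisions[ent] = "revoke"  # leaver: every entitlement goes
        elif last is None or today - last > timedelta(days=UNUSED_DAYS):
            decisions[ent] = "revoke"  # stale access the SoD gate never sees
        else:
            decisions[ent] = "recertify"
    return decisions


def apply_decisions(identity: Identity, decisions: Dict[str, str]) -> Set[str]:
    """Tie review to removal: revoke decisions take effect immediately."""
    for ent, decision in decisions.items():
        if decision == "revoke":
            identity.entitlements.discard(ent)
    return identity.entitlements


def demo() -> dict:
    """Run both controls over constructed identities and return the outcomes."""
    today = date(2025, 6, 30)  # constructed reference date
    alice = Identity("alice", {"ap:create_vendor", "wiki:read"},
                     activity={"ap:create_vendor": date(2025, 6, 28), "wiki:read": date(2025, 1, 5)})
    bob = Identity("bob", {"iam:grant_role"}, activity={"iam:grant_role": date(2025, 6, 29)})
    carol = Identity("carol", {"gl:post_journal"}, terminated=True,
                     activity={"gl:post_journal": date(2025, 6, 20)})
    out = {
        "alice_approve_payment": provision(alice, "ap:approve_payment", today),  # finance conflict
        "alice_post_journal": provision(alice, "gl:post_journal", today),        # no conflict
        "bob_approve_role": provision(bob, "iam:approve_role_request", today),   # privileged conflict
    }
    out["alice_review"] = review(alice, today, {})                                  # never reviewed
    out["bob_review"] = review(bob, today, {"iam:grant_role": date(2025, 5, 15)})   # 46 days > 30
    out["carol_review"] = review(carol, today, {})
    out["alice_remaining"] = apply_decisions(alice, out["alice_review"])
    out["carol_remaining"] = apply_decisions(carol, out["carol_review"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details carry the post's point. The SoD gate never touches `wiki:read`: that entitlement is not in any conflict rule, so only the review notices it has gone unused for months and revokes it. Conversely, the review never sees Alice's blocked request for `ap:approve_payment`, because the gate stopped that state from ever existing; there is nothing stale to find. Running only one of the two leaves the other gap open.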
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of SoD conflicts in finance and IT workflows.
- A side-by-side comparison table of preventive and detective control timing.
- Practical guidance on review cadence, reviewer ownership, and audit evidence.
- How the platform frames unified workflows for access governance and certification.
👉 Read SecurEnds' explanation of segregation of duties vs user access review →
Segregation of duties vs user access review: where do controls differ?
Explore further
SoD and UAR are not parallel versions of the same control. They sit on opposite sides of the access lifecycle and answer different governance questions. SoD is about preventing a toxic entitlement state from ever existing, while UAR is about proving that existing access still makes sense. Teams that collapse the two into one workflow lose the distinction between prevention and evidence, which is exactly where audit findings begin.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Another finding from that research shows 62% of all secrets are duplicated and stored in multiple locations, which makes review evidence harder to trust.
A question worth separating out:
Q: Who should be accountable for access review decisions under SOX or ISO 27001?
A: Application owners, business managers, and control owners should be accountable for the decision itself, while IAM or IGA teams should provide the evidence and workflow. Auditors usually care less about the tool and more about whether decisions are documented, defensible, and actually enforced.
👉 Read our full editorial: Segregation of duties vs user access review in identity governance