
Separation of duties vs internal controls: where teams go wrong


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Separation of duties is a specific control pattern that prevents one identity from initiating, approving, and recording the same sensitive action, while internal controls are the broader governance mechanisms around accountability, fraud prevention, and compliance, according to Zluri. The distinction matters because teams often overstate SoD as a cure-all when the real requirement is a control framework that matches the process and identity type.

NHIMG editorial — based on content published by Zluri: Security & Compliance Separation Of Duties & Internal Controls: What’s The Difference?

Questions worth separating out

Q: How should organisations implement separation of duties in access governance?

A: Start by identifying the specific processes where one identity should never be able to initiate, approve, and finalise the same action.

Q: Why do internal controls need more than separation of duties?

A: SoD limits role concentration, but internal controls also need monitoring, reconciliation, training, and corrective action.

Q: What do teams get wrong about SoD in identity programmes?

A: They often treat it as a single permission rule instead of a control design problem.

Practitioner guidance

  • Define SoD at workflow level: Break sensitive processes into discrete initiation, approval, execution, and reconciliation steps, then assign each step to different identities where the risk justifies it.
  • Test for role concentration: Review where one user, service account, or admin role can still influence multiple steps in the same process, especially in finance, procurement, and privileged access paths.
  • Tie SoD to access reviews: Use periodic access recertification to verify that role assignments still preserve independence and that inherited permissions have not recreated end-to-end control.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Detailed explanations of preventative, detective, and corrective controls in business and finance processes
  • Expanded examples showing how SoD reduces fraud, error, and conflict of interest in day-to-day operations
  • FAQ material on implementing SoD policies, training staff, and supporting SOX compliance
  • Product-context guidance on how Zluri positions automated access workflows for governance teams

👉 Read Zluri's article on separation of duties and internal controls →

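As an added illustration of the practitioner guidance in the post above (example code, not from the post, NHIMG or Zluri): a small Python check that expands role inheritance transitively, then flags identities able to act in more than one step of a workflow and identities whose inherited roles have recreated end-to-end control. All identity, role and step names are constructed.

```python
from collections import deque

# Constructed sample data (hypothetical names): direct role assignments, role
# inheritance, and the discrete steps of one sensitive workflow mapped to the
# roles allowed to perform each step.
ROLE_ASSIGNMENTS = {
    "alice": {"ap-clerk"},
    "bob": {"ap-approver"},
    "dave": {"ap-payment-runner"},
    "svc-erp-sync": {"ap-clerk", "ap-reconciler"},  # service account
    "carol": {"finance-admin"},                     # admin role
}
ROLE_INHERITS = {
    "finance-admin": {"ap-approver", "ap-reconciler", "ap-ops"},
    "ap-ops": {"ap-clerk", "ap-payment-runner"},     # second level of inheritance
}
VENDOR_PAYMENT_STEPS = {
    "initiate": {"ap-clerk"},
    "approve": {"ap-approver"},
    "execute": {"ap-payment-runner"},
    "reconcile": {"ap-reconciler"},
}


def effective_roles(identity, assignments, inherits):
    """Expand an identity's direct roles through inheritance, transitively."""
    seen = set()
    queue = deque(assignments.get(identity, ()))
    while queue:
        role = queue.popleft()
        if role not in seen:
            seen.add(role)
            queue.extend(inherits.get(role, ()))
    return seen


def reachable_steps(identity, assignments, inherits, steps):
    """Sorted workflow steps the identity can perform through any effective role."""
    roles = effective_roles(identity, assignments, inherits)
    return sorted(step for step, allowed in steps.items() if roles & allowed)


def sod_conflicts(assignments, inherits, steps):
    """Identities able to act in more than one step of the same workflow."""
    conflicts = {}
    for identity in assignments:
        reached = reachable_steps(identity, assignments, inherits, steps)
        if len(reached) > 1:
            conflicts[identity] = reached
    return conflicts


def end_to_end_control(assignments, inherits, steps):
    """Identities whose effective roles cover every step: SoD fully collapsed."""
    return sorted(identity for identity in assignments
                  if set(reachable_steps(identity, assignments, inherits, steps)) == set(steps))
```

Run against a real export of role assignments and group nesting during an access recertification, the `end_to_end_control` result is the list that should be empty before sign-off.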
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Separation of duties is a process control, not a governance strategy. The article correctly distinguishes SoD from internal controls, but the deeper point is that SoD only works when it is embedded in a wider control environment. Without access reviews, logging, reconciliation, and enforcement, SoD becomes a policy statement rather than an operational constraint. Practitioners should treat it as one control in a chain, not the chain itself.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding in the same report says only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs.

A question worth separating out:

Q: Who is accountable when SoD failures lead to compliance issues?

A: Accountability usually sits with the control owner, the process owner, and the identity governance team together, because SoD failures often reflect both design gaps and enforcement gaps. Regulators and auditors expect organisations to prove that controls are defined, operating, and independently evidenced.

👉 Read our full editorial: Separation of duties and internal controls are not the same
