
SoD compliance in hybrid IAM: where governance breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: Segregation of duties compliance is a core control for SOX, HIPAA, and GDPR, but manual reviews, access creep, and fragmented hybrid environments weaken its ability to prevent fraud and unauthorized action, according to SecurEnds. The control still matters, but it now needs continuous governance rather than periodic checking.

NHIMG editorial — based on content published by SecurEnds: segregation of duties compliance across SOX, HIPAA, and GDPR

Questions worth separating out

Q: How should organisations implement segregation of duties in hybrid environments?

A: Start with a formal SoD matrix that maps prohibited combinations across finance, healthcare, cloud, and SaaS systems.

Q: Why do access reviews often miss SoD violations?

A: Because access reviews are snapshots, not continuous control points.

Q: What breaks when segregation of duties is not continuously monitored?

A: Toxic combinations can persist unnoticed in privileged, financial, and regulated-data workflows.

Practitioner guidance

  • Map toxic combinations across business workflows: Build an SoD matrix for finance, healthcare, and personal-data workflows, then define explicit conflicts such as create-and-approve or modify-and-audit.
  • Embed conflict checks into provisioning: Require automated SoD validation before access is approved or assigned in ERP, SaaS, and cloud administration workflows.
  • Re-certify privileged access continuously: Move privileged and high-risk accounts onto shorter review cycles with event-driven triggers for mover, leaver, and role-change events.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of SoD conflicts in SOX, HIPAA, and GDPR workflows that teams can map to their own applications
  • Step-by-step guidance for building and maintaining an SoD matrix across cloud, SaaS, and on-premise environments
  • Practical recommendations for automating user access certifications and conflict detection in governance workflows
  • Audit-readiness reporting patterns that show remediation history, approvals, and exception handling

👉 Read SecurEnds' guidance on segregation of duties compliance across regulated environments →
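
A worked illustration of the practitioner guidance above, added here as an example and not code from SecurEnds or NHIMG: a small SoD matrix expressed as forbidden entitlement pairs tagged with the regulatory driver, role-to-entitlement expansion so conflicts hidden inside a role are caught, and a preventive check that runs before a grant is assigned. Entitlement names, role names and identities are constructed placeholders.

```python
"""Preventive segregation-of-duties check at provisioning time.

Added example, not SecurEnds' or NHIMG's code. Every entitlement, role and
identity name below is a constructed placeholder.
"""
from dataclasses import dataclass, field

# SoD matrix: each key is an unordered pair of entitlements that no single
# identity may hold together; the value names the conflict class it maps to.
SOD_MATRIX = {
    frozenset({"ap.create_vendor", "ap.approve_payment"}): "SOX: create-and-approve",
    frozenset({"gl.post_journal", "gl.approve_journal"}): "SOX: create-and-approve",
    frozenset({"ehr.modify_record", "ehr.audit_log_admin"}): "HIPAA: modify-and-audit",
    frozenset({"crm.export_personal_data", "crm.delete_audit_trail"}): "GDPR: modify-and-audit",
    frozenset({"cloud.iam_admin", "cloud.cloudtrail_admin"}): "cloud: modify-and-audit",
}

# Role bundles (constructed). A request for a role is expanded to the
# entitlements it carries so that a conflict inside a bundle is still caught.
ROLES = {
    "ap-clerk": {"ap.create_vendor", "ap.view_invoice"},
    "ap-approver": {"ap.approve_payment", "ap.view_invoice"},
    "ehr-clinician": {"ehr.modify_record"},
    "ehr-platform-admin": {"ehr.audit_log_admin"},
}


@dataclass
class Identity:
    name: str
    entitlements: set = field(default_factory=set)


@dataclass
class Violation:
    identity: str
    pair: frozenset
    rule: str


def expand(requested):
    """Expand role names to entitlements; bare entitlement names pass through."""
    out = set()
    for item in requested:
        out |= ROLES.get(item, {item})
    return out


def find_conflicts(entitlements):
    """Detective check: every matrix pair fully contained in the given set."""
    return [(pair, rule) for pair, rule in SOD_MATRIX.items() if pair <= entitlements]


def validate_request(identity, requested):
    """Return only the conflicts this request would introduce.

    Pairs already violated before the request are not blamed on it; they are
    the job of the detective review, not the provisioning gate.
    """
    new = expand(requested) - identity.entitlements
    proposed = identity.entitlements | new
    return [Violation(identity.name, p, r) for p, r in find_conflicts(proposed) if p & new]


def provision(identity, requested):
    """Grant the request only if it introduces no SoD conflict."""
    violations = validate_request(identity, requested)
    if violations:
        return False, violations
    identity.entitlements |= expand(requested)
    return True, []


if __name__ == "__main__":
    alice = Identity("alice", {"ap.create_vendor"})
    ok, found = provision(alice, ["ap-approver"])
    print("granted" if ok else "blocked", [(v.rule, sorted(v.pair)) for v in found])
```

The gate reports only conflicts created by the request in hand, while `find_conflicts` over an identity's current entitlements is the detective pass a certification campaign would run; keeping the two separate avoids blocking an unrelated grant because of a pre-existing violation that already has an owner.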

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

SoD compliance fails when governance assumes access is static between reviews. The article describes a control model built around periodic certification, but that model breaks when identities accumulate privileges continuously across cloud and SaaS systems. The failure is not the absence of policy, it is the assumption that a reviewed entitlement remains valid until the next review. Practitioners should treat SoD as a living entitlement problem, not a checkbox exercise.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who is accountable when segregation of duties fails in regulated systems?

A: Accountability usually spans business process owners, IAM or IGA teams, and control owners in the regulated function. The organisation must be able to show who approved the access, who owns the conflict rules, and who remediated the violation. Auditors care less about intent than about whether the approval chain is provable.

👉 Read our full editorial: Segregation of duties compliance is breaking under hybrid IAM
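
Added example (not NHIMG's or SecurEnds' code) for the two points made in this reply: that access is not static between reviews, and that each finding must name who approved the access and who owns the conflict rule. One constructed entitlement timeline is evaluated twice in Python, once as periodic snapshots on quarterly review dates and once on every grant event. Rule names, dates, identities and approver names are constructed.

```python
"""Snapshot certification vs. event-driven SoD detection on one timeline.

Added example, not NHIMG's or SecurEnds' code. Rules, events, dates and
approver names are constructed to show a conflict that lives entirely between
two review dates.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SodRule:
    left: str
    right: str
    owner: str   # control owner accountable for this conflict rule
    label: str


RULES = [
    SodRule("ap.create_vendor", "ap.approve_payment", "finance-controls", "SOX create-and-approve"),
    SodRule("cloud.iam_admin", "cloud.cloudtrail_admin", "cloud-security", "modify-and-audit"),
]

# Lifecycle events: (day, identity, action, entitlement, approver). Constructed.
# carol's toxic pair exists only from 2024-02-10 to 2024-03-20, between the
# Q1 and Q2 review dates; dave's forms on 2024-05-01 and persists.
EVENTS = [
    (date(2024, 1, 2), "carol", "grant", "ap.create_vendor", "mgr-finance"),
    (date(2024, 2, 10), "carol", "grant", "ap.approve_payment", "mgr-treasury"),  # mover event
    (date(2024, 3, 20), "carol", "revoke", "ap.approve_payment", "iga-bot"),
    (date(2024, 1, 15), "dave", "grant", "cloud.iam_admin", "mgr-platform"),
    (date(2024, 5, 1), "dave", "grant", "cloud.cloudtrail_admin", "mgr-platform"),
]


def state_at(events, day):
    """Entitlements held per identity at end of `day`, mapped to the grant's approver."""
    held = {}
    for d, who, action, ent, approver in sorted(events):
        if d > day:
            break
        if action == "grant":
            held.setdefault(who, {})[ent] = approver
        elif action == "revoke":
            held.get(who, {}).pop(ent, None)
    return held


def violations(held):
    """Findings with the approval chain: approver of each side plus the rule owner."""
    out = []
    for who, ents in held.items():
        for r in RULES:
            if r.left in ents and r.right in ents:
                out.append({
                    "identity": who,
                    "rule": r.label,
                    "rule_owner": r.owner,
                    "approvers": {r.left: ents[r.left], r.right: ents[r.right]},
                })
    return out


def snapshot_review(events, review_dates):
    """Periodic certification: evaluate state only on the review dates."""
    return {d: violations(state_at(events, d)) for d in review_dates}


def event_driven_review(events):
    """Re-evaluate the affected identity on every grant; keep first detection per finding."""
    found = {}
    for d, who, action, ent, approver in sorted(events):
        if action != "grant":
            continue
        for v in violations({who: state_at(events, d).get(who, {})}):
            found.setdefault((v["identity"], v["rule"]), (d, v))
    return found


if __name__ == "__main__":
    print(snapshot_review(EVENTS, [date(2024, 3, 31), date(2024, 6, 30)]))
    print(event_driven_review(EVENTS))
```

The quarterly snapshots see dave's conflict but never carol's, because her approve-payment grant was revoked before Q1 closed; the event-driven pass records carol's violation on the day the mover grant landed, together with the two approvers and the rule owner an auditor would ask for.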



   