TL;DR: Segregation of duties reduces fraud and error by splitting critical process steps across different people, but the guide also shows how conflicts, violations, and SoD matrices become harder to manage as access sprawl and compliance pressure grow, according to Zluri. The governance lesson is that SoD only works when identity lifecycle, review, and remediation processes are tight enough to prevent privilege concentration.
NHIMG editorial — based on content published by Zluri: Security & Compliance Segregation of Duties (SoD) - A 101 Guide
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams apply SoD to service accounts and API keys?
A: Treat service accounts and API keys as governed identities, not as technical leftovers.
Q: Why does SoD often fail in cloud and SaaS environments?
A: SoD fails when identity sprawl and automation let one principal accumulate too many compatible-looking permissions.
Q: What do security teams get wrong about SoD matrices?
A: They often treat the matrix as proof of control rather than as a control design tool.
Practitioner guidance
- Map incompatible duties across human and machine identities: build a SoD matrix that includes employees, service accounts, API keys, and automation tokens.
- Tie access reviews to current entitlements: reconcile the SoD matrix against live directory, SaaS, and privileged access data before each certification cycle.
- Separate provisioning from review and approval: ensure the team that grants access is not the team that certifies it, especially for high-risk applications and privileged workflows.
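The three steps above describe a matrix and a reconciliation pass. The script below is an added example (not code from Zluri's guide or from the NHIMG post) that shows what that reconciliation looks like when service accounts and API keys are checked against the same matrix as people. The duty names, the entitlement-to-duty mapping, and the sample identities are all constructed for illustration; a real run would load entitlements from the directory, SaaS, and PAM exports named in the guidance. It also shows the failure mode from the Q&A above: two entitlements in different systems that look unrelated but collapse onto an incompatible duty pair.

```python
"""SoD conflict check across human and non-human identities.

Added example, not Zluri's or NHIMG's code. Duties, entitlements,
and identities below are constructed for illustration.
"""
from dataclasses import dataclass

# SoD matrix: unordered pairs of duties that one principal must never hold
# together. Stored as frozensets so the pair is order-independent.
SOD_MATRIX = {
    frozenset({"provision_access", "certify_access"}),
    frozenset({"request_payment", "approve_payment"}),
    frozenset({"modify_backup_policy", "restore_backup"}),
    frozenset({"change_saas_config", "audit_saas_config"}),
}

# Entitlement -> duty. Entitlements from different systems map onto the
# same duty; this is how "compatible-looking" permissions accumulate into
# a conflict that a per-application review never sees. (Constructed names.)
ENTITLEMENT_DUTY = {
    "okta:group-admin": "provision_access",
    "aws:iam:CreateAccessKey": "provision_access",
    "zluri:access-reviewer": "certify_access",
    "erp:ap-clerk": "request_payment",
    "erp:ap-approver": "approve_payment",
    "backup:policy-admin": "modify_backup_policy",
    "backup:restore-operator": "restore_backup",
    "saas:workspace-admin": "change_saas_config",
    "saas:config-auditor": "audit_saas_config",
}


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str  # "human", "service_account" or "api_key"; all are checked alike
    entitlements: frozenset


def duties_of(identity: Identity) -> set:
    """Collapse an identity's entitlements onto the duties they grant."""
    return {ENTITLEMENT_DUTY[e] for e in identity.entitlements if e in ENTITLEMENT_DUTY}


def unmapped_entitlements(identity: Identity) -> list:
    """Entitlements the matrix says nothing about: a coverage gap, not a pass."""
    return sorted(e for e in identity.entitlements if e not in ENTITLEMENT_DUTY)


def find_conflicts(identity: Identity, matrix=SOD_MATRIX) -> list:
    """Return the sorted list of incompatible duty pairs this identity holds."""
    held = duties_of(identity)
    return sorted(tuple(sorted(pair)) for pair in matrix if pair <= held)


def report(identities, matrix=SOD_MATRIX) -> dict:
    """Map identity name -> conflicts, for every identity with at least one."""
    out = {}
    for ident in identities:
        conflicts = find_conflicts(ident, matrix)
        if conflicts:
            out[ident.name] = conflicts
    return out


# Constructed sample entitlement export. Note the service account and the
# CI token: neither would trip a single-application review.
SAMPLE_IDENTITIES = [
    Identity("alice", "human", frozenset({"okta:group-admin", "erp:ap-clerk"})),
    Identity("bob", "human", frozenset({"erp:ap-clerk", "erp:ap-approver"})),
    Identity("svc-provisioner", "service_account",
             frozenset({"aws:iam:CreateAccessKey", "zluri:access-reviewer"})),
    Identity("ci-deploy-token", "api_key",
             frozenset({"backup:policy-admin", "backup:restore-operator", "github:read"})),
]


if __name__ == "__main__":
    for name, conflicts in report(SAMPLE_IDENTITIES).items():
        print(f"VIOLATION {name}: {conflicts}")
    for ident in SAMPLE_IDENTITIES:
        gaps = unmapped_entitlements(ident)
        if gaps:
            print(f"UNMAPPED  {ident.name}: {gaps}")
```

Two design points matter here. Conflicts are computed on duties, not on raw entitlement strings, so a provisioning right in AWS and a certification right in Zluri are recognised as the same incompatible pair as two roles in one ERP. And entitlements with no duty mapping are surfaced separately rather than silently ignored, because a matrix that does not cover an entitlement cannot vouch for it; that is the difference between using the matrix as a design tool and treating it as proof of control.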
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step SoD examples across user access management, backup and recovery, and SaaS configuration workflows
- Access certification and automated review features used to identify SoD conflicts in practice
- How policy-based provisioning and offboarding workflows support control separation
- Reporting and auditing capabilities for demonstrating SoD compliance during review cycles
👉 Read Zluri's guide to segregation of duties and identity governance →