TL;DR: SOX compliance fails when access reviews, evidence collection, and separation of duties still rely on manual processes across fragmented systems, according to ConductorOne. The operational issue is not audit volume but identity governance maturity: without centralized visibility, controls drift faster than reviewers can certify them.
NHIMG editorial — based on content published by ConductorOne: Five Ways to Streamline SOX Compliance with C1
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should teams run SOX access reviews in fragmented environments?
A: Teams should centralise entitlement data before the review starts, then certify access against the actual systems in use rather than a static spreadsheet.
Q: Why do SOX controls fail when systems are spread across SaaS and cloud?
A: They fail because the organisation loses a single source of truth for who can do what.
Q: What do security teams get wrong about separation of duties?
A: They often treat SoD as a role design problem instead of an effective permissions problem.
Practitioner guidance
- Unify entitlement data before audit season: create a single entitlement view across SaaS, cloud, on-prem, and homegrown applications so reviewers are not reconciling exports by hand.
- Map SOX controls to live access state: tie each critical control to the actual users, roles, and service accounts that can execute it, then reconcile that mapping continuously.
- Automate evidence capture at control execution time: record approvals, access reviews, and SoD decisions as immutable audit evidence when they occur, not after the fact in a separate workflow.
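The three steps above, worked through as one added example (not ConductorOne's code, and not from the original post): role grants exported from several hypothetical systems are collapsed into effective permissions per identity, separation-of-duties rules are checked against those effective permissions rather than role names, and the result is captured as a timestamped, hashed evidence record at the moment the review runs. All system names, identities, roles and rules are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: roles from three hypothetical systems (ERP, bank
# portal, cloud pipeline) expanded to the concrete actions they permit.
ROLE_ACTIONS = {
    "erp:ap_clerk": {"vendor.create", "invoice.enter"},
    "erp:ap_manager": {"payment.approve"},
    "bank:payment_release": {"payment.release"},
    "cloud:finance_pipeline": {"payment.release", "invoice.enter"},
}
# Constructed (identity, role) rows as each system's export would list them.
ENTITLEMENTS = [
    ("alice@example.com", "erp:ap_clerk"),
    ("alice@example.com", "erp:ap_manager"),
    ("bob@example.com", "erp:ap_manager"),
    ("svc-finance-sync", "cloud:finance_pipeline"),  # a service account
    ("svc-finance-sync", "erp:ap_clerk"),
]
# Separation-of-duties rules: no single identity may hold both actions.
SOD_RULES = [
    ("vendor.create", "payment.approve"),
    ("invoice.enter", "payment.release"),
]

def effective_permissions(entitlements, role_actions):
    """Collapse multi-system role grants into one action set per identity."""
    perms = {}
    for identity, role in entitlements:
        perms.setdefault(identity, set()).update(role_actions.get(role, set()))
    return perms

def sod_conflicts(perms, rules):
    """Return {identity: [violated (action_a, action_b) rules]} over effective actions."""
    found = {}
    for identity, actions in perms.items():
        hits = [r for r in rules if r[0] in actions and r[1] in actions]
        if hits:
            found[identity] = hits
    return found

def evidence_record(conflicts, perms):
    """Capture the review outcome with a UTC timestamp and an integrity hash."""
    body = {"reviewed_at": datetime.now(timezone.utc).isoformat(),
            "identities_reviewed": sorted(perms),
            "sod_conflicts": {i: sorted(c) for i, c in conflicts.items()}}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {"payload": body, "sha256": digest}
```

Note that the service account is flagged for the same reason a human would be: the conflict exists in its effective permissions even though no single role contains both actions.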
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step workflow examples for automated access reviews across business systems.
- How the platform assembles auditor-ready evidence and timestamps control activity.
- Operational guidance for reducing back-and-forth between system owners, compliance teams, and auditors.
- Practical setup details for centralising visibility across SaaS, cloud, and on-prem environments.
👉 Read ConductorOne's SOX compliance workflow for access reviews and evidence collection →
SOX access reviews and SoD: what should identity teams rethink?
Explore further
SOX compliance is an identity governance discipline, not a documentation exercise. The controls named in SOX audits depend on knowing who or what can act, where that access lives, and whether the access state matches policy. When that visibility is missing, the audit problem is really a governance problem that affects humans, service accounts, and automated workflows alike. Practitioners should treat SOX readiness as continuous entitlement governance, not annual paperwork.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Who is accountable when SOX evidence is incomplete or late?
A: Accountability usually sits with the control owner, but the governance failure is shared across IAM, application owners, and compliance teams if no one can prove the control operated as designed. SOX requires evidence that is traceable, timely, and tied to the control being tested.
👉 Read our full editorial: SOX compliance becomes an identity governance problem, not a spreadsheet problem