
Toxic access combinations: where SoD controls break down

(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter

TL;DR: Toxic combinations in segregation of duties let one user complete incompatible business actions such as creating and approving payments, increasing fraud, error, and compliance risk across ERP, cloud, and finance workflows, according to SecurEnds. The control problem is not merely access volume but role design, exception handling, and review cadence.

NHIMG editorial — based on content published by SecurEnds: toxic combinations in segregation of duties and how they weaken internal controls

Questions worth separating out

Q: What breaks when a user can both create and approve sensitive transactions?

A: When one identity can both initiate and approve a sensitive workflow, the independent oversight model fails.

Q: Why do toxic access combinations create audit and compliance risk?

A: Toxic combinations matter because they show that incompatible duties are still concentrated in one access path, which weakens internal control evidence.

Q: How do security teams know if SoD controls are actually working?

A: A healthy SoD programme should show fewer unresolved conflicts, fewer repeated exceptions, and faster remediation of high-risk role overlaps.

Practitioner guidance

  • Map business activities to incompatible access paths. Build SoD rules from the actual business process, not from generic role names.
  • Revalidate emergency access after the incident ends. Make temporary elevation expire automatically and require a post-event review for any access granted outside normal workflow.
  • Treat role redesign as a control project. Break apart roles that mix request, approval, and administration duties, then test the redesigned model against SoD rules before deployment.

What's in the full article

SecurEnds' full post covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of toxic permission pairs across ERP, finance, procurement, and cloud workflows
  • Remediation workflows for redesigning roles and documenting compensating controls
  • Metrics teams can track to measure open conflicts, exception volume, and remediation speed
  • Audit-oriented reporting patterns for SOX, SOC 2, ISO 27001, and PCI DSS reviews

👉 Read SecurEnds' analysis of toxic segregation of duties combinations →

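
An added example, not from SecurEnds or the post above, showing the first and third guidance points in code: SoD rules written as pairs of incompatible entitlements rather than role names, a check that flags any role that violates a rule on its own, and emergency grants that drop out of the evaluation once they expire. Role and entitlement names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: roles map to entitlements, and SoD rules name
# entitlement pairs that one identity must never hold together.
ROLES = {
    "ap_clerk": {"payment.create"},
    "ap_manager": {"payment.approve"},
    "vendor_admin": {"vendor.create", "vendor.edit_bank_details"},
    # Badly designed role that mixes request and approval duties:
    "finance_superuser": {"payment.create", "payment.approve"},
}
SOD_RULES = [
    ("payment.create", "payment.approve", "create and approve payments"),
    ("vendor.edit_bank_details", "payment.approve", "redirect and approve a payment"),
]

@dataclass
class Grant:
    role: str
    expires: Optional[datetime] = None  # None = permanent; set for emergency elevation

def effective_entitlements(grants, now):
    """Map each entitlement to the roles granting it at `now`.
    Expired emergency grants are ignored, so elevation ends on its own."""
    paths = {}
    for g in grants:
        if g.expires is not None and g.expires <= now:
            continue
        for ent in ROLES[g.role]:
            paths.setdefault(ent, []).append(g.role)
    return paths

def find_toxic_combinations(grants, now):
    """Return (rule description, roles granting side A, roles granting side B)
    for every SoD rule the identity violates through any access path."""
    paths = effective_entitlements(grants, now)
    return [(desc, sorted(paths[a]), sorted(paths[b]))
            for a, b, desc in SOD_RULES if a in paths and b in paths]

def roles_needing_redesign():
    """Roles that violate an SoD rule by themselves: fix the role, not the user."""
    return sorted(r for r, ents in ROLES.items()
                  if any(a in ents and b in ents for a, b, _ in SOD_RULES))

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0)
    alice = [Grant("ap_clerk"), Grant("ap_manager", expires=now + timedelta(hours=2))]
    print(find_toxic_combinations(alice, now), roles_needing_redesign())
```

The report names the roles on each side of a conflict, which is the evidence a reviewer needs to decide whether to split a role or document a compensating control.
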
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498

Toxic combinations are a role-design failure, not a user-behaviour problem: the issue begins when governance models allow incompatible business actions to coexist in the same access path. That means the control failure is structural, not accidental, and it shows up in ERP, finance, HR, and cloud administration where approval boundaries are blurred. The implication is that SoD programmes need to govern entitlements as process design, not as a spreadsheet cleanup exercise.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how access weakness tends to recur rather than remain isolated.

A question worth separating out:

Q: Who should own toxic combination remediation across ERP and cloud systems?

A: Ownership should sit with the identity governance function, but remediation needs process owners from finance, operations, and platform teams. SoD is not just an access problem. It is a business control problem, so the people who define the workflow must help decide which combinations are unacceptable and which need compensating controls.

👉 Read our full editorial: Toxic segregation of duties conflicts are still a governance risk
