Security teams should separate the identities and approval paths used for request, provisioning, certification, and exception handling. The key test is whether any single person or role can complete a sensitive access change alone. Technical controls should block self-approval, and governance controls should record who reviewed and approved each step.
Why This Matters for Security Teams
segregation of duties is not just an audit preference; it is a control that reduces the chance that one identity can request, approve, provision, and later certify its own access. In IAM workflows, that risk shows up when tickets, approvals, and privileged changes all collapse into a single admin path. The result is a workflow that looks controlled on paper but still permits self-service privilege expansion in practice.
This matters even more where secrets, service accounts, and NHI workflows are involved, because privileged access often changes faster than human review cycles can keep up. Research from Azure Key Vault privilege escalation exposure shows how a poorly separated role path can turn a normal operational action into a privilege escalation path. Security teams should pair that kind of operational lesson with policy baselines such as NIST Cybersecurity Framework 2.0, which emphasizes governance, access control, and monitoring as connected disciplines rather than isolated tasks.
The practical goal is simple: no single person, role, or automation chain should be able to both initiate and complete a sensitive access change without independent review. In practice, many security teams encounter SoD failure only after a high-risk access path has already been used to approve itself.
How It Works in Practice
Effective SoD in IAM starts by mapping the workflow into discrete trust steps: request, approval, provisioning, certification, and exception handling. Each step should be owned by a different identity or at least a different control domain. For example, a manager or app owner may approve access, but a separate platform or PAM control should perform provisioning, and a separate reviewer should certify whether the entitlement still belongs. The important test is not whether the same team is involved, but whether the same actor can complete the whole path.
Technical enforcement matters because governance-only separation is easy to bypass. Block self-approval in the workflow engine, require independent approval for privileged roles, and log every transition with immutable audit context. Where the access path touches secrets or high-impact service accounts, pair SoD with PAM, just-in-time approval, and short-lived credentials so approval does not translate into standing privilege. This is especially important for NHI-related workflows, because secrets often outlive the business reason they were issued.
That pattern lines up with guidance from NIST Cybersecurity Framework 2.0, which expects organisations to operationalise access control and continuous oversight, not merely document them. It also fits the failure modes seen in ASP.NET machine keys RCE attack, where exposed secrets and weak process boundaries can turn one control gap into a larger compromise chain.
- Separate requester, approver, provisioner, and certifier identities.
- Use workflow logic that rejects the same identity across sensitive steps.
- Require dual approval for privileged or exception-based changes.
- Record each decision with user, role, timestamp, and reason code.
- Review whether automation has inherited human approval paths without checks.
These controls tend to break down in highly automated environments where ticketing, CI/CD, and identity orchestration are tightly coupled and the same service account can trigger and approve downstream actions.
Common Variations and Edge Cases
Tighter segregation of duties often increases operational friction, requiring organisations to balance speed against resistance to abuse. That tradeoff is real, especially for small teams, 24/7 operations, and emergency response workflows where there may be too few people to maintain perfect separation at all times.
Best practice is evolving, but current guidance suggests using compensating controls when strict separation is not feasible. For example, emergency access can be allowed through time-boxed break-glass accounts, but those accounts should be excluded from ordinary approval flows, heavily monitored, and reviewed after use. The same principle applies to delegated administration: a regional admin may approve routine local access, but not their own privileged exception. If a workflow cannot enforce that distinction, it does not truly enforce SoD.
For NHI and machine-to-machine access, the SoD question becomes whether one pipeline can both mint credentials and authorize their use. That is where Azure Key Vault privilege escalation exposure is instructive: a role that appears operational can still become a privilege boundary bypass if it can expose or reuse secrets unchecked. Organisations should also treat review quality as a control, not just review existence. A certification step that rubber-stamps prior approvals is not segregation of duties, only choreography.
In practice, the hardest edge case is emergency privilege, because incident pressure pushes teams to relax separation exactly when adversaries benefit most from weak controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access approvals and entitlement control are central to segregating IAM duties. |
| OWASP Non-Human Identity Top 10 | NHI-03 | SoD limits misuse of NHI credentials and prevents one actor from controlling the full path. |
| NIST AI RMF | Agentic or automated IAM decisions need accountable governance and oversight. |
Assign human accountability for automated access decisions and review exceptions under a formal governance process.
Related resources from NHI Mgmt Group
- How should security teams enforce segregation of duties in SAP environments?
- How do security teams align AI governance with existing IAM and data security programmes?
- Why does shadow AI create a governance gap for IAM and security teams?
- How should security teams prioritise NHI remediation in cloud environments?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
