
How should security teams implement segregation of duties automation in hybrid environments?

By NHI Mgmt Group Editorial Team Updated June 4, 2026 Domain: Governance, Ownership & Risk

Start by defining prohibited access combinations for the processes that matter most, then connect those rules to provisioning, approval, and certification workflows. Automate checks across cloud, SaaS, ERP, and on-premise systems so conflicts are blocked or routed before access becomes active. The control only works when the policy engine sees the full entitlement picture.

Why This Matters for Security Teams

Segregation of duties automation is not just a workflow upgrade. In hybrid estates, the same person or service can touch cloud IAM, SaaS admin consoles, ERP roles, CI/CD secrets, and on-premise directories, so a manual review often misses combinations that only become risky when stitched together. That gap is why identity governance needs continuous entitlement correlation, not periodic spreadsheet checks. NHI Mgmt Group research shows that only 5.7% of organisations have full visibility into their service accounts, which is exactly the kind of blind spot that lets toxic access combinations survive review cycles. For broader governance context, see the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0.

The practical risk is that conflicting access is often created by legitimate automation: a ticket system approves one role, a cloud policy grants another, and a local admin group adds the final privilege. Without a single policy engine seeing all of it, segregation of duties becomes a retrospective audit exercise rather than a preventive control. In practice, many security teams encounter toxic combinations only after an exception has already been abused, rather than through intentional prevention.

How It Works in Practice

The most reliable pattern is to define prohibited combinations first, then enforce them at every point where access can change. That means the SoD rule set must be evaluated during provisioning, approval, role change, and certification, not just at quarterly review time. Current guidance suggests using a central policy decision point that ingests entitlements from cloud IAM, SaaS, ERP, directories, and PAM, then blocks or routes requests when a conflict is detected. The NIST Cybersecurity Framework 2.0 remains useful here because it frames access control, continuous monitoring, and governance as connected duties rather than separate projects.

For NHI-heavy environments, the control should also include service accounts, API keys, and automation identities, since those often carry durable privileges that humans never see. The Ultimate Guide to NHIs is a good reference point for lifecycle and visibility design. A workable implementation usually includes:

  • One source of truth for entitlements across human and non-human identities.
  • Policy-as-code rules for mutually exclusive duties, with exceptions time-bound and approved.
  • Pre-provisioning checks in IAM and post-provisioning drift detection in certification workflows.
  • Escalation paths to PAM or JIT access when conflicting duties are unavoidable for a task.
  • Audit evidence that records the exact combination that triggered allow, deny, or route-for-review decisions.

Where organisations mature fastest is where the policy engine is embedded into the identity workflow, not bolted on after the fact. These controls tend to break down when every major platform has its own entitlement model because the SoD engine cannot evaluate the full picture in real time.

Common Variations and Edge Cases

Tighter segregation of duties often increases operational friction, requiring organisations to weigh fraud prevention against change velocity and approval latency. In hybrid environments, that tradeoff is most visible in emergency access, third-party administration, and legacy ERP systems that cannot enforce modern policy natively. Best practice is evolving, but there is no universal standard for exceptions: some organisations use JIT elevation with automatic expiry, while others rely on compensating detective controls when business continuity requirements override strict prevention.

Another edge case is nested or inherited access. A user may appear clean at the role level yet still inherit conflict through group membership, delegated admin, or a synced directory object. That is why hybrid SoD automation must evaluate effective access, not just assigned access. When the environment includes SaaS apps with limited API visibility, the control often degrades into partial coverage unless the platform can ingest external audit logs and entitlement exports. For that reason, security teams should treat legacy systems, outsourced admin models, and shadow IT as high-risk exceptions rather than normal operating conditions. Current guidance suggests documenting those exceptions explicitly, then reviewing whether the platform can be wrapped with PAM, JIT, or compensating monitoring. Without that discipline, the control becomes inconsistent exactly where the largest privileges tend to accumulate.
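A minimal policy decision point, added here as an illustration and not code from NHIMG or any product, that ties together the implementation list above (one entitlement picture, policy-as-code rules, time-bound exceptions, pre-provisioning and drift checks, audit evidence) and the inherited-access edge case: it correlates constructed entitlement exports from a directory, cloud IAM, SaaS and ERP, computes effective access through nested group membership, and returns allow, deny or route-for-review together with the exact combination that triggered the decision. All identities, groups, duty names, rule IDs and the change reference are assumed sample values.

```python
from datetime import datetime, timezone
# Constructed sample entitlement exports; a group listed under "nested" inherits its parent's entitlements.
GROUPS = {"finance-admins": {"members": {"svc-erp-batch"}, "nested": {"ap-clerks"}},
          "ap-clerks": {"members": {"bob"}, "nested": set()}}
ENTITLEMENTS = {                           # identity or group -> {(source system, duty)}
    "alice": {("erp", "vendor.create")},
    "bob": {("cloud-iam", "payments.approve")},
    "svc-erp-batch": {("cloud-iam", "payments.approve")},
    "ap-clerks": {("erp", "vendor.create")},
    "finance-admins": {("saas", "bank.file.release")},
}
# Policy-as-code: pairs of duties that must never coexist in one identity.
SOD_RULES = {"SOD-001": {"vendor.create", "payments.approve"},
             "SOD-002": {"payments.approve", "bank.file.release"}}
# Approved exceptions are time-bound: (rule, identity, expiry, approval reference).
EXCEPTIONS = [("SOD-002", "svc-erp-batch", "2026-06-30T00:00:00+00:00", "CHG-4711")]

def effective_access(identity):
    """Direct entitlements plus everything inherited through nested groups."""
    access = set(ENTITLEMENTS.get(identity, set()))
    pending = [g for g, spec in GROUPS.items() if identity in spec["members"]]
    seen = set()
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        access |= ENTITLEMENTS.get(group, set())
        pending += [p for p, spec in GROUPS.items() if group in spec["nested"]]
    return access

def decide(identity, requested=None, now=None):
    """Evaluate SoD rules over effective access. With `requested` this is a
    pre-provisioning check; without it, a certification-time drift check."""
    now = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    access = effective_access(identity) | ({requested} if requested else set())
    duties = {duty for _, duty in access}
    findings = []
    for rule_id, pair in SOD_RULES.items():
        if pair <= duties:           # every duty in the prohibited pair is held
            exc = next((e for e in EXCEPTIONS if e[:2] == (rule_id, identity)
                        and datetime.fromisoformat(e[2]) > now), None)
            findings.append({"rule": rule_id, "exception": exc[3] if exc else None,
                             "combination": sorted(f"{s}:{d}" for s, d in access if d in pair)})
    if not findings or all(f["exception"] for f in findings):
        decision = "allow"           # clean, or covered by live approved exceptions
    else:
        decision = "deny" if requested else "route-for-review"
    return {"identity": identity, "decision": decision, "evidence": findings}
```

Note that bob holds only one direct entitlement and looks clean at the role level, yet `decide("bob")` routes him for review because both prohibited pairs are reached through ap-clerks and its parent group; once the svc-erp-batch exception expires, its allow decision degrades to route-for-review on the next certification run.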

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | SoD must cover service accounts and other NHI credentials with excessive privilege.
NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed and enforced across hybrid systems.
NIST Zero Trust (SP 800-207) | ZTA principle | Dynamic policy evaluation fits zero trust access decisions at request time.

Continuously review NHI entitlements and block conflicting privilege combinations before activation.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org