Start with the business processes that create the most fraud or control risk, then map the duties, approvals, and entitlements involved in each process. Turn those mappings into a ruleset of toxic access combinations, define who reviews exceptions, and attach the checklist to provisioning and review workflows so it is used consistently, not only during audits.
Why This Matters for Security Teams
An effective segregation of duties checklist is not just an audit artifact. It is a control design tool that helps teams prevent one identity from creating, approving, and activating a high-risk action without independent review. That matters because control failures often happen in ordinary operational workflows, where entitlement sprawl, emergency access, and weak exception handling quietly erode separation. NIST’s NIST Cybersecurity Framework 2.0 treats access governance as a foundational risk activity, and the same logic applies here.
For NHI-heavy environments, the risk is sharper. NHIs often carry broad privileges, and NHI Mgmt Group notes that Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. A SoD checklist that only names job titles will miss service accounts, API keys, automation roles, and pipeline identities that can combine duties in ways humans never see. In practice, many security teams encounter toxic access only after a workflow has already been used to move data, approve payment, or change production access.
How It Works in Practice
Build the checklist from the process outward, not from the org chart inward. Start with the workflows that carry the most fraud, privilege, or change-control risk, then break each workflow into discrete duties such as request, approve, provision, execute, and review. For each duty, identify the human roles, NHI types, systems, and entitlements involved. The objective is to define toxic combinations, such as the same principal being able to request access, approve it, and then use it to complete the sensitive action.
Use a ruleset that can be operationalised in IAM, PAM, and workflow tooling. A practical checklist usually includes:
- The specific process step and business owner
- The identities allowed to perform each step
- The entitlements or secrets required at each step
- Which combinations are prohibited
- What qualifies as a compensating control
- Who can approve an exception and for how long
For NHIs, the checklist should include service accounts, CI/CD identities, workload tokens, and API keys, not just employees. That means mapping duties to workload identity and secret issuance, then making sure the same identity cannot both generate and approve a high-risk credential path. The Ultimate Guide to NHIs is especially useful when teams need to connect SoD to lifecycle controls such as rotation, offboarding, and visibility. NIST’s NIST Cybersecurity Framework 2.0 can anchor the governance side by tying SoD to access review, monitoring, and corrective action.
The checklist becomes effective when it is embedded into provisioning, ticketing, and periodic review workflows, so toxic access is blocked or flagged before it is granted. These controls tend to break down when emergency access is handled outside the normal workflow because compensating reviews are often inconsistent or delayed.
Common Variations and Edge Cases
Tighter segregation of duties often increases approval overhead, so organisations have to balance fraud reduction against delivery speed and operational resilience. That tradeoff is real, especially in teams that run 24/7 operations or automation-heavy platforms where a single identity may support multiple tasks.
Best practice is evolving for hybrid human-plus-automation environments. For high-volume processes, current guidance suggests using risk-tiered SoD rules rather than a single universal matrix. Low-risk combinations can use standard approvals, while high-risk actions require stronger review, JIT access, or independent sign-off. This is especially important for NHIs because secrets and tokens can be copied, reused, and chained across tools much faster than a person can intervene.
There is no universal standard for every SoD control set yet, but practitioners generally reduce false positives by scoping rules to the actual process boundary, not the entire application. That means treating build pipelines, production deployers, and data export jobs as separate duty domains. It also means revisiting exceptions regularly, because temporary access that is never revoked becomes permanent by accident. NHI Mgmt Group’s Ultimate Guide to NHIs is a strong reference for tying these exceptions back to lifecycle governance and offboarding discipline.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SoD checklists enforce least privilege and separation in access decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | SoD breaks when NHI privileges and secrets are not rotated or constrained. |
| NIST AI RMF | SoD governance supports accountable decision-making for autonomous or automated actors. |
Assign clear owners, review paths, and escalation rules for every high-risk duty combination.
Related resources from NHI Mgmt Group
- How can IAM teams reduce segregation-of-duties exceptions without slowing the business?
- How should teams check segregation of duties in SAP without spreadsheets?
- How should security teams implement segregation of duties monitoring at scale?
- How should security teams build a segregation of duties matrix that reflects real access?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
