Broad access is risky, but conflicting access is worse because it lets one person complete an entire sensitive process without challenge. The problem is not only what the identity can do, but whether the identity can authorise its own work. That is why SoD controls focus on separation of duties, not just least privilege.
Why Conflicting Access Rights Raise Fraud Risk
Broad access increases exposure, but conflicting access rights create a different failure mode: one identity can initiate, approve, and conceal a sensitive action without an independent check. That turns an access problem into an integrity problem. Separation of duties is meant to break that chain, which is why current guidance treats conflicting permissions as a higher fraud indicator than wide access alone.
For non-human identities, this matters because service accounts, API keys, and workflow agents often operate faster than human review can intervene. The Ultimate Guide to NHIs — Key Challenges and Risks notes that 97% of NHIs carry excessive privileges, which means many environments already have the raw access required for misuse. The fraud risk rises sharply when the same identity can both request and complete a transaction. In practice, many security teams encounter that control gap only after an anomalous transfer, false invoice, or unauthorised approval has already been executed.
OWASP’s OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0 both reinforce that permission design must support accountability, not just access enablement.
How It Works in Practice
The practical issue is not simply “too much access,” but whether the identity can complete a workflow without a second, independent authority. In a finance or provisioning process, that may mean the same NHI can create a vendor, submit a payment, and update the record that proves the payment was legitimate. Even when RBAC looks clean on paper, conflicting rights can bypass the human assumptions behind the role model.
Security teams reduce that risk by combining SoD with transaction-aware controls: separate identities for request, approval, and execution; JIT credentials for only the task being performed; and short-lived secrets that expire when the job ends. For autonomous workloads, workload identity becomes the important primitive, because the control decision should be based on what the agent is allowed to do right now, not on a broad standing role. This is where intent-based or context-aware authorisation is gaining traction, although there is no universal standard for this yet.
- Assign distinct identities to create, approve, and release steps.
- Use policy checks at request time, not just at role assignment time.
- Rotate or revoke secrets as soon as the workflow completes.
- Log the full action chain so one identity cannot silently self-approve.
NHIMG research also shows why this matters at scale: the 52 NHI Breaches Analysis and Ultimate Guide to NHIs both point to common patterns of overprivilege, weak visibility, and poor revocation discipline. These controls tend to break down when one shared automation account is reused across finance, ops, and deployment pipelines because the workflow itself becomes the access boundary.
Common Variations and Edge Cases
Tighter separation of duties often increases operational overhead, requiring organisations to balance fraud resistance against automation speed and staffing cost. That tradeoff is real, especially where high-volume workflows need near-real-time execution. Best practice is evolving, but the direction is clear: the more sensitive the action, the less acceptable it is for one identity to both initiate and finalise it.
There are edge cases. In low-risk technical tasks, strict dual-control may add more friction than value. In highly automated environments, some teams use compensating controls such as threshold approvals, immutable audit trails, and policy-as-code to reduce false positives while preserving accountability. For agentic systems, the challenge gets harder because autonomous behaviour is not fully predictable; an AI agent can chain tools, reuse tokens, and move across systems in ways a static RBAC model did not anticipate.
The emerging pattern is to treat standing access as the exception and JIT authorisation as the default for high-impact actions. Guidance from the OWASP NHI Top 10 and the NIST Cybersecurity Framework 2.0 supports that direction, while implementation details still vary by environment. The biggest breakdown occurs in shared service accounts with no per-action telemetry, because no control can prove separation after the fact if the logs only show one opaque identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | SoD failures often stem from overprivileged NHI credentials. |
| OWASP Agentic AI Top 10 | AG-04 | Autonomous agents need runtime authorisation, not static roles. |
| NIST AI RMF | AI RMF governance supports accountability for autonomous actions. |
Separate NHI duties and remove standing privileges from identities that can both request and approve.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
