
Why do manual SoD reviews become unreliable in modern IAM programmes?

By NHI Mgmt Group Editorial Team | Updated June 24, 2026 | Domain: Governance, Ownership & Risk

Manual reviews struggle because access changes faster than review cycles and the number of entitlement combinations grows faster than human teams can reconcile them. Once access spans SaaS, ERP, and privileged workflows, stale evidence becomes a governance problem in itself. Continuous monitoring is the only practical way to keep decisions aligned to current access.

Why Manual SoD Reviews Lose Reliability

Manual segregation of duties reviews depend on people comparing entitlements against policy snapshots that are already ageing by the time the review starts. That works poorly when access is changing through SaaS provisioning, ERP workflows, API tokens, and privileged elevation paths that never sit still long enough for a quarterly attestation to stay accurate. NIST’s Cybersecurity Framework 2.0 (CSF 2.0) stresses continuous governance and risk awareness because point-in-time reviews cannot keep pace with dynamic access.

For modern IAM programmes, the problem is not only volume. It is the mismatch between human review cadence and machine-speed entitlement churn. NHIMG research in the Ultimate Guide to NHIs shows that only 5.7% of organisations have full visibility into service accounts, which means reviewers often assess incomplete evidence before deciding whether a conflict exists. In practice, many security teams discover SoD drift only after a business process has already been approved or an audit has already questioned the control, rather than through timely prevention.

How It Works in Practice

Manual SoD reviews fail when the review model assumes access is static, but the environment is not. A reviewer may see a user or workload assigned to two incompatible roles, yet miss the fact that one role is granted only during a narrow job window, while the other is inherited through a nested group, a ticketing workflow, or a temporary privileged session. That is why current guidance suggests combining role analysis with event-based access telemetry rather than relying on spreadsheets alone.

Practitioners usually need three things working together:

  • authoritative entitlement data from IAM, PAM, ERP, and SaaS systems;
  • near-real-time change signals for provisioning, deprovisioning, and privilege elevation;
  • policy logic that evaluates whether a conflict exists at the moment access is used, not only when a review is scheduled.

This is where continuous control monitoring becomes more reliable than manual attestations. NIST’s identity and risk guidance supports this shift, and the NIST CSF 2.0 is useful for mapping review workflows to ongoing monitoring and response. NHIMG’s Azure Key Vault privilege escalation exposure research also shows how seemingly narrow permissions can become escalation paths when role boundaries are weak. The operational goal is to detect SoD violations as they emerge, then route them for exception handling or automatic revocation.

These controls tend to break down when identity data is fragmented across disconnected systems and no single source can reliably show current role, session, and privilege state.

Common Variations and Edge Cases

Tighter SoD enforcement often increases operational overhead, requiring organisations to balance stronger control against slower business workflows and more exception handling. That tradeoff is real, especially where finance, procurement, and IT administration all depend on the same users or service accounts.

Some environments can still use manual review effectively for low-risk, low-change populations, but best practice is evolving toward continuous validation for anything with privileged access, production data, or automated execution rights. The hardest edge case is hybrid access: a human reviewer may approve a role as safe in isolation, while the real risk comes from combination effects across systems. There is no universal standard for this yet, but policy-as-code and continuous monitoring are increasingly the practical answer.

Another common failure mode is overreliance on periodic certifications after a quarterly access review. That process can miss short-lived toxic combinations, especially when access is granted and revoked inside the same review cycle. NHIMG’s research on NHI lifecycle and offboarding gaps shows how long-lived access residues persist far beyond intended use, which is exactly the kind of condition manual reviews struggle to catch. For programmes with heavy automation, the safer assumption is that SoD risk is a live state, not a once-a-quarter checkbox.
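The following Python sketch is an added illustration, not NHIMG's code or any product's. It replays constructed grant and revoke events from IAM, ERP and PAM sources, resolves nested group inheritance, and evaluates a toxic-combination policy at every change rather than only on the review date. It ties together the three ingredients listed earlier (authoritative entitlement data, change signals, point-of-use policy logic) and the short-lived toxic combination described above: the same service account looks clean at the quarterly review date but held a conflicting pair for one working day in May. All identity, group, role and permission names, the timestamps, and the event log itself are constructed for the example.

```python
"""Time-aware SoD evaluation over constructed entitlement events.

Added example, not NHIMG code. Group, role, permission and identity names
are hypothetical; the event log is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Nested IAM groups: membership in "finance-leads" also implies "ap-clerks".
GROUP_PARENTS = {"finance-leads": ["ap-clerks"]}
GROUP_PERMS = {
    "ap-clerks": {"erp:create_vendor"},
    "finance-leads": {"erp:view_ledger"},
}
# ERP roles map directly to permissions.
ERP_ROLE_PERMS = {"AP_APPROVER": {"erp:approve_payment"}}
# Toxic combinations: holding both at the same moment is an SoD conflict.
TOXIC_PAIRS = [
    frozenset({"erp:create_vendor", "erp:approve_payment"}),
    frozenset({"iam:modify_roles", "erp:approve_payment"}),
]


@dataclass(frozen=True)
class Event:
    at: datetime
    identity: str
    action: str   # "grant" or "revoke"
    source: str   # "iam" (group), "erp" (role) or "pam" (elevated permission)
    value: str    # group name, role name or permission name


def expand_groups(groups):
    """Resolve nested IAM group membership transitively."""
    seen, stack = set(), list(groups)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(GROUP_PARENTS.get(group, []))
    return seen


def effective_permissions(identity, events, at):
    """Replay the event log up to `at` and return the permissions live at that instant."""
    live = {"iam": set(), "erp": set(), "pam": set()}
    for ev in sorted(events, key=lambda e: e.at):
        if ev.identity != identity or ev.at > at:
            continue
        if ev.action == "grant":
            live[ev.source].add(ev.value)
        else:
            live[ev.source].discard(ev.value)
    perms = set()
    for group in expand_groups(live["iam"]):
        perms |= GROUP_PERMS.get(group, set())
    for role in live["erp"]:
        perms |= ERP_ROLE_PERMS.get(role, set())
    perms |= live["pam"]   # PAM sessions grant permissions directly while elevated
    return perms


def sod_violations(identity, events, at):
    """Toxic pairs fully contained in the identity's effective permissions at `at`."""
    perms = effective_permissions(identity, events, at)
    return {pair for pair in TOXIC_PAIRS if pair <= perms}


def violations_over_time(identity, events):
    """Continuous-style check: evaluate policy at every change, not only on review day."""
    found = {}
    for ev in sorted(events, key=lambda e: e.at):
        if ev.identity != identity:
            continue
        hits = sod_violations(identity, events, ev.at)
        if hits:
            found[ev.at] = hits
    return found


# Constructed event log: a service account inherits vendor creation through a
# nested group, then holds a one-day PAM elevation that lets it approve payments.
SAMPLE_EVENTS = [
    Event(datetime(2026, 4, 1, 9, 0), "svc-ap-bot", "grant", "iam", "finance-leads"),
    Event(datetime(2026, 5, 10, 9, 0), "svc-ap-bot", "grant", "pam", "erp:approve_payment"),
    Event(datetime(2026, 5, 10, 17, 0), "svc-ap-bot", "revoke", "pam", "erp:approve_payment"),
]
QUARTERLY_REVIEW = datetime(2026, 6, 30, 12, 0)

if __name__ == "__main__":
    print("at review:", sod_violations("svc-ap-bot", SAMPLE_EVENTS, QUARTERLY_REVIEW))
    print("over time:", violations_over_time("svc-ap-bot", SAMPLE_EVENTS))
```

Running the script shows an empty result for the review date and one violation keyed to the elevation timestamp: the point-in-time review sees only the inherited vendor-creation right, while evaluating at each change catches the eight-hour window in which the account could both create a vendor and approve a payment. In a real programme the event list would be fed from provisioning, PAM and ERP audit streams, and a hit would be routed to exception handling or automatic revocation rather than printed.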

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | SoD reviews are access governance controls aligned to least privilege and access management.
OWASP Non-Human Identity Top 10 | NHI-03 | Manual reviews miss stale or overprivileged non-human access that this control aims to reduce.
NIST AI RMF | (not specified) | Govern and monitor dynamic decision-making where access risk changes faster than review cycles.

Tie SoD checks to PR.AC-4 and continuously validate entitlements instead of relying on periodic attestations.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org