
Why does segregation of duties matter for IAM programmes beyond finance?

By NHI Mgmt Group Editorial Team Updated June 8, 2026 Domain: Governance, Ownership & Risk

Because the core issue is concentrated authority, not accounting specifically. When one identity can both act and verify its own actions, the control loses independence. That same failure mode shows up in human access approvals, privileged workflows, and NHI governance where a single principal can own the entire process.

Why This Matters for Security Teams

Segregation of duties matters in IAM because identity controls are only trustworthy when no single principal can create, approve, and execute access without independent review. That is true for finance, but it is equally important in admin provisioning, privileged workflows, and non-human identity governance. Once one account can both request and certify access, policy enforcement becomes self-approval rather than control.

This is why current guidance in the NIST Cybersecurity Framework 2.0 emphasises accountable access management, not just permission assignment. NHIMG research also shows how often identity programmes lag behind operational risk: the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which makes independent approval even more important when access is granted to service accounts, API keys, and automation roles.

For IAM teams, the practical issue is not only fraud prevention. It is also preventing privilege from becoming concentrated in one workflow, one admin, or one automation path. In practice, many security teams encounter SoD failures only after a provisioning shortcut or automation exception has already been used to bypass review.

How It Works in Practice

In IAM programmes, segregation of duties is applied by splitting control across separate identities, roles, systems, or approvers so that no single path can complete a sensitive action end to end. The strongest implementations combine RBAC, workflow approval, logging, and periodic review, but the control objective is independence, not just documentation. For NHI governance, that often means separating the identity that requests a secret, the identity that issues it, and the identity that can use it.

For example, a CI/CD service account should not be able to approve its own access to production secrets. Likewise, a platform engineer should not be the only person able to grant, use, and validate privileged access for their own change. In environments with automation, the control should extend to infrastructure pipelines, ticketing approvals, and break-glass access. NHIMG guidance on Azure Key Vault privilege escalation exposure shows how privilege concentration can emerge through role misconfiguration, even when teams believe the vault boundary is protecting them.

  • Separate request, approval, and execution roles for high-risk access paths.
  • Require independent review for privileged human access and NHI credential issuance.
  • Use short-lived credentials and explicit revocation so approvals do not become permanent authority.
  • Log who approved, who used, and who audited each access event.

Where possible, align with SPIFFE-style workload identity and policy-as-code so the system can prove what the workload is while still forcing independent authorisation for what it may do. These controls tend to break down in highly automated environments where one orchestration account owns provisioning, approval routing, and secret delivery because the separation becomes procedural rather than technical.

Common Variations and Edge Cases

Tighter segregation often increases operational overhead, requiring organisations to balance assurance against delivery speed. That tradeoff is real in IAM, especially where small teams manage cloud infrastructure, DevOps pipelines, or legacy admin estates with limited headcount. In those cases, best practice is evolving toward compensating controls such as stronger monitoring, immutable logs, and time-bound elevation rather than pretending a perfectly clean split is always possible.

There is also a difference between policy design and enforcement. A role matrix may look compliant while a pipeline token, shared vault account, or emergency admin path still allows one person or one system to bypass the separation. This is especially relevant where NHIs are used for deployment, remediation, or access brokerage, because the control must cover the automation layer as well as the human layer. The 2024 Non-Human Identity Security Report reports that 88.5% of organisations say their non-human IAM practices lag behind or are merely on par with human IAM, which helps explain why SoD often weakens once automation enters the workflow.

For sensitive programmes, current guidance suggests treating SoD as both a design requirement and a monitoring requirement. That means reviewing who can approve, who can deploy, and who can rotate credentials after the fact. There is no universal standard for this yet across agentic or fully autonomous systems, but the operating principle remains the same: one identity should not be able to authorise its own privilege.
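The three checks described above (the request/approve/execute split, the gap between a role matrix that looks compliant and what a pipeline token or shared account actually allows, and the after-the-fact review of who approved, deployed, and used access) can be expressed as code. The following is an added example written for this FAQ; it is not NHIMG code or any vendor's product. The role matrix, the credential-control map, and the access events are constructed for illustration and describe no real environment. It treats a principal as effectively holding every duty of any NHI whose credential it controls, and flags an approval as non-independent when the approver and the requester or executor are the same identity or share control of a credential.

```python
"""Segregation-of-duties checks over an IAM role matrix and an access log.

Added example for this FAQ, not NHIMG's code. All data below is constructed.
"""
from typing import Dict, List, Set, Tuple

Duty = Tuple[str, str]  # (duty, resource); duty is request, approve or execute

# Constructed role matrix. On paper the humans are cleanly separated:
# alice requests and uses, bob approves. The orchestrator is not.
ROLE_MATRIX: Dict[str, Set[Duty]] = {
    "alice": {("request", "prod-db-secret"), ("execute", "prod-db-secret")},
    "bob": {("approve", "prod-db-secret")},
    "ci-deploy-sa": {("execute", "prod-db-secret")},
    # One orchestration account owns provisioning, approval routing and delivery.
    "orchestrator-sa": {("request", "prod-db-secret"), ("approve", "prod-db-secret"),
                        ("execute", "prod-db-secret")},
}

# Constructed credential-control map: NHI tokens/accounts a principal can drive.
# Holding an NHI's credential means effectively holding that NHI's duties.
CONTROLS: Dict[str, Set[str]] = {
    "alice": {"ci-deploy-sa"},
    "carol": {"orchestrator-sa"},  # no direct roles, but owns the orchestrator token
}


def reach(principal: str, controls: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every identity it can act as, transitively."""
    seen: Set[str] = set()
    stack = [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(controls.get(p, set()))
    return seen


def effective_duties(principal: str, matrix, controls) -> Set[Duty]:
    """Duties held directly or through any controlled NHI."""
    duties: Set[Duty] = set()
    for p in reach(principal, controls):
        duties |= matrix.get(p, set())
    return duties


def conflicting_resources(duties: Set[Duty]) -> Set[str]:
    """Resources on which one principal can approve and also request or execute."""
    by_res: Dict[str, Set[str]] = {}
    for duty, res in duties:
        by_res.setdefault(res, set()).add(duty)
    return {r for r, d in by_res.items() if "approve" in d and d & {"request", "execute"}}


def static_conflicts(matrix, controls) -> Dict[str, Dict[str, List[str]]]:
    """Design-time check. 'direct' is what the role matrix shows; 'effective'
    adds controlled NHIs, which is where a paper-compliant matrix usually fails."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for p in sorted(set(matrix) | set(controls)):
        eff = conflicting_resources(effective_duties(p, matrix, controls))
        if eff:
            out[p] = {"direct": sorted(conflicting_resources(matrix.get(p, set()))),
                      "effective": sorted(eff)}
    return out


def review_events(events, matrix, controls) -> Dict[str, List[str]]:
    """After-the-fact check: who requested, who approved, who used each access."""
    findings: Dict[str, List[str]] = {}
    for e in events:
        reasons: List[str] = []
        res, approver = e["resource"], e.get("approved_by")
        if approver is None:
            reasons.append("no independent approval recorded (break-glass path)")
        else:
            if ("approve", res) not in effective_duties(approver, matrix, controls):
                reasons.append(f"approver {approver} holds no approve entitlement for {res}")
            # Independence fails if approver and requester/executor are one identity
            # or share control of any credential (self-approval through an NHI token).
            approver_ids = reach(approver, controls)
            for role in ("requested_by", "executed_by"):
                if approver_ids & reach(e[role], controls):
                    reasons.append(f"approver {approver} not independent of {role} {e[role]}")
        if reasons:
            findings[e["id"]] = reasons
    return findings


# Constructed access events, not real log data.
R = "prod-db-secret"
EVENTS = [
    {"id": "E1", "resource": R, "requested_by": "alice", "approved_by": "bob", "executed_by": "ci-deploy-sa"},
    {"id": "E2", "resource": R, "requested_by": "orchestrator-sa", "approved_by": "orchestrator-sa", "executed_by": "ci-deploy-sa"},
    {"id": "E3", "resource": R, "requested_by": "orchestrator-sa", "approved_by": "carol", "executed_by": "orchestrator-sa"},
    {"id": "E4", "resource": R, "requested_by": "alice", "approved_by": "alice", "executed_by": "alice"},
    {"id": "E5", "resource": R, "requested_by": "alice", "approved_by": None, "executed_by": "alice"},
]

if __name__ == "__main__":
    for p, c in static_conflicts(ROLE_MATRIX, CONTROLS).items():
        print(f"static {p}: direct={c['direct']} effective={c['effective']}")
    for eid, reasons in review_events(EVENTS, ROLE_MATRIX, CONTROLS).items():
        print(f"{eid}: " + "; ".join(reasons))
```

Run as written, the static check passes alice and bob but reports orchestrator-sa (a direct conflict) and carol (no direct conflict, but an effective one through the orchestrator token); the log review clears E1 and flags E2 (the orchestrator approving its own request), E3 (carol approving work done by an NHI she controls), E4 (a requester approving herself with no approve entitlement at all) and E5 (no approval recorded). The point of the `effective` column is that a role matrix review on its own would have passed carol.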

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference                      Relevance
NIST CSF 2.0                     PR.AA-05 (CSF 1.1: PR.AC-4)              Access permissions should be governed independently to prevent self-approval; the subcategory explicitly incorporates least privilege and separation of duties.
OWASP Non-Human Identity Top 10  NHI5:2025 Overprivileged NHI             NHI privilege concentration creates the same SoD failure mode as human access.
NIST AI RMF                      GOVERN function                          AI and automation governance needs independent oversight for accountable decisions.

Add human or system-level review before autonomous workflows can approve or execute privileged actions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org