What is segregation of duties, and why is it so important for compliance?

Segregation of duties (SoD), also called separation of duties, is a principle which requires that critical tasks be divided among multiple users so that no single individual has complete control of all the steps in a sensitive process. It eliminates the risk of fraudulent activities and creates a system of checks and balances that limits the damage an individual can cause, irrespective of their intention.

While the concept originated in the financial industry, it has become one of the most important principles in modern identity governance and administration (IGA). It helps organizations prevent privileged access abuse, implement internal controls, and maintain compliance with regulatory standards.

The four pillars of segregation of duties   

SoD divides the duties of an operation into four main functional categories:

1. Authorization  

The person who authorizes a transaction or process must not be the same person who initiates or records it. Only certain individuals should have the authority to authorize spending, pay vendors, or make journal entries.

2. Custody  

Whoever holds physical or digital control over assets—such as cash, inventory, system passwords, or sensitive information—must not be the same person who approves or records transactions involving those assets.

3. Record keeping

The individual who writes entries in the ledger or ERP systems must not also handle assets or approve transactions. Keeping records separate from approval and custody creates an independent account of what happened.

4. Reconciliation  

Auditing and reconciliation activities must be handled by someone independent of those who authorized, held, or recorded the transactions.

Segregation of duties in accounting vs. IGA

In accounting, SoD means that the person who enters invoices into a payment system is not the same person who approves those invoices for payment. The employee who creates a vendor account should not also be the one who authorizes payments to that vendor. These separations exist to prevent embezzlement and financial fraud.

In IGA, the same logic applies across the identity layer. Instead of financial transactions, the concern is with identity life cycle events and applies to users who provision accounts, approve access requests, modify group memberships, review entitlements, and manage the audit logs that record all of the above. In large enterprises managing thousands of identities across Active Directory, Microsoft Entra ID, and enterprise applications, the risk of a single administrator having end-to-end control over any one of these functions is the IGA equivalent of the same accountant drafting and signing their own checks.

Why is segregation of duties important?

IT teams sit at the intersection of access provisioning, identity life cycle management, and compliance, which leaves them both exposed to SoD risk and responsible for addressing it.

Preventing toxic role combinations and privilege abuse

In IGA environments, toxic role combinations are the specific pairings of entitlements that should never co-exist within a single identity. When a technician can both configure access policies and certify compliance with those policies, the independence that certification is designed to provide is eliminated. SoD enforces boundaries that prevent these combinations from existing in the first place.

Managing identity life cycle risk across JML automation

Joiner-mover-leaver (JML) automation is where SoD violations most commonly accumulate in IT environments. When a user joins, they are provisioned with role-appropriate access; when they move to a new team or function, new access is added, but the old entitlements are rarely removed in the same action. Over time, a single identity can hold the residual permissions of every role it has ever occupied, creating toxic combinations that no single provisioning event intentionally created. The result is privilege creep, a condition common in organizations without automated governance controls.

Supporting audit readiness and regulatory compliance

Regulations such as SOX, HIPAA, the GDPR, or the PCI DSS mandate organizations to implement SoD. They require demonstrable separation of critical identity functions and the documented evidence to prove it. An IT team that cannot show auditors how duties are divided across provisioning, approval, and review workflows is already exposed, regardless of how well the underlying technical controls are configured.

How to implement segregation of duties 

SoD enforcement is an ongoing governance practice, not a one-time configuration. It requires role architecture decisions, provisioning workflow design, automated governance tooling, and sustained access review discipline.

Map identity workflows and identify high-risk role combinations  

Start by mapping the identity life cycle workflows to identify where end-to-end control by a single identity creates risk. These include user account provisioning and deprovisioning; access request initiation and approval; group membership management and authorization; role definition and assignment; audit log access and change execution; and identity configuration and compliance certification.

For each workflow, identify which steps must be separated and which specific role pairings would constitute a toxic combination. Build this into an SoD matrix, a structured grid that maps roles against each other to surface incompatible access pairings. The matrix becomes both a design reference for role configuration and an audit reference demonstrating that an SoD policy is formally defined.
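The following is an added example, not ADManager Plus code or any vendor's implementation, of what the SoD matrix described above looks like when it is made machine-checkable, and of how the JML entitlement drift described earlier shows up against it. The role catalog, entitlement names, toxic-pair rules and identities are all constructed for the illustration; a real matrix would be populated from the organization's own workflow mapping. The role-vs-role grid is derived from entitlement-level rules so that adding a role to the catalog never requires editing the matrix by hand.

```python
"""Added illustration of an SoD matrix check; not ADManager Plus code.
Role names, entitlements, identities and toxic-pair rules are constructed."""
from dataclasses import dataclass
from itertools import combinations

# Constructed role catalog: role -> entitlements the role grants.
ROLES = {
    "helpdesk_provisioner": {"account.create", "account.disable"},
    "access_approver": {"access_request.approve"},
    "role_designer": {"role.define"},
    "role_assigner": {"role.assign"},
    "policy_admin": {"policy.configure"},
    "compliance_certifier": {"policy.certify"},
    "audit_reader": {"auditlog.read"},
}

# Constructed SoD rules at the entitlement level. A frozenset makes (a, b) and
# (b, a) the same rule, so the matrix is symmetric by construction.
TOXIC_PAIRS = {
    frozenset({"account.create", "access_request.approve"}): "provisioning vs. access approval",
    frozenset({"role.define", "role.assign"}): "role definition vs. role assignment",
    frozenset({"policy.configure", "policy.certify"}): "policy configuration vs. certification",
}


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset  # every role currently held, including residual ones


def entitlements_of(identity):
    """Union of the entitlements granted by all roles the identity holds."""
    held = set()
    for role in identity.roles:
        held |= ROLES[role]
    return held


def role_matrix():
    """Derive the role-vs-role SoD grid from the entitlement rules:
    {frozenset({role_a, role_b}): rule description} for each incompatible pair."""
    matrix = {}
    for role_a, role_b in combinations(sorted(ROLES), 2):
        combined = ROLES[role_a] | ROLES[role_b]
        for pair, description in TOXIC_PAIRS.items():
            # Flag the pairing only when the conflict spans both roles; a single
            # role that grants both sides is a toxic role, not a toxic pairing.
            if pair <= combined and not pair <= ROLES[role_a] and not pair <= ROLES[role_b]:
                matrix[frozenset({role_a, role_b})] = description
    return matrix


def find_violations(identity, exceptions=None):
    """Sorted (description, entitlement_a, entitlement_b) tuples for each toxic pair
    the identity holds. `exceptions` maps (identity name, pair) to the documented
    compensating control; a documented exception is not reported as a violation."""
    exceptions = exceptions or {}
    held = entitlements_of(identity)
    violations = []
    for pair, description in TOXIC_PAIRS.items():
        if pair <= held and (identity.name, pair) not in exceptions:
            first, second = sorted(pair)
            violations.append((description, first, second))
    return sorted(violations)


def mover(identity, old_role, new_role, remove_old=True):
    """Simulate a JML mover event. With remove_old=False the identity keeps the
    previous role's entitlements, which is how privilege creep accumulates."""
    roles = set(identity.roles) | {new_role}
    if remove_old:
        roles.discard(old_role)
    return Identity(identity.name, frozenset(roles))


def sweep(identities, exceptions=None):
    """One review pass over many identities: {name: violations} for those with findings."""
    findings = {}
    for identity in identities:
        violations = find_violations(identity, exceptions)
        if violations:
            findings[identity.name] = violations
    return findings


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"helpdesk_provisioner"}))
    drifted = mover(alice, "helpdesk_provisioner", "access_approver", remove_old=False)
    clean = mover(alice, "helpdesk_provisioner", "access_approver")
    print("drifted:", find_violations(drifted))
    print("clean:  ", find_violations(clean))
    for roles, why in sorted(role_matrix().items(), key=lambda kv: sorted(kv[0])):
        print("matrix:", sorted(roles), "->", why)
```

The exception register is what the policy section below calls documented exceptions with compensating controls: the conflict still exists, but the check distinguishes an approved, reviewed exception from an undocumented accumulation.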

Define and document policies 

A formal policy should specify: which role combinations are prohibited at the identity layer; the process for documenting and managing exceptions; compensating controls that apply when separation is not feasible; and how violations will be detected, escalated, and remediated.

Enforce least privilege and granular role delegation

Role-based access control (RBAC) is the technical foundation of SoD in most environments. ADManager Plus addresses this directly through a non-invasive, role-based delegation model that—rather than elevating a technician's native rights—enforces delegated roles within the tool itself. Permissions are role-specific and OU-scoped, ensuring that no identity in the delegation chain holds more access than their defined job function.

Build multi-level approval workflows into access provisioning 

When provisioning is informal or approved at high volume, the person raising the request effectively controls both the request and its approval, a direct SoD violation in the provisioning workflow. ADManager Plus' workflow capabilities allow teams to configure structured, multi-level approval workflows for all critical tasks. Conditional assignment rules can route specific request types to designated approvers based on the sensitivity of the action, resulting in a provisioning chain in which the requester and the approver are always separate identities.
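As an added example, and not ADManager Plus code, the rules a multi-level approval workflow has to enforce can be written down as a small evaluator: the requester can never be an approver, each approval level must be held by someone authorized for that level, one person cannot sign off at two levels, and higher-sensitivity requests are routed through more levels. The entitlement names, sensitivity tiers, routing table and approver directory are constructed for the illustration.

```python
"""Added illustration of requester/approver separation in a multi-level approval
workflow; not ADManager Plus code. Names, tiers and routing are constructed."""
from dataclasses import dataclass, field

# Constructed sensitivity classification of the entitlements that can be requested.
SENSITIVITY = {
    "group.modify_membership": "standard",
    "account.create": "standard",
    "role.assign": "high",
    "auditlog.read": "high",
}
# Constructed conditional routing: approval levels required per sensitivity tier.
ROUTING = {
    "standard": ["line_manager"],
    "high": ["line_manager", "security_owner"],
}
# Constructed directory of who may approve at each level.
APPROVERS = {
    "line_manager": {"bob", "dana"},
    "security_owner": {"erin"},
}


@dataclass
class AccessRequest:
    requester: str
    entitlement: str
    approvals: list = field(default_factory=list)  # (level, approver), in recorded order


def required_levels(entitlement):
    """Approval levels the request must pass; unclassified entitlements get the strictest tier."""
    tier = SENSITIVITY.get(entitlement, "high")
    return ROUTING[tier]


def evaluate(request):
    """Return (approved, reasons). Approved only when every required level is signed
    off by a distinct, authorized approver who is not the requester."""
    reasons = []
    seen = {}  # level -> approver recorded at that level
    for level, approver in request.approvals:
        if approver == request.requester:
            reasons.append(f"{level}: requester {approver!r} cannot approve their own request")
        if approver not in APPROVERS.get(level, set()):
            reasons.append(f"{level}: {approver!r} is not an authorized approver at this level")
        if approver in seen.values():
            reasons.append(f"{level}: {approver!r} already approved at another level")
        seen[level] = approver
    for level in required_levels(request.entitlement):
        if level not in seen:
            reasons.append(f"{level}: missing approval")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = evaluate(AccessRequest("alice", "role.assign",
                                     [("line_manager", "bob"), ("security_owner", "erin")]))
    print("two-level, separate approvers:", ok, why)
    ok, why = evaluate(AccessRequest("bob", "group.modify_membership", [("line_manager", "bob")]))
    print("self-approval:", ok, why)
```

Evaluating the request at the point of execution rather than at submission is what makes the check useful: approvals recorded after a role change, or by someone who was later removed from an approver position, are caught when the provisioning action is actually about to run.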

Run regular access certification campaigns to detect entitlement drift  

An access certification campaign is the process of systematically asking managers, role owners, and access reviewers to validate whether the entitlements held by their team members are still appropriate for their current role and to flag combinations that create conflicts. ADManager Plus' access certification campaigns allow teams to schedule and automate these reviews across Active Directory and Microsoft 365.

Generate compliance-ready audit reports 

ADManager Plus provides over 200 built-in reports covering user accounts, group memberships, access permissions, inactive accounts, and all administrative actions taken within the environment. Compliance-specific reports map directly to SOX, HIPAA, GDPR, and PCI DSS requirements, and can be scheduled, auto-generated, and exported in PDF, CSV, XLSX, and HTML formats to meet audit requirements.

Sustaining segregation of duties across the identity life cycle

SoD is not a control you configure once and forget about. Every event, role change, and new access request is an opportunity for entitlement drift to reintroduce the toxic combinations your governance model was designed to prevent. The organizations that stay ahead of that drift are the ones that treat SoD as a continuous governance process instead of a one-time change. ADManager Plus supports this at every layer—from granular role delegation and multi-level approval workflows to automated access certification and compliance reporting—so that governance remains operational as your identity environment grows, not just as it is first configured.

FAQ 

1. What is segregation of duties?

Segregation of duties (SoD) is the governance principle that ensures no single identity holds a combination of entitlements allowing them to control a sensitive process—such as provisioning, authorization, execution, and oversight—without independent review. It is enforced through role architecture, provisioning workflow design, access certification, and audit controls.

2. What is the difference between segregation of duties and separation of duties?  

The two terms describe the same principle and are used interchangeably in identity governance and administration (IGA). Segregation of duties tends to appear in IGA platforms and compliance documentation, while separation of duties is used more broadly across other industries.

3. What are toxic role combinations in IGA?  

Toxic role combinations are specific pairings of entitlements that, when held by a single identity, create end-to-end control over a sensitive process with no independent oversight. Common examples include holding both account provisioning and access approval rights, or combining role definition with role assignment authority.

4. Is segregation of duties a preventive or detective control?  

SoD is primarily a preventive control that is built into the role architecture and provisioning workflow to prevent conflicting entitlements from coexisting. Detective controls such as access certification campaigns, audit log reviews, and entitlement monitoring identify violations that have accumulated over time.

5. How does JML automation create segregation of duties violations in IGA?  

When users change roles or functions, new entitlements are added but old ones are often not removed. Over time, an identity accumulates access from multiple previous roles, creating toxic combinations that no single provisioning decision intentionally created. Automated access certification is the primary mechanism within IGA for surfacing and remediating this drift.

6. What regulations require segregation of duties enforcement in IGA environments?  

SOX, HIPAA, the GDPR, the PCI DSS, and other regulations require organizations to implement SoD. All of these frameworks require not just that internal controls exist, but that organizations can produce documented evidence that those controls are actively maintained and reviewed.