What Is Segregation of Duties?
Segregation of Duties (SoD) is a control principle requiring that no single identity hold two or more permissions that, combined, would let it complete a sensitive process end-to-end without independent oversight. The classic example: the same identity shouldn’t be able to both create a vendor record and approve payments to that vendor, since together those two permissions enable fraud with no second party involved.
SoD policies are typically encoded as rule sets inside an IGA platform, defining which roles or entitlements can’t be held simultaneously, and are checked automatically whenever a new access request or role assignment would create a conflict. Regulatory frameworks like SOX require documented SoD controls for financial systems specifically.
The limitation is the same one that runs through most governance controls: an SoD rule can only evaluate the roles and entitlements the governance platform actually tracks. An identity that holds a conflicting permission through a path IGA never captured, a nested group, a local account, a shared credential, can violate SoD in practice while the policy engine reports no violation at all, because it never saw the conflicting grant in the first place.