Identity GlossaryLast updated July 17, 2026

Segregation of Duties (SoD)

A neutral definition of segregation of duties: the control that prevents any single identity from holding two conflicting permissions, like requesting and approving the same payment.

What Is Segregation of Duties?

Segregation of Duties (SoD) is a control principle requiring that no single identity hold two or more permissions that, combined, would let it complete a sensitive process end-to-end without independent oversight. The classic example: the same identity shouldn’t be able to both create a vendor record and approve payments to that vendor, since together those two permissions enable fraud with no second party involved.

SoD policies are typically encoded as rule sets inside an IGA platform, defining which roles or entitlements can’t be held simultaneously, and are checked automatically whenever a new access request or role assignment would create a conflict. Regulatory frameworks like SOX require documented SoD controls for financial systems specifically.

The limitation is the same one that runs through most governance controls: an SoD rule can only evaluate the roles and entitlements the governance platform actually tracks. An identity that holds a conflicting permission through a path IGA never captured, a nested group, a local account, a shared credential, can violate SoD in practice while the policy engine reports no violation at all, because it never saw the conflicting grant in the first place.

Share

How Segregation of Duties Enforcement Works

SoD enforcement typically runs through five stages.

1

Conflict Rule Definition

Defining which roles or entitlements are mutually exclusive for a given identity to hold.

2

Pre-Assignment Checks

Evaluating a new access request against conflict rules before it’s ever granted.

3

Ongoing Conflict Detection

Periodically re-scanning existing access for conflicts that emerged after the fact.

4

Exception & Mitigation Workflows

Handling legitimate cases where a conflict is approved anyway, with a documented compensating control.

5

Audit Evidence

Producing a record of every conflict check, exception, and resolution for compliance review.

Frequently Asked Questions

See the Identity System of Record in Action

Hydden discovers, reconciles, and continuously governs every identity (human, machine, and agentic) across your enterprise.

© 2026 Hydden Inc. All rights reserved.Privacy PolicyTerms of Service