Because auditors use Segregation of Duties (SOD) reports to validate access controls, organizations spend time analyzing SODs and limiting user access. They spend even more time managing access request escalations, executing mitigations, and designing and managing complex roles.
Given the cost and complexity, does static SOD reporting make sense? Is there a better way?
Absolutely. Organizations can now avoid complexity and costs by taking a balanced approach that considers not only what a user could do but also what they did do. Roles can be simplified, access can be more lenient, escalations for exceptional access will happen less often and be less disruptive, the organization can be more secure with less risk, and audits can become less costly and more easily passed.