You need to enable JavaScript in order to use the AI chatbot tool powered by ChatBot

Why Segregation of Duties Breaks When One AI Agent Can Approve and Execute

Share via:
blog-cms-banner-bg
Little-Known Negotiation Hacks to Get the Best Deal on Slack
cta-bg-blogDownload Your Copy

HIPAA Compliance Checklist for 2025

Download PDF

Your SOX controls assume segregation of duties means different people in different roles. 

  • The person who requests a purchase order isn't the person who approves it. 
  • The engineer who writes the code isn't the one who deploys it. 

That assumption holds because humans work inside org charts, and org charts separate people.

An AI agent isn't inside an org chart. One agent connected to your approval workflow, your provisioning system, and your payment processor can receive a request, approve it, and execute it in seconds, with no one else involved.

This piece covers exactly where that collapse happens, why it's harder to catch than a human breaking the same rule, and what segregation of duties looks like once AI agents are in the workflow.

TL;DR

  • Segregation of duties assumes three separate roles: initiation, authorization, and execution. A single AI agent can hold all three at once.
  • This is already happening in access provisioning, procurement, license reclaim, and data routing workflows, not as an edge case but as the default setup.
  • Static policy rules don't restore segregation of duties. A rule written months ago can't authorize a transaction it never anticipated.
  • Agent-driven SoD collapse is harder to detect than a human violation because it leaves one entity ID in the log instead of two.
  • Fixing it means putting a human back in the authorization step, scoping what agents can do alone, and keeping an audit trail that separates who initiated an action from who authorized it.

1. What Segregation of Duties Actually Controls, and the Assumption AI Agents Break

Segregation of duties is a preventive control. It distributes a sensitive transaction across separate parties so no single actor can complete the whole thing alone.

The Three Roles Segregation of Duties Keeps Apart

  • Initiation: identifying that something should happen and generating the request
  • Authorization: independently evaluating whether it should happen and approving it
  • Execution: carrying out the approved action

Any entity holding all three roles on the same transaction is a segregation of duties violation. That's true in accounting, in IT access management, in procurement, and now in AI-driven automation.

Comparison showing segregation of duties for human roles versus AI agents, where one agent can hold initiate, approve, and execute permissions that would normally be separated across people.

The Assumption That Breaks

Segregation of duties was designed around a specific kind of actor, and AI agents don't match it:

What SoD assumes What an AI agent actually is
One actor holds one role at a time One agent can be connected to every step of a workflow simultaneously
Approval requires a separate human to log in and act An agent with access to the approval step can execute it as part of the same run
The initiator and approver sit in different parts of the org An agent's permission scope is defined by whatever API keys and OAuth tokens it was built with, often broader than any single human role

The result is that segregation of duties, a control built on human role boundaries, has nothing to enforce a boundary against when the actor is a single automated process.

One Agent. Three Roles. Zero Segregation of Duties.

Find every agent holding conflicting permissions right now.
Download Checklist

2. Why This Is Already a Problem in Your Environment

This is already showing up in workflows most teams assume are under control, and it's the clearest form AI agent segregation of duties collapse takes today.

Four Places One Agent Ends Up Approving Its Own Requests

Diagram showing an AI agent automating actions across access, spend, license, and data workflows, highlighting that configured rules can scale actions without creating independent approval.

a) Access provisioning agents

Agent receives an access request, checks it against a permission policy, and provisions the access itself. 

  • What's missing: no second party reviews whether the request is contextually appropriate, only whether it technically matches the policy
  • The gap in practice: a recently transferred employee requesting their old department's data can pass the policy check and still be the wrong outcome

b) Procurement and spend agents

Agent receives a purchase request under a delegated threshold, checks the budget, approves it, submits the PO, all as one actor.

  • What's missing: the financial control requiring a requester and an approver to be different people never engages
  • The gap in practice: requests can be structured just under the threshold and approved individually, a pattern a human reviewer would catch, and a rule-checking agent won't

c) License reclaim agents

Automation detects 30 days of inactivity, sends a notice, and treats non-response as implicit approval to remove the license

  • What's missing: the "authorization" step is the absence of a human, not a decision by one
  • The gap in practice: a user on leave or filtering their inbox loses access, with no one actually approving that outcome

d) Data routing and workflow agents

Agent pulls internal data from a source system and routes it outward, to another application, an external system, or a distribution list, based on a rule a business user configured

  • What's missing: each routing decision is functionally an authorization decision, made hundreds of times a day, with zero human review
  • The gap in practice: sensitive data can move to the wrong destination, and the routing rule never flags it, because the rule was never built to catch that.

"We Have Rules for This" Doesn't Solve It

The agent is only executing rules a human has already configured, so authorization is already baked into the policy. That defense doesn't hold up.

The rule vs. the transaction: segregation of duties never required a human to write the rule. It requires a human to authorize the transaction. Those are two different things. 

  • Why the gap survives policy: a policy configured months ago can't anticipate every context a specific request shows up in. Per-transaction human authorization exists to catch exactly the cases where a rule applies technically, but the outcome is wrong contextually.
  • Where this shows up beyond access: static rules built for "this role gets this access" stop being reliable once the requester isn't a predictable human role. Spend fails the same way: a rule letting an agent draw against a budget can burn through it as fast as a misconfigured query drains a token allocation, because nothing is checking the transaction, only the rule

The bottom line: an agent running 500 license decisions a day against a configured policy is providing scale without any of the oversight that segregation of duties is supposed to guarantee

Why Nobody Notices Until the Audit

Human segregation of duties violations get caught because they leave a pattern: two different user IDs on one transaction, which most GRC tools are built to flag. AI agent SoD collapse looks nothing like that.

Human SoD violation AI agent SoD collapse
Audit log signature Two different user IDs on one transaction One entity ID across every step
Intent Usually deliberate Usually nobody's decision, just how connections were configured
Volume One violation, one transaction One gap, multiplied across every transaction the agent processes
Discoverability Flagged by standard GRC exception rules Reads as a normal automated workflow, not an exception

Most AI agents also get built bottom-up, outside formal procurement or security review. 

A Gartner survey of 302 cybersecurity leaders found that 69% of organizations suspect or have evidence that employees are using prohibited public GenAI, largely without IT ever reviewing it first. 

That means the agents most likely to collapse segregation of duties are frequently the ones IT and compliance don't know exist. A human SoD violation leaves two names in the log. An AI agent SoD collapse leaves one.

Standard GRC Rules Won't Flag This. Your Checklist Should.

Close the access gaps that automated workflows quietly create.
Download Checklist

3. Three Ways to Put a Human Back in the Approval Step

The principle behind segregation of duties changes how the separation gets implemented.

a) Human-in-the-loop authorization

How it works: the agent handles initiation and, once approved, execution. A human handles authorization in between

For example, the agent detects an inactive account and prepares the deprovisioning action, but a person confirms it before it runs

b) Scoped autonomy

How it works: define narrow conditions under which an agent can act without a human step, limited to low-risk, low-impact, easily reversible actions. Everything outside that scope requires authorization

For example, an agent removing a license for an inactive user with no active projects and under $50 a month in spend can run autonomously. An agent with access to a sensitive role cannot

c) A separate audit trail

How it works: even where autonomous execution is permitted, the log records who or what initiated the action, whether a human authorized it or the agent acted unilaterally, and the basis for that decision

For example, when an auditor asks about a specific transaction, the answer includes an explicit authorization event, not just an execution event

4. How CloudEagle.ai Gives Compliance Teams Visibility Into Agent Connections

CloudEagle.ai doesn't enforce segregation of duties at the agent level. What it does is give security and compliance teams the visibility to find where the risk sits before an audit finds it for them.

Four-step framework for AI agent governance: maintain a complete agent inventory, map connections before transactions run, preserve ownership through employee turnover, and schedule recurring access reviews.

 

a) Agent inventory that actually exists: 

Most agents get built without a central record, so nobody knows what's running until an incident or an audit forces the question.

How CloudEagle.ai solves it:

  • Discovers every AI agent and non-human identity connected to your environment
  • Surfaces each one with its connected systems and permission scope
  • Keeps the inventory live instead of a point-in-time snapshot

CloudEagle.ai non-human identity inventory showing identities across connected environments, identity types, live status and ownership details, plus drill-down access to assigned roles, resources, and permissions.

The starting point for any segregation of duties assessment needs is already there, not reconstructed under the deadline.

b) Connection mapping before the transaction runs: 

An agent can sit on both sides of a sensitive workflow, initiating a request and also controlling its approval, with nobody noticing until it's too late.

How CloudEagle.ai solves it:

  • Maps every system each agent is connected to
  • Flags agents touching both sides of a SoD-sensitive boundary, like a request system and its approval step
  • Surfaces these connections before a transaction runs, not after

AI agent access details showing connected systems, roles, access levels, and segregation-of-duties risks, with options to review and revoke access before a transaction occurs.

Those agents get identified for review before they process a transaction, not after it's already happened.

c) Ownership that survives employee turnover: 

An agent's creator can leave the company, and the agent keeps running with no one accountable for what it can access.

How CloudEagle.ai solves it:

  • Assigns a human owner to every discovered agent
  • Flags any agent left without an owner on record
  • Keeps that owner accountable for certification and decommissioning decisions going forward

Non-human identity dashboard showing accountable owners for each AI agent, highlighting unassigned agents and providing actions to reassign ownership or decommission them.

There's always someone accountable for certifying whether the agent's connections are still appropriate.

d) A review cadence that doesn't depend on memory

Without a forcing function, agent access reviews happen inconsistently or not at all.

How CloudEagle.ai solves it:

  • Certifies agent connections on the same recurring cadence as human access reviews
  • Runs that cadence automatically instead of relying on someone to remember
  • Surfaces ownerless or over-scoped agents as part of the same cycle

Ownerless or over-scoped agents surface automatically, on schedule, instead of during an incident.

Access Reviews dashboard showing recurring certification cycles, named review owners, due dates, and automatically surfaced overdue reviews so access reviews stay on schedule.

This is the human accountability layer that segregation of duties assumes exists. 

CloudEagle.ai doesn't decide whether an agent's permissions are appropriate, but it gives teams the inventory their SoD controls depend on and makes sure someone is assigned to make that call and has to answer for it on a recurring schedule.

5. What SOX, SOC 2, and ISO 27001 Actually Require

None of the three major frameworks has AI agent-specific guidance yet, but auditors are already applying existing segregation of duties requirements to agent workflows, and most organizations don't have a ready answer.

Framework Requirement What it means for agents
SOX Section 404 / PCAOB standards Segregation of duties is a key internal control. PCAOB notes IT often achieves it through security controls, and excess access can break it down. Automation moves where segregation of duties gets enforced. It doesn't remove the requirement.
SOC 2 CC6.2 Authorize new users, revoke access when no longer authorized. An agent that provisions or removes its own access isn't a documented authorization event.
SOC 2 CC6.3 Access changes must be based on roles, citing least privilege and segregation of duties directly. An agent combining request and approval on the same access change doesn't meet it.
ISO 27001 Annex A 5.3 (formerly A.6.1.2) Conflicting duties must be segregated. Doesn't distinguish human actors from automated ones.

None of these standards were written with AI agent segregation of duties in mind, which is exactly why auditors are stretching existing SoD controls to cover a gap the frameworks haven't caught up to yet.

6. FAQs

1. What happens when AI agents interact with each other? 

One agent's output becomes another's input with no human review between them, which can chain a segregation of duties gap across multiple systems at once.

2. When segregation of duties can't be fully achieved in an online system, which functions should be separated first? 

Separate authorization from execution first. That's the step most likely to be automated away entirely.

3. Which duty role lets a user interact with an AI agent in the application? 

This depends on your access model, but the role should never combine the ability to configure an agent with the ability to approve its actions.

4. Can agentic AI plan and execute tasks autonomously? 

Yes. That's exactly why segregation of duties needs a defined authorization step, not an assumption that planning and execution stay separate on their own.

See how CloudEagle.ai surfaces AI agent connections and ownership so your compliance team can assess segregation of duties risk before an auditor does: book a demo.

Advertisement for a SaaS Subscription Tracking Template with a call-to-action button to download and a partial graphic of a tablet showing charts.Banner promoting a SaaS Agreement Checklist to streamline SaaS management and avoid budget waste with a call-to-action button labeled Download checklist.Blue banner with text 'The Ultimate Employee Offboarding Checklist!' and a black button labeled 'Download checklist' alongside partial views of checklist documents from cloudeagle.ai.Digital ad for download checklist titled 'The Ultimate Checklist for IT Leaders to Optimize SaaS Operations' by cloudeagle.ai, showing checklist pages.Slack Buyer's Guide offer with text 'Unlock insider insights to get the best deal on Slack!' and a button labeled 'Get Your Copy', accompanied by a preview of the guide featuring Slack's logo.Monday Pricing Guide by cloudeagle.ai offering exclusive pricing secrets to maximize investment with a call-to-action button labeled Get Your Copy and an image of the guide's cover.Blue banner for Canva Pricing Guide by cloudeagle.ai offering a guide to Canva costs, features, and alternatives with a call-to-action button saying Get Your Copy.Blue banner with white text reading 'Little-Known Negotiation Hacks to Get the Best Deal on Slack' and a white button labeled 'Get Your Copy'.Blue banner with text 'Little-Known Negotiation Hacks to Get the Best Deal on Monday.com' and a white button labeled 'Get Your Copy'.Blue banner with text 'Little-Known Negotiation Hacks to Get the Best Deal on Canva' and a white button labeled 'Get Your Copy'.Banner with text 'Slack Buyer's Guide' and a 'Download Now' button next to images of a guide titled 'Slack Buyer’s Guide: Features, Pricing & Best Practices'.Digital cover of Monday Pricing Guide with a button labeled Get Your Copy on a blue background.Canva Pricing Guide cover with a button labeled Get Your Copy on a blue gradient background.

Enter your email to
unlock the report

Oops! Something went wrong while submitting the form.
License Count
Benchmark
Per User/Per Year

Enter your email to
unlock the report

Oops! Something went wrong while submitting the form.
License Count
Benchmark
Per User/Per Year

Enter your email to
unlock the report

Oops! Something went wrong while submitting the form.
Notion Plus
License Count
Benchmark
Per User/Per Year
100-500
$67.20 - $78.72
500-1000
$59.52 - $72.00
1000+
$51.84 - $57.60
Canva Pro
License Count
Benchmark
Per User/Per Year
100-500
$74.33-$88.71
500-1000
$64.74-$80.32
1000+
$55.14-$62.34

Enter your email to
unlock the report

Oops! Something went wrong while submitting the form.

Enter your email to
unlock the report

Oops! Something went wrong while submitting the form.
Zoom Business
License Count
Benchmark
Per User/Per Year
100-500
$216.00 - $264.00
500-1000
$180.00 - $216.00
1000+
$156.00 - $180.00

Enter your email to
unlock the report

Oops! Something went wrong while submitting the form.

Get the Right Security Platform To Secure Your Cloud Infrastructure

Please enter a business email
Thank you!
The 2023 SaaS report has been sent to your email. Check your promotional or spam folder.
Oops! Something went wrong while submitting the form.

Access full report

Please enter a business email
Thank you!
The 2023 SaaS report has been sent to your email. Check your promotional or spam folder.
Oops! Something went wrong while submitting the form.

Your SOX controls assume segregation of duties means different people in different roles. 

  • The person who requests a purchase order isn't the person who approves it. 
  • The engineer who writes the code isn't the one who deploys it. 

That assumption holds because humans work inside org charts, and org charts separate people.

An AI agent isn't inside an org chart. One agent connected to your approval workflow, your provisioning system, and your payment processor can receive a request, approve it, and execute it in seconds, with no one else involved.

This piece covers exactly where that collapse happens, why it's harder to catch than a human breaking the same rule, and what segregation of duties looks like once AI agents are in the workflow.

TL;DR

  • Segregation of duties assumes three separate roles: initiation, authorization, and execution. A single AI agent can hold all three at once.
  • This is already happening in access provisioning, procurement, license reclaim, and data routing workflows, not as an edge case but as the default setup.
  • Static policy rules don't restore segregation of duties. A rule written months ago can't authorize a transaction it never anticipated.
  • Agent-driven SoD collapse is harder to detect than a human violation because it leaves one entity ID in the log instead of two.
  • Fixing it means putting a human back in the authorization step, scoping what agents can do alone, and keeping an audit trail that separates who initiated an action from who authorized it.

1. What Segregation of Duties Actually Controls, and the Assumption AI Agents Break

Segregation of duties is a preventive control. It distributes a sensitive transaction across separate parties so no single actor can complete the whole thing alone.

The Three Roles Segregation of Duties Keeps Apart

  • Initiation: identifying that something should happen and generating the request
  • Authorization: independently evaluating whether it should happen and approving it
  • Execution: carrying out the approved action

Any entity holding all three roles on the same transaction is a segregation of duties violation. That's true in accounting, in IT access management, in procurement, and now in AI-driven automation.

Comparison showing segregation of duties for human roles versus AI agents, where one agent can hold initiate, approve, and execute permissions that would normally be separated across people.

The Assumption That Breaks

Segregation of duties was designed around a specific kind of actor, and AI agents don't match it:

What SoD assumes What an AI agent actually is
One actor holds one role at a time One agent can be connected to every step of a workflow simultaneously
Approval requires a separate human to log in and act An agent with access to the approval step can execute it as part of the same run
The initiator and approver sit in different parts of the org An agent's permission scope is defined by whatever API keys and OAuth tokens it was built with, often broader than any single human role

The result is that segregation of duties, a control built on human role boundaries, has nothing to enforce a boundary against when the actor is a single automated process.

One Agent. Three Roles. Zero Segregation of Duties.

Find every agent holding conflicting permissions right now.
Download Checklist

2. Why This Is Already a Problem in Your Environment

This is already showing up in workflows most teams assume are under control, and it's the clearest form AI agent segregation of duties collapse takes today.

Four Places One Agent Ends Up Approving Its Own Requests

Diagram showing an AI agent automating actions across access, spend, license, and data workflows, highlighting that configured rules can scale actions without creating independent approval.

a) Access provisioning agents

Agent receives an access request, checks it against a permission policy, and provisions the access itself. 

  • What's missing: no second party reviews whether the request is contextually appropriate, only whether it technically matches the policy
  • The gap in practice: a recently transferred employee requesting their old department's data can pass the policy check and still be the wrong outcome

b) Procurement and spend agents

Agent receives a purchase request under a delegated threshold, checks the budget, approves it, submits the PO, all as one actor.

  • What's missing: the financial control requiring a requester and an approver to be different people never engages
  • The gap in practice: requests can be structured just under the threshold and approved individually, a pattern a human reviewer would catch, and a rule-checking agent won't

c) License reclaim agents

Automation detects 30 days of inactivity, sends a notice, and treats non-response as implicit approval to remove the license

  • What's missing: the "authorization" step is the absence of a human, not a decision by one
  • The gap in practice: a user on leave or filtering their inbox loses access, with no one actually approving that outcome

d) Data routing and workflow agents

Agent pulls internal data from a source system and routes it outward, to another application, an external system, or a distribution list, based on a rule a business user configured

  • What's missing: each routing decision is functionally an authorization decision, made hundreds of times a day, with zero human review
  • The gap in practice: sensitive data can move to the wrong destination, and the routing rule never flags it, because the rule was never built to catch that.

"We Have Rules for This" Doesn't Solve It

The agent is only executing rules a human has already configured, so authorization is already baked into the policy. That defense doesn't hold up.

The rule vs. the transaction: segregation of duties never required a human to write the rule. It requires a human to authorize the transaction. Those are two different things. 

  • Why the gap survives policy: a policy configured months ago can't anticipate every context a specific request shows up in. Per-transaction human authorization exists to catch exactly the cases where a rule applies technically, but the outcome is wrong contextually.
  • Where this shows up beyond access: static rules built for "this role gets this access" stop being reliable once the requester isn't a predictable human role. Spend fails the same way: a rule letting an agent draw against a budget can burn through it as fast as a misconfigured query drains a token allocation, because nothing is checking the transaction, only the rule

The bottom line: an agent running 500 license decisions a day against a configured policy is providing scale without any of the oversight that segregation of duties is supposed to guarantee

Why Nobody Notices Until the Audit

Human segregation of duties violations get caught because they leave a pattern: two different user IDs on one transaction, which most GRC tools are built to flag. AI agent SoD collapse looks nothing like that.

Human SoD violation AI agent SoD collapse
Audit log signature Two different user IDs on one transaction One entity ID across every step
Intent Usually deliberate Usually nobody's decision, just how connections were configured
Volume One violation, one transaction One gap, multiplied across every transaction the agent processes
Discoverability Flagged by standard GRC exception rules Reads as a normal automated workflow, not an exception

Most AI agents also get built bottom-up, outside formal procurement or security review. 

A Gartner survey of 302 cybersecurity leaders found that 69% of organizations suspect or have evidence that employees are using prohibited public GenAI, largely without IT ever reviewing it first. 

That means the agents most likely to collapse segregation of duties are frequently the ones IT and compliance don't know exist. A human SoD violation leaves two names in the log. An AI agent SoD collapse leaves one.

Standard GRC Rules Won't Flag This. Your Checklist Should.

Close the access gaps that automated workflows quietly create.
Download Checklist

3. Three Ways to Put a Human Back in the Approval Step

The principle behind segregation of duties changes how the separation gets implemented.

a) Human-in-the-loop authorization

How it works: the agent handles initiation and, once approved, execution. A human handles authorization in between

For example, the agent detects an inactive account and prepares the deprovisioning action, but a person confirms it before it runs

b) Scoped autonomy

How it works: define narrow conditions under which an agent can act without a human step, limited to low-risk, low-impact, easily reversible actions. Everything outside that scope requires authorization

For example, an agent removing a license for an inactive user with no active projects and under $50 a month in spend can run autonomously. An agent with access to a sensitive role cannot

c) A separate audit trail

How it works: even where autonomous execution is permitted, the log records who or what initiated the action, whether a human authorized it or the agent acted unilaterally, and the basis for that decision

For example, when an auditor asks about a specific transaction, the answer includes an explicit authorization event, not just an execution event

4. How CloudEagle.ai Gives Compliance Teams Visibility Into Agent Connections

CloudEagle.ai doesn't enforce segregation of duties at the agent level. What it does is give security and compliance teams the visibility to find where the risk sits before an audit finds it for them.

Four-step framework for AI agent governance: maintain a complete agent inventory, map connections before transactions run, preserve ownership through employee turnover, and schedule recurring access reviews.

 

a) Agent inventory that actually exists: 

Most agents get built without a central record, so nobody knows what's running until an incident or an audit forces the question.

How CloudEagle.ai solves it:

  • Discovers every AI agent and non-human identity connected to your environment
  • Surfaces each one with its connected systems and permission scope
  • Keeps the inventory live instead of a point-in-time snapshot

CloudEagle.ai non-human identity inventory showing identities across connected environments, identity types, live status and ownership details, plus drill-down access to assigned roles, resources, and permissions.

The starting point for any segregation of duties assessment needs is already there, not reconstructed under the deadline.

b) Connection mapping before the transaction runs: 

An agent can sit on both sides of a sensitive workflow, initiating a request and also controlling its approval, with nobody noticing until it's too late.

How CloudEagle.ai solves it:

  • Maps every system each agent is connected to
  • Flags agents touching both sides of a SoD-sensitive boundary, like a request system and its approval step
  • Surfaces these connections before a transaction runs, not after

AI agent access details showing connected systems, roles, access levels, and segregation-of-duties risks, with options to review and revoke access before a transaction occurs.

Those agents get identified for review before they process a transaction, not after it's already happened.

c) Ownership that survives employee turnover: 

An agent's creator can leave the company, and the agent keeps running with no one accountable for what it can access.

How CloudEagle.ai solves it:

  • Assigns a human owner to every discovered agent
  • Flags any agent left without an owner on record
  • Keeps that owner accountable for certification and decommissioning decisions going forward

Non-human identity dashboard showing accountable owners for each AI agent, highlighting unassigned agents and providing actions to reassign ownership or decommission them.

There's always someone accountable for certifying whether the agent's connections are still appropriate.

d) A review cadence that doesn't depend on memory

Without a forcing function, agent access reviews happen inconsistently or not at all.

How CloudEagle.ai solves it:

  • Certifies agent connections on the same recurring cadence as human access reviews
  • Runs that cadence automatically instead of relying on someone to remember
  • Surfaces ownerless or over-scoped agents as part of the same cycle

Ownerless or over-scoped agents surface automatically, on schedule, instead of during an incident.

Access Reviews dashboard showing recurring certification cycles, named review owners, due dates, and automatically surfaced overdue reviews so access reviews stay on schedule.

This is the human accountability layer that segregation of duties assumes exists. 

CloudEagle.ai doesn't decide whether an agent's permissions are appropriate, but it gives teams the inventory their SoD controls depend on and makes sure someone is assigned to make that call and has to answer for it on a recurring schedule.

5. What SOX, SOC 2, and ISO 27001 Actually Require

None of the three major frameworks has AI agent-specific guidance yet, but auditors are already applying existing segregation of duties requirements to agent workflows, and most organizations don't have a ready answer.

Framework Requirement What it means for agents
SOX Section 404 / PCAOB standards Segregation of duties is a key internal control. PCAOB notes IT often achieves it through security controls, and excess access can break it down. Automation moves where segregation of duties gets enforced. It doesn't remove the requirement.
SOC 2 CC6.2 Authorize new users, revoke access when no longer authorized. An agent that provisions or removes its own access isn't a documented authorization event.
SOC 2 CC6.3 Access changes must be based on roles, citing least privilege and segregation of duties directly. An agent combining request and approval on the same access change doesn't meet it.
ISO 27001 Annex A 5.3 (formerly A.6.1.2) Conflicting duties must be segregated. Doesn't distinguish human actors from automated ones.

None of these standards were written with AI agent segregation of duties in mind, which is exactly why auditors are stretching existing SoD controls to cover a gap the frameworks haven't caught up to yet.

6. FAQs

1. What happens when AI agents interact with each other? 

One agent's output becomes another's input with no human review between them, which can chain a segregation of duties gap across multiple systems at once.

2. When segregation of duties can't be fully achieved in an online system, which functions should be separated first? 

Separate authorization from execution first. That's the step most likely to be automated away entirely.

3. Which duty role lets a user interact with an AI agent in the application? 

This depends on your access model, but the role should never combine the ability to configure an agent with the ability to approve its actions.

4. Can agentic AI plan and execute tasks autonomously? 

Yes. That's exactly why segregation of duties needs a defined authorization step, not an assumption that planning and execution stay separate on their own.

See how CloudEagle.ai surfaces AI agent connections and ownership so your compliance team can assess segregation of duties risk before an auditor does: book a demo.

CloudEagle.ai recognized in the 2025 Gartner® Magic Quadrant™ for SaaS Management Platforms
Download now
gartner chart
5x
Faster employee
onboarding
80%
Reduction in time for
user access reviews
30k
Workflows
automated
$15Bn
Analyzed in
contract spend
$2Bn
Saved in
SaaS spend

Streamline SaaS governance and save 10-30%

Book a Demo with Expert
CTA image