While a very simple concept, segregation of duties (SOD) is still as relevant as ever for combating risks in today’s business world, but the way businesses need to implement SOD is changing in light of artificial intelligence (AI).
What is Segregation of Duties?
Segregation of duties is a basic principle of internal control. Separating different duties across an enterprise—a form of checks and balances—is a standard and generally effective way to mitigate financial, operational, and fraud risks. As AI offers businesses new forms of automation, monitoring, and alerts, the way companies implement their controls through segregation of duties is evolving.
While historically companies have considered only segregation of manual tasks, businesses must now establish segregation in automated processes within software applications, general ledger systems, financial systems, and other technologies.
How is Segregation of Duties Impacted by AI?
A classic example of segregation of duties is related to accounts payable (AP). An AP employee who has the authority to manually prepare a check and approve it for payment provides an opportunity for fraudulent payments. Even a company with a solid SOD policy, such as separating the AP tasks, can experience fraudulent behavior. If, instead, a company has an automated AP system that matches invoices to purchase orders and automatically approves payments, the SOD considerations must now focus on access privileges and controls (i.e., who has the ability to manipulate certain data within the AP system).
Inevitably, challenges arise in this new way of approaching SOD. Although AI allows for greater efficiency (i.e., a business no longer needs multiple individuals to achieve SOD), businesses face new intricacies in establishing the same kinds of SOD within information systems and digital applications. Successfully establishing and implementing SOD therefore requires knowledge of system configurations and access controls. This may present further challenges for smaller entities that lack resources dedicated to understanding and managing information technology and AI.
How do I implement SOD using Role-Based Access Controls?
While managing SOD within the context of computerized systems may be complex, PYA offers several feasible ways in which a company may accomplish this goal. To reshape an SOD policy for automated processes, businesses should put a heavy focus on role-based access controls. Below are a few practical ways to establish such controls and support SOD within automated systems:
- Start offline. Create a baseline understanding of who needs to perform specific tasks.
- Assign access based on job function, rather than assigning access per individual.
- Operate under a “least privilege” mentality, assigning access/roles based only on the minimum access/roles a person needs to perform their job.
- Consider implementing dual authorizations when appropriate (e.g., multi-step approvals required within the system for purchases over a certain dollar threshold).
- Document the details. Ensure you have an audit trail function within the system, evidencing attributes such as timestamps of specific actions.
- Conduct regular reviews of users’ access levels and privileges, individual workflows, and overall system functionality.
- Educate the users on what SOD is and why it matters.
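The accounts-payable example and the role-based controls listed above can be expressed as an executable policy. The following is an added illustration, not code from PYA or from any particular AP system: it assigns permissions to roles rather than to individuals, checks each user's combined roles against a list of conflicting duties (the kind of check a periodic access review would run), enforces a second approver above a dollar threshold, blocks self-approval, and records every decision in a timestamped audit trail. All role names, permissions, users, and the threshold are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Permissions each role grants inside a hypothetical AP system (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"payment.approve"},
    "ap_admin": {"vendor.create", "invoice.enter", "payment.approve", "match.override"},
    "auditor": {"report.view"},
}

# Pairs of duties one person must never hold together (constructed SOD policy).
CONFLICTS: List[Tuple[str, str]] = [
    ("invoice.enter", "payment.approve"),
    ("vendor.create", "payment.approve"),
    ("match.override", "payment.approve"),
]

DUAL_AUTH_THRESHOLD = 10_000.00  # assumed: payments above this need two approvers


def effective_permissions(roles: List[str]) -> Set[str]:
    """Union of the permissions granted by a user's roles; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user_roles: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Per user, list every conflicting permission pair their combined roles grant.
    Run this as part of the regular access review; an empty dict means no conflicts."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = [pair for pair in CONFLICTS if pair[0] in perms and pair[1] in perms]
        if hits:
            report[user] = hits
    return report


@dataclass
class AuditEvent:
    when: str        # UTC timestamp of the action
    actor: str
    action: str
    payment_id: str
    outcome: str


@dataclass
class Payment:
    payment_id: str
    amount: float
    entered_by: str                                   # who entered the invoice
    approvals: List[str] = field(default_factory=list)
    released: bool = False


class ApprovalWorkflow:
    """Approval step of a hypothetical automated AP system with an audit trail."""

    def __init__(self, user_roles: Dict[str, List[str]]):
        self.user_roles = user_roles
        self.audit_trail: List[AuditEvent] = []

    def _log(self, actor: str, payment_id: str, outcome: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append(AuditEvent(stamp, actor, "approve", payment_id, outcome))

    def approve(self, payment: Payment, approver: str) -> bool:
        """Record an approval; returns True if accepted, False if denied (always logged)."""
        perms = effective_permissions(self.user_roles.get(approver, []))
        if "payment.approve" not in perms:
            self._log(approver, payment.payment_id, "denied: lacks payment.approve")
            return False
        if approver == payment.entered_by:          # SOD: preparer may not approve
            self._log(approver, payment.payment_id, "denied: self-approval")
            return False
        if approver in payment.approvals:           # dual auth needs distinct people
            self._log(approver, payment.payment_id, "denied: duplicate approval")
            return False
        payment.approvals.append(approver)
        required = 2 if payment.amount > DUAL_AUTH_THRESHOLD else 1
        if len(payment.approvals) >= required:
            payment.released = True
            self._log(approver, payment.payment_id, "released")
        else:
            self._log(approver, payment.payment_id, "pending second approval")
        return True


if __name__ == "__main__":
    users = {"alice": ["ap_clerk"], "bob": ["ap_approver"],
             "carol": ["ap_approver"], "dave": ["ap_admin"]}
    print("SOD review:", sod_violations(users))       # flags dave's admin role
    wf = ApprovalWorkflow(users)
    big = Payment("PAY-2", 25_000.00, entered_by="alice")
    wf.approve(big, "bob")                             # pending, needs a second approver
    wf.approve(big, "carol")                           # released
    for ev in wf.audit_trail:
        print(ev)
```

Design note: the conflict list is evaluated over the union of a user's roles, so a person who holds two individually harmless roles is still flagged; that is the case that per-role review alone misses. The `ap_admin` role is deliberately over-broad to show how a review surfaces such roles for splitting.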
Clearly, SOD must now be managed differently based on the role of AI in today’s business world. Companies gain many efficiencies from increased use of AI, including those related to managing SOD risks. Management, however, must pivot its considerations and potentially shift resources to achieve a successful SOD method.
As a professional services firm, PYA helps clients with developing risk assessments, identifying areas for improvement in internal controls, and mitigating risk due to error or fraud. If you need assistance with establishing or reviewing internal controls, including those related to segregation of duties, our executives are happy to help.