How can segregation of duties conflicts be identified in IT change management to reduce cyber risk?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

How can segregation of duties conflicts be identified in IT change management to reduce cyber risk?

Explanation:
Segregation of duties (SoD) in change management means that no single person can carry a change through its whole lifecycle alone: raising it, approving it, building it, testing it and deploying it to production. To identify conflicts, compare two sources. The access side is the role definitions, access matrices or RBAC configuration, resolved to the effective permissions each person actually holds (nested groups and roles accumulated over time are where unexpected combinations hide). The process side is the workflow definitions plus the real change records, approval entries and deployment logs. Look for toxic combinations: the same person can initiate a change and approve it, approve and deploy it, or implement and test it; a single role bundles create, approve and deploy rights; or an approval was recorded by someone whose role does not actually grant approval rights, which points to inconsistent role definitions or a process bypass.

The method is concrete: map each role to the workflow steps it can perform, sample real change records across IT, security and operations, and verify that critical or high-risk changes received an independent review from a different function than the requester. Testing against actual records, not just the documented workflow, reveals where dual or four-eyes controls are missing in practice. The same review supports the practical safeguards: the approver must differ from the initiator, high-risk changes need a cross-functional check, and where a small team cannot separate the roles, compensating controls such as full logging and an independent post-implementation review are needed. Relying only on automated approvals removes the human oversight the control depends on, delegating all approvals to external vendors bypasses internal control structures, and focusing on user satisfaction does not address security risk.

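The check described above, as an added example that is not part of the original page: it resolves each user's effective permissions from role definitions, flags users holding a toxic pair (static conflicts), and then audits individual change records for four-eyes and cross-functional violations (transactional conflicts). All role names, permission names, users, functions and change records are constructed for the example and do not come from any specific product.

```python
# Added example (not from the original page). Permission and role names are
# assumptions chosen for illustration.

# Pairs of permissions that, held together, let one person push a change
# through alone.
TOXIC_PAIRS = {
    ("change.create", "change.approve"),
    ("change.approve", "change.deploy"),
    ("change.deploy", "change.test"),   # deploying and then self-certifying the test
    ("change.create", "change.deploy"),
}

# Constructed role definitions (role -> permissions) and assignments (user -> roles).
ROLES = {
    "developer": {"change.create", "change.test"},
    "cab_member": {"change.approve"},
    "release_eng": {"change.deploy"},
    "platform_admin": {"change.create", "change.approve", "change.deploy"},  # over-broad
}
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"cab_member"},
    "carol": {"release_eng"},
    "dave": {"platform_admin"},
    "erin": {"developer", "release_eng"},  # roles accumulated over time
}
# Constructed mapping of each user to their business function, used for the
# cross-functional check on high-risk changes.
USER_FUNCTION = {
    "alice": "engineering", "bob": "security", "carol": "operations",
    "dave": "operations", "erin": "engineering",
}

# Constructed change records as an ITSM export might present them.
CHANGES = [
    {"id": "CHG-1001", "risk": "high", "requester": "alice", "approver": "bob",
     "implementer": "carol", "tester": "alice"},
    {"id": "CHG-1002", "risk": "high", "requester": "dave", "approver": "dave",
     "implementer": "dave", "tester": "dave"},
    {"id": "CHG-1003", "risk": "low", "requester": "erin", "approver": "bob",
     "implementer": "erin", "tester": "erin"},
    {"id": "CHG-1004", "risk": "high", "requester": "alice", "approver": "bob",
     "implementer": "carol", "tester": "erin"},
    {"id": "CHG-1005", "risk": "low", "requester": "alice", "approver": "carol",
     "implementer": "erin", "tester": "alice"},
]


def effective_permissions(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Union of permissions granted by every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def static_conflicts(roles=ROLES, assignments=ASSIGNMENTS, toxic=TOXIC_PAIRS):
    """Users whose effective permissions contain a toxic pair: (user, perm_a, perm_b)."""
    findings = []
    for user in sorted(assignments):
        perms = effective_permissions(user, roles, assignments)
        for a, b in sorted(toxic):
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings


def record_conflicts(change, functions=USER_FUNCTION, roles=ROLES, assignments=ASSIGNMENTS):
    """SoD violations visible in one change record (four-eyes and cross-functional rules)."""
    findings = []
    req, app, imp, tst = (change.get(k) for k in ("requester", "approver", "implementer", "tester"))
    if app is None:
        findings.append("no approver recorded")
    else:
        if app == req:
            findings.append("requester approved own change")
        if app == imp:
            findings.append("implementer approved own change")
        # An approval by someone without approval rights means the role model and
        # the workflow disagree, or the workflow was bypassed.
        if "change.approve" not in effective_permissions(app, roles, assignments):
            findings.append(f"approver {app} holds no approval permission")
        if change.get("risk") == "high" and functions.get(app) == functions.get(req):
            findings.append("high-risk change lacks cross-functional approval")
    if imp is not None and imp == tst:
        findings.append("implementer tested own change")
    return findings


def audit_changes(changes=CHANGES, **kw):
    """Map change id -> list of findings over a batch of exported change records."""
    return {c["id"]: record_conflicts(c, **kw) for c in changes}


if __name__ == "__main__":
    for user, a, b in static_conflicts():
        print(f"STATIC  {user}: holds both {a} and {b}")
    for cid, findings in audit_changes().items():
        for f in findings:
            print(f"RECORD  {cid}: {f}")
```

Run the static check against the live RBAC export before sampling records: a user with a toxic pair is a conflict even if they have never exercised it, while the record audit catches conflicts the role model hides, such as a workflow that accepts an approval from an account without approval rights.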
