Which approach best implements separation of duties in an IAM program?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

Which approach best implements separation of duties in an IAM program?

Explanation:
Separation of duties is about distributing responsibilities so no single person can complete a critical action end to end. In an IAM program, this means dividing tasks among different roles, requiring more than one person’s involvement for sensitive actions, and keeping privileges limited to what’s necessary. The approach that best implements this is to split critical tasks across multiple roles, require dual approvals for sensitive actions, limit admin capabilities, and monitor for policy violations. This setup creates multiple checkpoints and ensures that no single individual can both initiate and approve high-risk changes, making fraud or errors harder to carry out and easier to catch.

Granting all admin rights to one person defeats these protections by centralizing power and removing necessary checks. Assigning the same person to approve all sensitive actions after a brief wait still concentrates authority in a single individual, merely adding a delay rather than real separation of duties. Disabling monitoring eliminates the ability to detect violations, undermining accountability and oversight. Together, splitting duties and enforcing dual approvals with proper oversight best achieves the goal of separation of duties.
