Segregation of duties enforced at request time. Not at audit time.
In banking, the SoD violation that matters is the one that lets the same person initiate a transaction, approve it, and alter the audit log that would show it. Most IGA platforms catch that combination on the next quarterly certification, up to three months after the fraud has already happened. STRATUS catches it the moment the access request is submitted, and records an immutable evidence chain you can hand directly to your regulator.
The shorter the window between an SoD-violating access grant and the moment the conflict is detected, the smaller the fraud blast radius. Most platforms run that detection on a quarter. STRATUS runs it on a request.
Concrete examples from the pre-built SoD rule library shipped with STRATUS AccessGov. These are real conflicts STRATUS catches at request time, before the access is granted rather than after the wire has been sent.
Detected at the request layer. Request denied automatically. Compliance reviewer notified. An evidence pack is captured even though the grant never happened, proving to the auditor that the control fired.
Request matches an exception the rule library permits: the second role is read-only, so the toxic combination cannot actually be exercised. Approved with full audit trail, and the mitigating control (read-only second role) is captured in the evidence pack for the next external audit.
Origination/underwriting separation is a regulatory expectation (FFIEC, OCC guidance). STRATUS blocks at request time, with the mapped policy rationale and regulatory reference in the denial reason. Specific regulatory mappings are validated case-by-case with your compliance counsel.
The classic embezzlement vector — moves money, then makes the books match. STRATUS blocks the combination before the second role is even granted.
SoD rule library shipped at install: wire initiation/approval, loan origination/underwriting, cash/reconciliation, GL posting/audit, custody/clearing. Each rule template includes the mapped regulatory or control framework (FFIEC, OCC, SOX, COBIT) for compliance reviewer reference; final regulatory mappings are validated with your compliance counsel during the POC.
Conflicts are caught when the access is requested, before the grant. Quarterly certifications still happen (auditors still expect them as SOX §404 control evidence), but they validate that the control worked; they are no longer the mechanism that catches the fraud.
Every blocked SoD attempt becomes an Evidence Pack. Every approved grant with a mitigating control becomes an Evidence Pack. Hand it to the auditor; they verify its integrity cryptographically rather than taking our word for it.
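The request-time gate and the hash-chained evidence record described above, as an added illustration that is not STRATUS AccessGov code. The role names, the read-only mitigation semantics, the framework references on each rule and the SHA-256 chaining are all assumptions made for this example; the rule families follow the library listed on this page.

```python
"""Request-time SoD evaluation with a hash-chained evidence log.

Illustrative example only (not vendor code). Roles, modes, framework
references and the chaining scheme are assumptions for this demo.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed role catalogue: role -> (business function, access mode).
ROLES = {
    "wire_initiator":        ("wire_initiation", "rw"),
    "wire_approver":         ("wire_approval", "rw"),
    "loan_originator":       ("loan_origination", "rw"),
    "loan_underwriter":      ("loan_underwriting", "rw"),
    "cash_teller":           ("cash_handling", "rw"),
    "reconciliation_clerk":  ("reconciliation", "rw"),
    "reconciliation_viewer": ("reconciliation", "ro"),   # read-only: a mitigating control
    "gl_poster":             ("gl_posting", "rw"),
    "gl_auditor":            ("gl_audit", "rw"),
}

# Constructed rule library: (name, pair of functions one person must not hold, reference).
# The references are placeholders, not validated regulatory mappings.
SOD_RULES = [
    ("wire initiation/approval",      {"wire_initiation", "wire_approval"},      "FFIEC"),
    ("loan origination/underwriting", {"loan_origination", "loan_underwriting"}, "FFIEC/OCC"),
    ("cash/reconciliation",           {"cash_handling", "reconciliation"},       "SOX"),
    ("GL posting/audit",              {"gl_posting", "gl_audit"},                "SOX"),
]


@dataclass(frozen=True)
class Decision:
    outcome: str             # "approve" | "approve_with_mitigation" | "deny"
    rule: Optional[str]
    rationale: str


def evaluate(held_roles, requested_role):
    """Decide, before any grant, whether adding requested_role to held_roles
    completes a toxic combination. A read-only role on either side of the pair
    is treated as a mitigating control; any read-write pairing is denied."""
    req_fn, req_mode = ROLES[requested_role]
    mitigated = []
    for name, functions, ref in SOD_RULES:
        if req_fn not in functions:
            continue
        other_fn = next(iter(functions - {req_fn}))
        other_modes = {ROLES[r][1] for r in held_roles if ROLES[r][0] == other_fn}
        if not other_modes:
            continue                      # nothing held on the other side of this rule
        if req_mode == "ro" or other_modes == {"ro"}:
            mitigated.append(name)        # conflict exists but cannot be exercised
            continue
        return Decision("deny", name, f"{requested_role} completes {name} conflict ({ref})")
    if mitigated:
        return Decision("approve_with_mitigation", mitigated[0],
                        "read-only second role; mitigating control recorded")
    return Decision("approve", None, "no SoD conflict with held roles")


class EvidenceChain:
    """Append-only log where each record commits to the previous record's hash,
    so editing or dropping any record invalidates every later hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        canonical = json.dumps({k: v for k, v in body.items() if k != "hash"},
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, requester, requested_role, held_roles, decision):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "requester": requester,
                "requested": requested_role, "held": sorted(held_roles),
                "outcome": decision.outcome, "rule": decision.rule,
                "rationale": decision.rationale, "prev": prev}
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """Recompute every hash and link; an auditor can run this independently."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def request_access(chain, requester, held_roles, requested_role):
    """The request-time gate: evaluate first, record the decision (denials
    included), and only then return the outcome to the provisioning step."""
    decision = evaluate(held_roles, requested_role)
    chain.append(requester, requested_role, held_roles, decision)
    return decision


if __name__ == "__main__":
    chain = EvidenceChain()
    print(request_access(chain, "alice", {"wire_initiator"}, "wire_approver"))
    print(request_access(chain, "bob", {"cash_teller"}, "reconciliation_viewer"))
    print("chain intact:", chain.verify())
```

Denied requests produce a record just like approvals, which is what lets the auditor see that the control fired even though nothing was provisioned; and because every record carries the previous hash, retroactively "fixing" a denial into an approval breaks verification of the whole chain from that point on.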
A second classic banking fraud vector is the terminated insider: the employee retains access for hours after termination, walks customer data out, and makes a final wire. STRATUS closes that loop in 8 seconds end-to-end, with proof (measured from HR event in to evidence pack sealed across AD, Okta, and AWS in a lab environment; customer production timing varies by connector maturity, approval policy, and target-system API behavior). All of it runs over outbound-only mTLS: zero inbound firewall ports.
The complete pre-built SoD rule library — with regulatory citations and configurable mitigating-control templates — is available as part of a 30-Day Proof of Revoke.