Separation of Duties (for AI)
No single system — including AI — should have authority to both propose a decision and execute it without independent validation.
What it means
Separation of duties (SoD) is a control principle that requires critical actions to involve more than one actor or system, preventing any single party from having end-to-end control over a process. In financial controls, for example, the person who approves a payment cannot also be the one who initiates it.
Applied to AI systems, SoD means that the system which generates an AI recommendation cannot also be the system that executes it without independent validation. The AI proposes; a separate, independent enforcement layer validates; then execution occurs. This separation prevents the AI system's reasoning process from having unchecked authority over the outcome.
SoD for AI is especially important in regulated domains where SoD requirements already exist for human processes. Introducing AI into these processes must preserve, not circumvent, SoD controls.
Why enterprise executives need to understand this
CISOs and compliance officers require SoD controls as part of regulatory compliance (SOX, PCI DSS, banking regulations). When AI agents are introduced into processes that have existing SoD requirements, the architecture must ensure that SoD is preserved. An AI agent that both generates and executes a payment recommendation without independent validation would violate SoD requirements under most regulatory frameworks.
How Corules implements this
Corules enforces SoD by serving as the independent validation layer between AI proposal and execution. The AI agent (proposer) submits the proposed action to Corules (the independent validator), which evaluates it against compiled policy rules. The business system (executor) only receives the action if Corules returns ALLOW. The AI agent cannot bypass the validation step or influence its outcome — it is architecturally separated.
Frequently Asked Questions
Can AI satisfy SoD requirements in SOX-regulated processes?
It depends on implementation. If the AI agent both generates and executes decisions without independent validation, SoD is violated. If an independent enforcement layer (like Corules) validates AI proposals before execution — with no ability for the AI to bypass validation — SoD can be architecturally preserved and demonstrably so.
See Separation of Duties (for AI) in production
Corules implements every concept in this glossary. Join enterprise teams enforcing policy at runtime — no credit card required.
Request access