Glossary

Separation of Duties


Separation of duties (also called segregation of duties) is an organizational principle that distributes critical tasks across multiple people so that no single individual can complete a security-relevant process alone. Because a second person must act before the process completes, the principle reduces the risk of fraud, errors, and abuse of authority: a single compromised or careless account is no longer sufficient.

Classic examples: the person who initiates a payment must not approve it. The person who requests access rights must not grant them. The person who writes code must not be able to deploy it to production on their own; a review or a separate approval sits in between. ISO/IEC 27001:2022 Annex A control A.5.3 (Segregation of duties) requires that conflicting duties and conflicting areas of responsibility be segregated. In smaller organizations where strict separation is not feasible due to staffing, compensating controls apply: the dual-control (four-eyes) principle for critical actions, audit logs that the acting person cannot alter, and regular reviews of those logs and of the privileges that have been assigned.
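The two checks an access-management or workflow system actually performs to enforce this principle are illustrated below. This is an added example, not code from the glossary or from any product it describes; the role names, the conflict matrix and the transactions are constructed for the illustration. It shows static separation (a user must not hold two roles that together let them finish a critical process alone) and dynamic separation (for a given transaction the approver must differ from the initiator, and dual control needs two distinct approvers), with every decision written to an audit log as the compensating control the entry mentions.

```python
"""Separation of duties (SoD) checks: static role conflicts and dynamic
initiator/approver separation, with an audit trail. Added illustration;
all roles, users and transactions are constructed, not taken from a real system."""
from dataclasses import dataclass, field

# Constructed "toxic combinations": a user holding both roles of a pair could
# run the corresponding critical process end to end, which SoD forbids.
CONFLICTING_ROLES = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"access_requester", "access_granter"}),
    frozenset({"developer", "prod_deployer"}),
}

# Compensating control: every SoD decision (accept or reject) is recorded so
# that an independent reviewer can inspect it later. In a real system this
# would be append-only storage the actors cannot modify.
AUDIT_LOG: list[str] = []


class SoDViolation(Exception):
    """Raised when a role assignment or a workflow step would break SoD."""


def check_role_assignment(user: str, roles: set[str]) -> list[frozenset[str]]:
    """Static SoD: return the conflicting pairs contained in `roles` (empty list = OK)."""
    conflicts = [pair for pair in CONFLICTING_ROLES if pair <= roles]
    AUDIT_LOG.append(
        f"role-check user={user} roles={sorted(roles)} conflicts={len(conflicts)}"
    )
    return conflicts


@dataclass
class Transaction:
    """One instance of a critical process (payment, access grant, deployment)."""
    kind: str
    initiator: str
    approvals: list[str] = field(default_factory=list)


def approve(tx: Transaction, approver: str, required_approvals: int = 1) -> bool:
    """Dynamic SoD: record an approval and return True once enough distinct
    approvers have signed off. Self-approval and duplicate approvals are
    rejected; required_approvals=2 implements the dual-control principle."""
    if approver == tx.initiator:
        AUDIT_LOG.append(f"REJECT {tx.kind} approver={approver} reason=self-approval")
        raise SoDViolation(f"{approver} initiated this {tx.kind} and cannot approve it")
    if approver in tx.approvals:
        AUDIT_LOG.append(f"REJECT {tx.kind} approver={approver} reason=duplicate-approval")
        raise SoDViolation(f"{approver} has already approved this {tx.kind}")
    tx.approvals.append(approver)
    AUDIT_LOG.append(
        f"APPROVE {tx.kind} approver={approver} "
        f"count={len(tx.approvals)}/{required_approvals}"
    )
    return len(tx.approvals) >= required_approvals


def demo() -> dict[str, bool]:
    """Run both checks on constructed data and return the outcomes."""
    results = {}
    # Static check: reviewing code is fine alongside writing it, deploying is not.
    results["alice_roles_ok"] = check_role_assignment("alice", {"developer", "code_reviewer"}) == []
    results["bob_roles_conflict"] = check_role_assignment("bob", {"developer", "prod_deployer"}) != []

    # Dynamic check with dual control: initiator alice needs two other people.
    payment = Transaction("payment", initiator="alice")
    try:
        approve(payment, "alice", required_approvals=2)
        results["self_approval_blocked"] = False
    except SoDViolation:
        results["self_approval_blocked"] = True
    results["first_approval_complete"] = approve(payment, "bob", required_approvals=2)
    results["second_approval_complete"] = approve(payment, "carol", required_approvals=2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    print("\n--- audit log ---")
    print("\n".join(AUDIT_LOG))
```

The static check belongs at the point where roles are assigned (provisioning, group membership changes); the dynamic check belongs in the workflow engine at the moment an approval is recorded, since a user who legitimately holds an approver role must still be barred from approving their own request.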