James was a competent engineer with full access to everything. He had built most of the platform; he ran most of the deployments; he was on call most weekends. He held the keys to the kingdom — literally, in some cases — because the kingdom had grown faster than the team and James was the only person who knew where everything lived.
The arrangement worked. It worked, in fact, for two years. Then James went on holiday, the certificate expired, the renewal mechanism (which only James knew about) didn't fire, and an external service went down for eleven hours while the team tried to reconstruct what James kept in his head. That's the moment trias politica entered the conversation.
Three branches, quietly.
Trias politica — the separation of powers — is a quietly elegant idea borrowed from political philosophy. Montesquieu's argument was that liberty depends on dividing legislative, executive and judicial functions between different people, so that no one branch can entrench itself unchecked.
For IT services, the analogy translates cleanly:
- Legislative. Those who design the controls — the architects, the security team, the policy authors.
- Executive. Those who operate the controls — the engineers, the support team, the on-call rota.
- Judicial. Those who verify the controls — the auditors, the compliance function, the post-incident reviewers.
When the same person plays all three roles, the system is brittle. Not malicious — brittle. James wasn't a bad actor; he was a single point of failure with good intentions.
What separation buys you.
Three things, mostly:
- Resilience. If any one person goes on holiday (or quits, or gets hit by a bus), the system continues to function.
- Honesty. The person designing a control is not the person operating it, so the control has to make sense to a second pair of eyes. This raises the standard the control has to meet.
- Auditability. The judicial branch has someone to question, not just records to inspect.
The practical minimum.
You don't need three large departments to practise this. The minimum, for a small team, looks like:
- Two named engineers can deploy to production; either can refuse a deployment from the other.
- A third person reviews access logs once a month and reports to the service owner.
- An external party (internal audit or external review) verifies the practice annually.
Separation of duties beats one heroic admin. Always. Eventually.
What James learned.
After the eleven-hour outage, James did three things. He documented the certificate renewal. He shared his access with a colleague. He stopped being on call every weekend. The platform got more reliable. James got more rest. The audit got easier. None of it required new technology — only the recognition that one heroic admin was the system's biggest vulnerability, dressed up as its biggest asset.