As part of organizational security assessments, application-level vulnerability testing typically requires an evaluation of the application's capacity to facilitate the segregation of duties. Specifically, tests are guided by regulatory criteria or enforcement, such as PCI-DSS, GDPR, HIPAA, or SOX.