Business owners should make the access decision because they understand what each entitlement means in practice, while IT should provide the workflow, evidence, and reporting. If IT owns the decision without business context, reviewers are likely to approve access they do not fully understand.
Why This Matters for Security Teams
ERP access reviews fail when the reviewer cannot judge whether an entitlement is operationally necessary, temporary, or excessive in the context of a real business process. That is why business ownership matters: the person accountable for the process can tell the difference between legitimate duties and privilege creep, while IT can only see the technical permission. NHI Management Group’s Ultimate Guide to NHIs shows why this distinction matters across identity governance, lifecycle control, and offboarding.
Security teams often assume access review is a simple attestation exercise, but ERP environments tie entitlements to finance, procurement, HR, and supply chain workflows where context changes rapidly. Current guidance suggests that IT should operate the control, not make the substantive approval decision. That aligns with the OWASP Non-Human Identity Top 10 emphasis on governance gaps and the need for accountable ownership around privilege decisions. In practice, many organisations discover weak access review quality only after audit findings, fraud exposure, or a business incident has already exposed the mismatch between technical and operational ownership.
How It Works in Practice
The cleanest model is a split responsibility model. IT, IAM, or GRC teams run the access review campaign, define the evidence set, and route items to the right reviewers. Business owners then validate whether each ERP role, transaction code, approval path, or privileged function is still required for the job. This works because the business owner understands the workflow impact, while IT understands how the entitlement is provisioned and logged.
In practice, the review should be anchored to actual usage, role design, and segregation-of-duties risks. That means reviewers should see enough context to answer simple operational questions: who uses the access, what process it supports, whether it is redundant, and whether a lower-risk role would work. The NHI Lifecycle Management Guide is useful here because it frames access as part of an identity lifecycle, not a one-time checkbox.
- IT prepares the entitlement inventory and usage evidence.
- Business owners confirm whether access still matches a real business need.
- Control owners enforce escalation when reviewers do not respond.
- Audit teams verify that approvals are recorded and exceptions are time-bound.
For control design, zero trust and least privilege still apply. NIST SP 800-207 supports continuous verification, while identity governance controls should be tied to role ownership and evidence-based review. Where ERP systems are highly customised, entitlements may be too granular for generic IT review, so business process owners need the final say on necessity. These controls tend to break down when ERP roles are shared across departments and no single business owner can credibly attest to the access.
Common Variations and Edge Cases
Tighter business ownership often increases review burden, so organisations need to balance approval quality against reviewer fatigue. In mature environments, business owners approve entitlement necessity and IT only flags technical risk, but that model depends on clear role definitions and enough training to avoid rubber-stamping.
There is no universal standard for exactly how much decision power IT should retain. Best practice is evolving, but the current consensus is that IT may reject incomplete evidence, enforce policy, and document outcomes, while the business owner should decide whether the access has a valid operational purpose. If a role spans multiple processes, the accountable owner may need to be a process owner rather than a department head.
Edge cases include emergency access, shared service accounts, and delegated finance workflows. Those cases need time-bound approvals, stronger logging, and explicit exception handling because the normal reviewer may not be the person who understands the risk. For the broader risk picture, NHI Management Group's 52 NHI Breaches Analysis illustrates how quickly weak ownership and excessive privilege can turn into real exposure. The practical test is simple: if a reviewer cannot explain why the access exists in business terms, the access should not stay approved.
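As an added illustration of the split-responsibility workflow described under "How It Works in Practice" and of the edge-case handling just described (time-bound exceptions, escalation on non-response, and the "explain it in business terms" test), the following Python model runs one review campaign over a small entitlement inventory. It is example code written for this page, not tooling from NHI Management Group or from any ERP vendor; the users, roles, owners, dates and thresholds (a 90-day staleness window and a 14-day reviewer response window) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model of an ERP access review campaign (hypothetical; not tied to
# any ERP product or to the guide's own process).


@dataclass
class Entitlement:
    user: str
    role: str                               # ERP role, transaction code or approval path
    process: str                            # business process the access supports
    business_owner: Optional[str]           # accountable process owner; None if unclear
    last_used: Optional[date]               # usage evidence prepared by IT
    privileged: bool = False                # emergency / privileged function
    sod_conflicts: frozenset = frozenset()  # roles that conflict under SoD rules


@dataclass
class Decision:
    reviewer: str
    approve: bool
    justification: str = ""                 # business-terms reason the access exists
    expires: Optional[date] = None          # required for privileged / SoD exceptions


def evidence(ent: Entitlement, today: date, stale_days: int = 90) -> dict:
    """IT-prepared context the reviewer sees: usage, risk flags, SoD conflicts."""
    days = None if ent.last_used is None else (today - ent.last_used).days
    return {
        "process": ent.process,
        "days_since_use": days,
        "stale": days is None or days > stale_days,
        "privileged": ent.privileged,
        "sod_conflicts": sorted(ent.sod_conflicts),
    }


def decide(ent: Entitlement, decision: Optional[Decision], today: date,
           campaign_open: date, response_days: int = 14) -> str:
    """Apply the split-responsibility rules to one entitlement; returns an outcome code."""
    if ent.business_owner is None:
        # No single owner can credibly attest, so the item cannot be approved at all.
        return "escalate:no-accountable-owner"
    if decision is None:
        if (today - campaign_open).days > response_days:
            return "escalate:reviewer-no-response"  # control owner enforces escalation
        return "pending"
    if decision.reviewer != ent.business_owner:
        # IT/IAM run the campaign but must not make the substantive approval.
        return "escalate:reviewer-not-business-owner"
    if not decision.approve:
        return "revoke"
    if not decision.justification.strip():
        # Practical test: no business-terms reason, the access does not stay approved.
        return "revoke:no-business-justification"
    ev = evidence(ent, today)
    if ev["privileged"] or ev["sod_conflicts"]:
        # Exceptions must be time-bound so audit can verify they expire.
        if decision.expires is None or decision.expires <= today:
            return "exception:needs-time-bound-expiry"
        return f"retain-until:{decision.expires.isoformat()}"
    if ev["stale"]:
        return "retain:flag-stale-usage"  # approved, but surfaced for the next cycle
    return "retain"


def run_campaign(entitlements, decisions, today, campaign_open):
    """Map (user, role) to an outcome for every item in the inventory."""
    return {(e.user, e.role): decide(e, decisions.get((e.user, e.role)), today, campaign_open)
            for e in entitlements}


def sample_outcomes() -> dict:
    """Run the campaign over constructed sample data and return the outcomes."""
    today, opened = date(2024, 6, 30), date(2024, 6, 1)
    ents = [
        Entitlement("alice", "AP_INVOICE_POST", "accounts payable", "fin-ops-lead", date(2024, 6, 27)),
        Entitlement("bob", "VENDOR_MASTER_EDIT", "procurement", "procurement-lead", date(2024, 6, 20),
                    sod_conflicts=frozenset({"AP_INVOICE_POST"})),
        Entitlement("carol", "FIREFIGHTER_ADMIN", "emergency access", "erp-basis-owner", date(2024, 6, 1),
                    privileged=True),
        Entitlement("dave", "PAYROLL_RUN", "payroll", "hr-ops-lead", date(2024, 6, 28)),
        Entitlement("erin", "GL_JOURNAL_POST", "general ledger", None, date(2024, 6, 29)),
        Entitlement("frank", "PO_APPROVE", "procurement", "procurement-lead", date(2024, 6, 25)),
        Entitlement("grace", "HR_REPORT_VIEW", "HR reporting", "hr-ops-lead", date(2024, 1, 15)),
        Entitlement("svc-edi", "EDI_INBOUND", "supply chain", "supply-chain-lead", None),  # shared service account
    ]
    decisions = {
        ("alice", "AP_INVOICE_POST"): Decision("fin-ops-lead", True, "posts supplier invoices daily"),
        ("bob", "VENDOR_MASTER_EDIT"): Decision("procurement-lead", True, "vendor onboarding backlog",
                                                expires=date(2024, 9, 30)),
        ("carol", "FIREFIGHTER_ADMIN"): Decision("erp-basis-owner", True, "quarter-end support"),
        ("dave", "PAYROLL_RUN"): Decision("it-helpdesk", True, "ticket closed"),
        ("grace", "HR_REPORT_VIEW"): Decision("hr-ops-lead", True, ""),
        ("svc-edi", "EDI_INBOUND"): Decision("supply-chain-lead", True, "partner EDI feed"),
    }
    return run_campaign(ents, decisions, today, opened)


if __name__ == "__main__":
    for key, outcome in sample_outcomes().items():
        print(f"{key[0]:>8} {key[1]:<20} {outcome}")
```

The outcome codes are deliberately coarse: anything prefixed `escalate:` goes to the control owner, `exception:` goes back to the reviewer for an expiry date, and `revoke` feeds the deprovisioning queue, so the audit team can verify from the outcome log alone that every approval carries a business justification and every exception is time-bound.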
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access is best approved by the business owner who knows the process need. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Excessive or stale privilege during review maps to poor identity governance. |
| NIST AI RMF | GOV | Governance clarifies accountable human decision-making for access risk. |
In practice, this means defining ownership, escalation, and accountability for ERP access reviews under AI RMF governance principles.