TL;DR: As enterprises extend access governance from SAP into Salesforce, Workday, Oracle, Microsoft Dynamics, and other business-critical applications, entitlement management and segregation-of-duties controls become harder to coordinate across SaaS and hybrid estates, according to Pathlock. The governance challenge is no longer application-specific, but programme-wide: audit readiness, compliance, and access risk must be managed consistently across diverse business systems.
At a glance
What this is: This analyst report looks at how business application risk management is moving beyond SAP to cover broader entitlement and segregation-of-duties governance across enterprise application estates.
Why it matters: It matters because IAM, IGA, PAM, and compliance teams need a single governance model that can span human access, service identities, and application risk without fragmenting controls by platform.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Context
Business application risk management is the discipline of controlling who can do what inside the systems that run finance, operations, HR, and customer workflows. In this report, the governance problem is no longer confined to SAP. As application estates spread across SaaS and hybrid environments, entitlement management, segregation-of-duties analysis, and audit evidence all have to work across multiple platforms at once.
That shift matters for identity programmes because the control plane changes from a single enterprise application to a distributed business stack. IAM and IGA teams have to reconcile access risk across applications with different role models, different logs, and different review cycles, while still producing the evidence auditors expect.
Key questions
Q: How should security teams govern business application access across SaaS and hybrid estates?
A: They should standardise entitlement definitions, approval paths, and review evidence across all critical applications, then apply the same governance baseline to SaaS and on-prem systems. The goal is not identical technical controls in every product, but comparable accountability for access decisions, exceptions, and removals across the full business stack.
Q: Why does segregation of duties become harder outside SAP?
A: Because conflicting actions are encoded differently in each application, so the same business risk may sit in roles, permissions, workflow objects, or delegated administration. Without a common mapping model, SoD checks become inconsistent and important conflicts remain hidden across the wider application estate.
Q: What do IAM and IGA teams get wrong about business application governance?
A: They often treat each application as a separate governance island and assume local controls are enough. That approach misses cross-application entitlement drift, weak evidence chains, and conflicting access combinations that only appear when the whole estate is reviewed together.
Q: Who is accountable when access risk spans multiple business applications?
A: Accountability should sit with the business owner for the process, supported by IAM, IGA, and application teams that maintain the access model and evidence trail. If no one owns the end-to-end risk, certification becomes a paperwork exercise instead of a control.
Technical breakdown
Why segregation of duties gets harder across LoB applications
Segregation of duties, or SoD, is the control that prevents one identity from accumulating conflicting permissions that could enable fraud, error, or unauthorised change. In a single platform, SoD rules can be expressed around a stable entitlement model. In multi-vendor estates, the same business function may be represented by different roles, custom permissions, or workflow objects in each application. That makes cross-application conflict detection a mapping problem as much as a governance problem. Automation helps, but only if the identity team can normalise access semantics across systems that were never designed to share one policy model.
Practical implication: build a common SoD control model before expanding reviews across application families.
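The mapping problem described above, worked through as an added example (not code from the Pathlock report): every application-native entitlement is first translated to the canonical business functions it grants, and SoD rules are then evaluated once against those functions rather than against any one product's role names. The application names, native roles, business functions, rule identifiers and the sample assignments are all constructed for illustration. The example also shows the two cases a per-application check misses: a single bundled permission set that breaks a rule on its own, and an integration account that reaches both sides of a conflict through a delegated-admin path.

```python
"""Cross-application SoD check over a normalised entitlement model.

Added example, not Pathlock's code: application names, native role names,
business functions and the rule set below are constructed for illustration.
"""
from collections import defaultdict

# Step 1 of the common control model: map each application-native entitlement to
# the canonical business functions it grants. Bundled permission sets and
# delegated-admin paths expand to several functions at once.
ENTITLEMENT_MAP = {
    ("erp", "Z_AP_VENDOR_MAINT"): {"vendor.create"},
    ("erp", "Z_AP_PAYMENT_RUN"): {"payment.release"},
    ("crm", "PermSet_Contract_Approver"): {"contract.approve"},
    ("crm", "PermSet_Account_Admin"): {"account.edit", "contract.approve"},   # bundled
    ("hcm", "SecGroup_Payroll_Admin"): {"payroll.change"},
    ("hcm", "SecGroup_Comp_Approver"): {"payroll.approve"},
    ("iam", "DelegatedAdmin_Finance"): {"vendor.create", "payment.release"},  # delegated admin path
}

# Step 2: SoD rules are written once, against business functions, never against
# any one application's role names.
SOD_RULES = [
    ("SOD-001", "Create vendor and release payment", {"vendor.create", "payment.release"}),
    ("SOD-002", "Change payroll data and approve payroll", {"payroll.change", "payroll.approve"}),
    ("SOD-003", "Edit account and approve its contract", {"account.edit", "contract.approve"}),
]

# Constructed assignments as they would be pulled from each application's connector.
SAMPLE_ASSIGNMENTS = [
    ("alice", "erp", "Z_AP_VENDOR_MAINT"),
    ("alice", "erp", "Z_AP_PAYMENT_RUN"),                   # conflict inside one application
    ("bob", "erp", "Z_AP_VENDOR_MAINT"),
    ("bob", "crm", "PermSet_Contract_Approver"),            # no rule covers this pair
    ("carol", "hcm", "SecGroup_Payroll_Admin"),
    ("carol", "crm", "PermSet_Contract_Approver"),
    ("dave", "crm", "PermSet_Account_Admin"),               # one bundled permset breaks SOD-003 alone
    ("svc-finance-sync", "iam", "DelegatedAdmin_Finance"),  # integration account via delegated admin
    ("erin", "erp", "Z_LEGACY_ROLE"),                       # not in the map: must be surfaced, not ignored
]


def normalise(assignments):
    """Collapse (identity, app, native_entitlement) into
    identity -> {business_function -> set of (app, entitlement) that grant it}.
    Entitlements missing from the map are returned separately: an unmapped
    entitlement is a hole in the control model, not a clean result."""
    functions = defaultdict(lambda: defaultdict(set))
    unmapped = set()
    for identity, app, ent in assignments:
        funcs = ENTITLEMENT_MAP.get((app, ent))
        if funcs is None:
            unmapped.add((app, ent))
            continue
        for f in funcs:
            functions[identity][f].add((app, ent))
    return functions, unmapped


def find_conflicts(assignments):
    """One finding per (identity, rule) whose functions are all held, with the
    native entitlements that grant each side so remediation can target them."""
    functions, unmapped = normalise(assignments)
    findings = []
    for identity, held in functions.items():
        for rule_id, description, required in SOD_RULES:
            if required.issubset(held):
                findings.append({
                    "identity": identity,
                    "rule": rule_id,
                    "description": description,
                    "sources": {f: sorted(held[f]) for f in sorted(required)},
                })
    return findings, unmapped


if __name__ == "__main__":
    conflicts, unmapped = find_conflicts(SAMPLE_ASSIGNMENTS)
    for c in conflicts:
        print(c["identity"], c["rule"], c["sources"])
    print("unmapped:", sorted(unmapped))
```

Two design choices matter here. Unmapped entitlements are returned as a separate result rather than silently skipped, because an entitlement the model cannot classify is exactly where a conflict hides. Findings carry the native entitlements behind each function, so the reviewer can see that the integration account's conflict comes from one delegated-admin grant rather than two separate roles.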
Entitlement management in SaaS and hybrid estates
Entitlement management is the process of discovering, approving, reviewing, and revoking access rights tied to business applications. In SaaS and hybrid environments, entitlements are distributed across application-native roles, integration accounts, and delegated administration paths. The operational challenge is not simply seeing access, but keeping entitlement records aligned with business ownership and change events. When application sprawl grows, stale access and excessive privilege can persist in one system even after governance has improved elsewhere. That creates uneven risk and weakens audit defensibility.
Practical implication: tie entitlement inventories to business owners and automate review triggers across all critical applications.
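An added example of the review trigger this implies (not code from the report): the programme's role model says what each business role should hold in each application, connectors report what is actually held, and the comparison surfaces excess access, exceptions that expired without revocation, access the model expects but that was never granted, and accounts no owner in the programme knows about. The role model, identities, applications, exception records and dates are constructed for illustration; this is the same gap the page later calls entitlement drift.

```python
"""Entitlement drift detection across business applications.

Added example, not Pathlock's code: the role model, application names,
identities, exceptions and dates below are constructed for illustration.
"""
from datetime import date

# Programme model: the (application, entitlement) pairs each business role is
# expected to hold. An application listed with an empty set is in scope but
# should grant nothing for that role.
ROLE_MODEL = {
    "ap_clerk": {"erp": {"Z_AP_INVOICE_ENTRY"}, "crm": set()},
    "sales_ops": {"crm": {"PermSet_Opportunity_Edit"}, "hcm": set()},
}

# Identities known to the programme and their business roles.
IDENTITIES = {"alice": {"roles": {"ap_clerk"}}, "bob": {"roles": {"sales_ops"}}}

# What the application connectors actually report.
ACTUAL = {
    "alice": {("erp", "Z_AP_INVOICE_ENTRY"), ("erp", "Z_AP_PAYMENT_RUN"),
              ("crm", "PermSet_Report_Viewer")},
    "bob": {("hcm", "SecGroup_HR_Partner")},
    "svc-legacy-sync": {("erp", "Z_ALL_ACCESS")},   # nobody in the programme owns this account
}

# Approved exceptions with their expiry, keyed by (identity, app, entitlement).
EXCEPTIONS = {
    ("alice", "crm", "PermSet_Report_Viewer"): "2026-06-30",  # still valid on the sample date
    ("alice", "erp", "Z_AP_PAYMENT_RUN"): "2025-03-31",       # expired, access never removed
}


def expected_entitlements(roles):
    """Union of (app, entitlement) pairs the model expects for these roles."""
    expected = set()
    for role in roles:
        for app, ents in ROLE_MODEL.get(role, {}).items():
            expected.update((app, e) for e in ents)
    return expected


def detect_drift(identities, actual, exceptions, today):
    """Compare per-application reality against the programme model.

    Returns (identity, app, entitlement, kind) with kind one of:
      excess           held but not in the model and not covered by an exception
      stale_exception  held under an exception that has already expired
      missing          expected by the model but not granted
      unknown_identity access held by an identity the programme does not know
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for identity, held in actual.items():
        if identity not in identities:
            findings.extend((identity, app, ent, "unknown_identity") for app, ent in sorted(held))
            continue
        expected = expected_entitlements(identities[identity]["roles"])
        for app, ent in sorted(held - expected):
            expiry = exceptions.get((identity, app, ent))
            if expiry is None:
                findings.append((identity, app, ent, "excess"))
            elif date.fromisoformat(expiry) < today:
                findings.append((identity, app, ent, "stale_exception"))
        for app, ent in sorted(expected - held):
            findings.append((identity, app, ent, "missing"))
    return findings


if __name__ == "__main__":
    for finding in detect_drift(IDENTITIES, ACTUAL, EXCEPTIONS, "2025-10-09"):
        print(*finding)
```

Run on the sample data this reports alice's expired payment-run exception, bob's unexpected HR group and missing CRM permission set, and the unowned sync account; the valid reporting exception is correctly left alone. Each finding names the application and native entitlement, which is what the business owner needs in order to act on it.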
Audit readiness across business-critical application landscapes
Audit readiness depends on being able to prove who had access, why they had it, who approved it, and when it was reviewed or removed. In business application risk management, the evidence trail is often fragmented across application logs, IAM systems, ticketing tools, and spreadsheets. The more diverse the stack, the harder it becomes to show consistent governance for access exceptions, privileged changes, and SoD remediation. This is why access governance for business applications has become a programme-level discipline rather than a system-by-system task.
Practical implication: centralise evidence capture so reviewers can trace access decisions end to end.
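An added example of what centralised evidence capture looks like in practice (not code from the report): events from the IAM request workflow, change tickets, application audit logs and the certification tool each arrive in their own shape and are folded into one trail per identity, application and entitlement. A second function then asks, for every entitlement still active, which link in the who/why/who-approved/when-reviewed chain cannot be shown. The sources, record formats, names and dates are constructed for illustration, and the 180-day review window is an assumed policy value.

```python
"""Centralised access-evidence trail across IAM, ticketing, GRC and application logs.

Added example, not Pathlock's code: the event shapes, sources, names and dates
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Each source has its own shape. The point is to fold them into one trail per
# (identity, application, entitlement) so a reviewer can read it end to end.
IAM_APPROVALS = [  # access-request workflow
    {"req": "REQ-1001", "user": "alice", "app": "erp", "role": "Z_AP_INVOICE_ENTRY",
     "approver": "fin-owner", "on": "2025-01-15"},
]
CHANGE_TICKETS = [  # direct grants justified by a change ticket rather than a request
    {"id": "CHG-77", "user": "bob", "app": "crm", "entitlement": "PermSet_Account_Admin",
     "approved_by": "sales-owner", "on": "2024-11-01"},
]
APP_GRANTS = [  # application audit logs: (app, user, entitlement, granted_on, revoked_on)
    ("erp", "alice", "Z_AP_INVOICE_ENTRY", "2025-01-16", None),
    ("erp", "alice", "Z_AP_PAYMENT_RUN", "2025-02-01", None),   # granted with no approval anywhere
    ("crm", "bob", "PermSet_Account_Admin", "2024-11-03", "2025-03-10"),
]
GRC_REVIEWS = [  # certification campaign results
    {"user": "alice", "app": "erp", "entitlement": "Z_AP_INVOICE_ENTRY",
     "reviewer": "fin-owner", "decision": "keep", "on": "2025-04-01"},
]


def build_trail():
    """Normalise every source into (date, source, event, actor) tuples keyed by
    (user, app, entitlement), sorted by date."""
    trail = defaultdict(list)
    for a in IAM_APPROVALS:
        trail[(a["user"], a["app"], a["role"])].append(
            (date.fromisoformat(a["on"]), "iam", "approved", a["approver"]))
    for t in CHANGE_TICKETS:
        trail[(t["user"], t["app"], t["entitlement"])].append(
            (date.fromisoformat(t["on"]), "ticket:" + t["id"], "approved", t["approved_by"]))
    for app, user, ent, granted, revoked in APP_GRANTS:
        trail[(user, app, ent)].append((date.fromisoformat(granted), "app", "granted", None))
        if revoked:
            trail[(user, app, ent)].append((date.fromisoformat(revoked), "app", "revoked", None))
    for r in GRC_REVIEWS:
        trail[(r["user"], r["app"], r["entitlement"])].append(
            (date.fromisoformat(r["on"]), "grc", "review-" + r["decision"], r["reviewer"]))
    return {key: sorted(events, key=lambda e: e[0]) for key, events in trail.items()}


def evidence_gaps(trail, as_of, review_window_days=180):
    """For every still-active entitlement, report which part of the
    who/why/who-approved/when-reviewed chain cannot be shown.
    as_of may be a date or an ISO date string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    gaps = {}
    for key, events in trail.items():
        kinds = {e[2] for e in events}
        if "revoked" in kinds:
            continue  # removed access: the revocation record itself is the evidence
        missing = []
        if "approved" not in kinds:
            missing.append("no_approval")
        reviews = [e[0] for e in events if e[2].startswith("review-")]
        if not reviews:
            missing.append("no_review")
        elif as_of - max(reviews) > timedelta(days=review_window_days):
            missing.append("review_overdue")
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    trail = build_trail()
    for key, events in trail.items():
        print(key, [(str(d), src, ev, actor) for d, src, ev, actor in events])
    print(evidence_gaps(trail, as_of="2025-10-09"))
```

On the sample data, bob's revoked CRM permission set reads cleanly as ticket approval, grant, revocation. alice's invoice-entry role has approval and a review, but by the sample date the review is more than 180 days old; her payment-run role has a grant in the application log and nothing else, which is the broken evidence chain an auditor will ask about.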
Threat narrative
Attacker objective: The objective is to gain business process control or create governance gaps that weaken detection, prevention, and audit defensibility.
- Entry occurs when excessive or poorly governed business application entitlements allow an identity to reach systems it should not fully control.
- Escalation follows when conflicting roles, privileged approvals, or unmanaged application-specific permissions let that identity perform incompatible actions.
- Impact appears as fraud opportunity, audit failure, compliance exposure, or operational disruption across finance, HR, and adjacent business processes.
Breaches seen in the wild
- Salesloft OAuth token breach — attackers used OAuth tokens stolen from the Salesloft Drift integration to read customers' Salesforce data, an integration account reaching business data that no user-level review would have flagged.
- BeyondTrust API key breach — a compromised API key for BeyondTrust's Remote Support SaaS gave attackers unauthorised access to customer instances, a delegated-admin path outside the normal entitlement model.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Business application risk management is now an identity governance problem, not an SAP problem. Once access control spans Salesforce, Workday, Oracle, Microsoft Dynamics, and SaaS integrations, the old model of treating SAP as the centre of gravity stops working. The governance challenge is cross-application consistency: different role structures, different review cadences, and different evidence sources. Practitioners should read this as a programme redesign signal, not a product category refresh.
Segregation of duties breaks when business intent is spread across disconnected entitlement models. SoD was designed for environments where conflicting actions could be identified within a reasonably stable application schema. That assumption fails in multi-vendor estates because equivalent privileges are represented differently across platforms and integration layers. The implication is that compliance teams must stop assuming control equivalence across systems and start governing the business outcome instead.
Audit readiness becomes fragile when governance evidence is fragmented by application. The report reflects a market that is moving toward automation and analytics because manual access review cannot keep up with mixed SaaS and hybrid estates. That is not merely an efficiency issue. It is a signal that the control environment is becoming too distributed for spreadsheet-driven certification to remain credible. Practitioners should expect auditors to ask for cross-system evidence, not just system-by-system attestations.
Named concept: entitlement drift across business applications. This is the slow mismatch between what an identity is allowed to do in one application and what the programme assumes it can do across the estate. As enterprises add more LoB systems, entitlement drift creates hidden control gaps even when individual applications look well governed. The practical conclusion is that governance must be measured at the portfolio level, not only inside each product.
Automation and advanced analytics are becoming baseline requirements for business application governance. The report points to the need for better scale, but the deeper issue is that access governance now depends on correlation across systems, not just control within them. That shifts the market toward platforms that can map business roles, review exceptions, and surface SoD conflicts across heterogeneous estates. Practitioners should re-evaluate whether their current tools can operate across the full application stack.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- That visibility gap sits alongside another finding: only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For the broader governance picture, see NHI Lifecycle Management Guide for lifecycle controls that help close access, review, and offboarding gaps across machine identities.
What this signals
Entitlement drift across business applications will become the next review blind spot. As organisations push governance beyond SAP, the practical risk is not just more applications. It is more places where the same business privilege is represented differently. Teams should expect role mapping, exception handling, and evidence collection to become the limiting factors in audit readiness.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, identity programmes are already operating with incomplete access context. That makes cross-application governance harder, because external connections and delegated access often sit outside the cleanest entitlement records. Teams should treat visibility as a prerequisite for SoD and access certification, not as a reporting nice-to-have.
Portfolio-level governance is becoming the only credible model for business application risk. The operating assumption that each product can be managed in isolation is breaking down. Practitioners should prepare for more centralised policy models, more automation in review workflows, and more demand for evidence that spans the full application estate.
For practitioners
- Map business roles across every critical application: create a shared entitlement model for SAP and non-SAP systems so reviewers can compare like-for-like access across the estate. Prioritise applications that carry financial, HR, or customer data risk, and document where role naming or permission structures do not align.
- Automate SoD conflict detection across platforms: configure rules so conflicting access is checked across application families, not only inside one product. Include delegated admin paths, integration accounts, and exception workflows in the analysis so hidden privilege combinations are not missed.
- Centralise access evidence for audit use: pull approvals, reviews, role changes, and revocations into a single evidence trail that can be traced across IAM, GRC, and application logs. This reduces the burden of reconstructing access history during audits and incident reviews.
- Reassess governance coverage for SaaS and hybrid estates: verify that entitlement reviews, SoD logic, and privileged access oversight extend to cloud-delivered applications and not just legacy ERP. Where controls are still system-specific, define a common governance baseline and test it against the highest-risk applications first.
Key takeaways
- Business application risk is no longer confined to one platform, so governance has to span the full enterprise application stack.
- Segregation of duties, entitlement review, and audit evidence become materially harder when access is spread across heterogeneous SaaS and hybrid systems.
- Practitioners should move toward portfolio-level access governance, with common role mapping, automated conflict detection, and centralised evidence capture.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorisations are defined in policy, managed, enforced and reviewed with least privilege and separation of duties, which is the core of cross-application governance. |
| NIST CSF 2.0 | GV.RM-01 | Risk management objectives agreed by organisational stakeholders are central when controls span multiple business applications. |
| NIST Zero Trust Architecture (SP 800-207) | Section 3, policy decision and enforcement points | Per-request policy enforcement across dynamic enterprise apps aligns with zero trust access control. |
Assign risk ownership for business application access and review it as a portfolio, not system by system.
Key terms
- Segregation of Duties: Segregation of duties is an access control principle that prevents one identity from holding conflicting permissions that could enable fraud, error, or unauthorised change. In business applications, it requires consistent conflict mapping across roles, workflows, and privileged functions so governance can prove separation of responsibility.
- Entitlement Management: Entitlement management is the process of discovering, approving, reviewing, and removing access rights in business systems. It covers the full lifecycle of permissions, including application roles, delegated access, and exceptions, and it becomes more difficult as estates span multiple vendors and deployment models.
- Audit Readiness: Audit readiness is the ability to produce reliable evidence of who had access, why it was granted, who approved it, and when it was reviewed or revoked. In identity governance, it depends on complete records across IAM, GRC, and application logs rather than ad hoc spreadsheets or manual reconstruction.
- Entitlement Drift: Entitlement drift is the gradual mismatch between the access an identity has in one system and the access model the programme assumes across the wider environment. It often appears as inconsistent role design, stale exceptions, or untracked delegated access across multiple business applications.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Pathlock: Leadership Compass for Business Application Risk Management. Read the original.
Published by the NHIMG editorial team on 2025-10-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org