TL;DR: KuppingerCole’s 2026 Leadership Compass puts business application risk management in the context of cross-system entitlement control across SAP, Salesforce, Workday, Oracle, and Microsoft Dynamics, highlighting wide application coverage, interoperability, and ecosystem support as evaluation criteria. The practical implication is that IGA programmes now need stronger entitlement governance across heterogeneous business applications, not just directory-centric access control.
At a glance
What this is: This analyst recognition positions business application risk management as a cross-system IGA problem, with entitlement governance across enterprise LoB applications as the core issue.
Why it matters: It matters because practitioners cannot manage SoD, entitlements, and audit readiness effectively if their controls stop at the directory or a single application family.
👉 Read Pathlock's overview of the 2026 Leadership Compass for business application risk management
Context
Business application risk management is the discipline of governing entitlements and segregation of duties across the enterprise applications where operational work actually happens. In practice, that means access decisions must span SAP, Salesforce, Workday, Oracle, Microsoft Dynamics, and similar systems instead of assuming one identity layer can control them all.
The underlying governance gap is fragmentation. When entitlements are dispersed across business applications, teams lose consistent visibility into toxic combinations, over-entitlement, and audit exposure. That is why cross-system IGA is becoming the relevant model, not just classic access administration.
For practitioners building out this capability, the relevant baseline is the broader identity governance stack: lifecycle, entitlement visibility, and policy enforcement. The NHI problem is not separate from this shift. The service accounts, API credentials, and integration identities that connect these business applications fall under the same lifecycle discipline as the human accounts, even though the source article is about human access to enterprise applications.
Key questions
Q: How should security teams govern entitlements across multiple business applications?
A: Security teams should govern entitlements through a shared policy layer that normalises access across ERP, CRM, HR, and finance systems. The key is not centralising every administration task, but creating consistent discovery, review, and SoD logic so access decisions can be evaluated across the whole business process.
Q: Why do segregation of duties controls fail in heterogeneous application estates?
A: Segregation of duties fails when controls are evaluated inside each application separately instead of across the business process. Toxic combinations often appear only when entitlements are combined across systems, so isolated reviews miss the actual risk.
Q: What signals show that entitlement governance is too fragmented?
A: Fragmentation shows up when review evidence is manual, entitlement reports differ by application, and policy exceptions are handled ad hoc. If teams cannot compare access consistently across systems, the programme is governance-light even if each application has local controls.
Q: Who should own access risk decisions in business application governance?
A: Access risk decisions should sit with control owners who understand the business process, not just with application administrators. The governance team can define policy and evidence, but risk acceptance should remain explicit and auditable.
Technical breakdown
Cross-system entitlement governance across LoB applications
Business application risk management sits above individual application admin models and normalises entitlement control across heterogeneous systems. A modern enterprise rarely lives in one suite, so the governance layer has to reconcile different permission schemas, SoD rules, and audit trails. Without that abstraction, access review becomes a spreadsheet exercise and policy enforcement stays inconsistent. The architectural challenge is not just collecting entitlements, but making them comparable enough to govern.
Practical implication: map entitlement sources across all business-critical applications before you attempt policy enforcement or recertification.
Segregation of duties in cloud-centric enterprise systems
Segregation of duties works only when the governance engine can evaluate access combinations across systems, not inside each one in isolation. Cloud-centric LoB estates often split business processes across ERP, CRM, and HR platforms, so toxic combinations may emerge only when entitlements are combined. That means SoD rules need shared identity context and transaction-aware insight, not just role lists. The report’s emphasis on transactional identity data reflects this operational reality.
Practical implication: build SoD controls that evaluate cross-application combinations, especially where finance, procurement, and HR processes intersect.
AI-driven assurance in identity governance
AI-driven assurance in this context is best understood as pattern recognition over entitlement, transaction, and policy data, not autonomous decision-making. Used well, it helps flag anomalies, prioritise reviews, and reduce manual triage across large application estates. Used poorly, it can mask weak governance by creating the impression that automation has solved policy inconsistency. The important distinction is that AI supports governance evidence, but it does not replace control design or accountability.
Practical implication: use AI to prioritise governance work, but keep entitlement policy ownership and approval authority explicit.
NHI Mgmt Group analysis
Business application risk management is now a governance layer, not an application feature. The report reflects a market shift away from treating access control as a per-system administration task. Once enterprises run core processes across SAP, Salesforce, Workday, Oracle, and Microsoft Dynamics, the control problem becomes cross-platform entitlement governance. Practitioners should treat this as an IGA architecture issue, not a point-solution selection exercise.
Entitlement visibility is the real control boundary in LoB environments. The report’s emphasis on broad coverage and interoperability points to a simple reality: you cannot enforce what you cannot normalise across systems. That makes entitlement discovery, policy mapping, and cross-system review the operational centre of gravity. Teams that still rely on isolated application reports will miss toxic access combinations and recertify the wrong evidence.
AI-driven assurance only matters if it improves governance evidence. The article frames AI as a contributor to Pathlock’s status, but the field-level lesson is broader. In identity governance, AI is useful when it shortens review cycles, surfaces anomalies, and improves access risk prioritisation. It is not useful when it becomes a substitute for control ownership or policy clarity, and practitioners should measure it against evidence quality rather than marketing claims.
Business application risk management converges with NHI governance at the lifecycle layer. The same governance discipline that manages human entitlements across business applications also has to manage service accounts, API credentials, and automation identities elsewhere in the stack. That is the important bridge: lifecycle, review, and entitlement governance are shared control patterns across human and non-human identities. Practitioners should design the programme once and apply it consistently across actor types, not build separate governance philosophies for each system class.
Wide application coverage is becoming a prerequisite for credible IGA claims. The report signals that market evaluation is now tied to whether a platform can span heterogeneous enterprise environments without losing policy consistency. That raises the bar for procurement teams: they should ask whether the control model survives application diversity, not whether a tool works in one reference app. The implication for buyers is to test real estate breadth, not abstract feature lists.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why cross-system entitlement governance remains incomplete in many programmes.
- That visibility gap is why teams should pair entitlement governance with the NHI Lifecycle Management Guide when the same identity programme spans applications, service accounts, and automation.
What this signals
Business application risk management is converging with broader identity governance programmes. As LoB systems multiply, the control model has to shift from app-by-app administration to shared entitlement governance, with consistent review evidence and SoD enforcement across platforms. Teams that still depend on local application controls will find that governance debt accumulates faster than policy cleanup.
Cross-system visibility will become the deciding factor in programme maturity. The organisations that can normalise entitlement data across ERP, CRM, HR, and finance will be able to prove control effectiveness; the rest will only be able to describe intent. That is where identity governance, audit readiness, and access risk reduction begin to converge.
Entitlement governance now needs to account for human and non-human identities together. The same lifecycle discipline that supports business application access also governs service accounts and workload identities elsewhere in the estate. Once programmes start measuring control consistency across actor types, they will find that application risk, secret sprawl, and access reviews are part of one operating model, not three separate ones.
For practitioners
- Map entitlement coverage across all core LoB systems: Inventory the applications where business risk is created, including ERP, CRM, HR, and finance platforms. Record which entitlements are governed centrally, which are local-only, and where review evidence breaks across systems.
- Normalise SoD rules across application families: Translate segregation of duties controls into a common policy model so toxic combinations are detected across platforms, not only within a single suite. Prioritise finance, procurement, and HR workflows where cross-system privilege overlap is most likely.
- Use transaction data to prioritise risky access: Combine entitlement data with transactional identity context so reviewers can focus on access that is actually exercised rather than on static role names. This is especially important where broad application support creates large review populations.
- Define governance ownership for AI-assisted assurance: Set clear accountability for how anomaly scoring, review prioritisation, and policy recommendations are used in access governance. Keep approval authority with control owners so AI supports evidence quality instead of obscuring it.
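The cross-system SoD evaluation described in the technical breakdown and the first three practitioner steps above, as an added example that is not Pathlock's code or any vendor's export format. Everything in it is constructed: the system names (erp, crm, fin, hr), the local role names, the users, the rule identifiers, and the usage log. It normalises per-application roles into shared business functions, fires system-agnostic SoD rules over each identity's combined entitlements, shows what an app-by-app review would have reported instead, and uses the activity log to put exercised, cross-system conflicts at the top of the review queue:

```python
# Added example: cross-system SoD evaluation over normalised entitlements.
# Systems, roles, users, rule IDs and the usage log are constructed, not any vendor's export.
from collections import defaultdict

RAW_ENTITLEMENTS = [  # entitlements as each application exports them
    {"system": "erp", "user": "jdoe", "role": "AP_VENDOR_MAINT"},
    {"system": "erp", "user": "jdoe", "role": "AP_INVOICE_POST"},
    {"system": "erp", "user": "asmith", "role": "AP_VENDOR_MAINT"},
    {"system": "crm", "user": "asmith", "role": "Quote_Approver"},
    {"system": "fin", "user": "asmith", "role": "PaymentRelease"},
    {"system": "hr", "user": "bking", "role": "HR_Comp_Admin"},
    {"system": "fin", "user": "bking", "role": "PayrollRun"},
    {"system": "crm", "user": "clee", "role": "Legacy_Admin"},  # not in the shared model
]

FUNCTION_MAP = {  # (system, local role) -> business function in a shared vocabulary
    ("erp", "AP_VENDOR_MAINT"): "maintain_vendor_master",
    ("erp", "AP_INVOICE_POST"): "post_vendor_invoice",
    ("fin", "PaymentRelease"): "release_payment",
    ("crm", "Quote_Approver"): "approve_customer_quote",
    ("hr", "HR_Comp_Admin"): "change_compensation",
    ("fin", "PayrollRun"): "run_payroll",
}

# SoD rules name conflicting functions, not systems, so a rule fires whether both
# halves come from one application or from two.
SOD_RULES = {
    "SOD-P2P-01": ("maintain_vendor_master", "post_vendor_invoice"),
    "SOD-P2P-02": ("maintain_vendor_master", "release_payment"),
    "SOD-H2R-01": ("change_compensation", "run_payroll"),
}

USAGE_LOG = [  # roles actually exercised during the review window
    {"system": "erp", "user": "jdoe", "role": "AP_VENDOR_MAINT"},
    {"system": "erp", "user": "jdoe", "role": "AP_INVOICE_POST"},
    {"system": "erp", "user": "asmith", "role": "AP_VENDOR_MAINT"},
    {"system": "fin", "user": "asmith", "role": "PaymentRelease"},
    {"system": "fin", "user": "bking", "role": "PayrollRun"},
]


def normalise(raw, function_map):
    """Return ({user: {(function, system)}}, unmapped rows the shared model cannot see)."""
    per_user, unmapped = defaultdict(set), []
    for row in raw:
        function = function_map.get((row["system"], row["role"]))
        if function is None:
            unmapped.append(row)  # local-only entitlement: record it, never drop it
        else:
            per_user[row["user"]].add((function, row["system"]))
    return dict(per_user), unmapped


def evaluate_sod(per_user, rules):
    """Fire each rule per identity over the union of its entitlements across systems."""
    findings = []
    for user, entitlements in sorted(per_user.items()):
        systems_by_function = defaultdict(set)
        for function, system in entitlements:
            systems_by_function[function].add(system)
        for rule_id, (fn_a, fn_b) in sorted(rules.items()):
            if fn_a in systems_by_function and fn_b in systems_by_function:
                sys_a, sys_b = systems_by_function[fn_a], systems_by_function[fn_b]
                findings.append({
                    "rule": rule_id, "user": user, "functions": (fn_a, fn_b),
                    "systems": tuple(sorted(sys_a | sys_b)),
                    # a per-application review sees the conflict only if one
                    # system grants both halves of it
                    "cross_system_only": not (sys_a & sys_b),
                })
    return findings


def app_by_app_review(raw, function_map, rules):
    """What isolated per-application review reports: each system evaluated alone."""
    found = []
    for system in sorted({row["system"] for row in raw}):
        per_user, _ = normalise([r for r in raw if r["system"] == system], function_map)
        found.extend(evaluate_sod(per_user, rules))
    return found


def mark_exercised(findings, usage_log, function_map):
    """Flag conflicts where both functions were used; queue those and cross-system ones first."""
    used = {(r["user"], function_map.get((r["system"], r["role"]))) for r in usage_log}
    for f in findings:
        f["exercised"] = all((f["user"], fn) in used for fn in f["functions"])
    findings.sort(key=lambda f: (not f["exercised"], not f["cross_system_only"], f["user"]))
    return findings


if __name__ == "__main__":
    per_user, unmapped = normalise(RAW_ENTITLEMENTS, FUNCTION_MAP)
    print("app-by-app:", [(f["user"], f["rule"]) for f in
                          app_by_app_review(RAW_ENTITLEMENTS, FUNCTION_MAP, SOD_RULES)])
    print("unmapped:", [(r["system"], r["user"], r["role"]) for r in unmapped])
    for f in mark_exercised(evaluate_sod(per_user, SOD_RULES), USAGE_LOG, FUNCTION_MAP):
        print(f["rule"], f["user"], f["systems"], "cross-system" if f["cross_system_only"]
              else "single-system", "exercised" if f["exercised"] else "unused")
```

Run as-is, the app-by-app pass reports only jdoe's conflict inside the ERP. The combined pass additionally surfaces asmith (vendor master in the ERP plus payment release in finance) and bking (compensation changes in HR plus payroll run in finance), neither of which any single application can see. The unmapped Legacy_Admin role comes back as a gap in the shared model rather than being dropped; those are the local-only entitlements the first practitioner step asks you to record. Sorting by exercised-then-cross-system is the prioritisation the transaction-data step describes: bking's conflict is real but unused in the window, so it queues behind the two that were actually exercised.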
Key takeaways
- Business application risk management is fundamentally about cross-system entitlement control, not isolated application administration.
- SoD and access review fail when entitlement data cannot be normalised across heterogeneous enterprise systems.
- Practitioners should treat AI as a governance aid, while keeping policy ownership, review evidence, and accountability explicit.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorisations managed and reviewed under least privilege and separation of duties; the CSF 2.0 successor to the CSF 1.1 PR.AC-4 control. |
| NIST Zero Trust (SP 800-207) | Tenets of zero trust (per-request, policy-based access decisions) | Continuous verification matters when access spans heterogeneous business applications. |
| OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI5 (Overprivileged NHI) | Lifecycle and excess privilege concerns overlap with non-human identity governance. |
Apply NHI lifecycle and privilege controls wherever service accounts or automation identities touch business applications.
Key terms
- Business Application Risk Management: The governance discipline for controlling access risk across core enterprise applications such as ERP, CRM, HR, and finance systems. It focuses on entitlements, segregation of duties, and audit evidence across multiple platforms rather than inside a single application.
- Segregation of Duties: A control model that prevents one identity from holding incompatible permissions that could enable fraud, error, or unauthorised change. In practice, the control must evaluate access combinations across systems, because risky combinations often only appear when privileges are joined together.
- Cross-System Entitlement Governance: A method for discovering, normalising, and enforcing access policy across heterogeneous applications. It is the operational layer that makes reviews, approvals, and risk decisions consistent when enterprise workflows are distributed across multiple business systems.
- Transactional Identity Data: Identity-related activity data that shows what an identity actually did, not just what it was allowed to do. It strengthens governance by helping teams prioritise reviews, detect unusual access patterns, and connect entitlement decisions to real business behaviour.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Pathlock: 2026 Leadership Compass recognition for business application risk management. Read the original.
Published by the NHIMG editorial team on 2026-04-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org