By NHI Mgmt Group Editorial Team | Published 2026-05-08 | Domain: Events | Source: Delinea

TL;DR: Delinea’s DynamicsCon and DynamicsMinds resource roundup centers on access governance for Microsoft Dynamics 365, with emphasis on Segregation of Duties, license compliance, telemetry, and business-application risk management as identity controls strain under AI adoption and broader operational complexity. The underlying issue is not feature breadth but whether governance teams can still see, prove, and enforce access decisions fast enough.


At a glance

What this is: This is a curated set of Delinea resources on Dynamics 365 access governance, with the key finding that identity controls are being stretched by AI adoption and business application risk complexity.

Why it matters: It matters to IAM and NHI practitioners because Dynamics environments often contain service accounts, integrations, and privileged workflows that become opaque without continuous access governance.



Context

Microsoft Dynamics access governance is the control problem behind many ERP security gaps. Once finance, supply chain, and customer systems rely on integrations, delegated permissions, and application accounts, conventional role reviews stop being enough to explain who can do what and why.

Delinea’s resource set ties that governance problem to a broader trend: AI adoption is moving faster than identity control design. For IAM and NHI teams, the practical question is whether access review, SoD, and telemetry can keep pace with operational systems that now include both human administrators and non-human access paths.


Key questions

Q: How should teams govern access in Dynamics 365 environments?

A: Start with business transactions, not directory roles. Define the high-risk actions that create fraud, compliance, or data exposure, then test whether any identity can combine them in a harmful way. Add telemetry so reviews use actual activity, and treat service accounts and integrations as first-class identities.

Q: Why do enterprise applications complicate IAM more than standard user directories?

A: Enterprise applications embed process logic, approvals, and data paths that directory IAM does not understand. A role may look harmless in a catalog but still enable risky combinations inside the application. That is why governance has to align entitlements with business operations, not just with group membership.

Q: What is the difference between access review and access governance?

A: Access review checks whether a permission still looks appropriate. Access governance defines the policy, evidence, and control logic that decides whether access should exist in the first place. In high-value business applications, governance must include SoD, telemetry, and exception handling, not only periodic certification.

Q: Should organisations treat service accounts like user accounts in Dynamics controls?

A: No. Service accounts should be governed as non-human identities with distinct ownership, purpose, rotation, and review requirements. They often have broader or less visible access than people, so the controls need to focus on lifecycle, usage, and blast radius rather than simple identity attributes.


Background and context

Why Dynamics 365 governance depends on segregation of duties

Segregation of Duties, or SoD, prevents one identity from controlling an end-to-end business process such as creating a vendor, approving payment, and reconciling the ledger. In Dynamics 365 and related ERP systems, the risk is not only excessive privilege but also privilege combinations that create fraud or error paths. SoD analysis therefore has to work at the object and transaction level, not just by broad role name. That is why access governance for business applications is often more granular than standard IAM role administration.

Practical implication: map high-risk business actions and test for conflicting access before users or service accounts receive production entitlements.

Telemetry and access analytics change how license and risk control work

Telemetry data helps governance teams see usage patterns, unused entitlements, and anomalous access across business applications. In Dynamics 365 environments, that matters because dormant privileges and stale licenses can hide both cost and risk. Access analytics can show whether an entitlement is actually exercised, whether an account is still needed, and whether a privilege set is broader than the business process requires. This is a governance signal, not just an optimization metric.

Practical implication: use activity evidence to drive access review, license reduction, and removal of stale privileged access.

How business-application risk management differs from generic IAM

Business-application risk management focuses on the actual operations an ERP or CRM platform can perform, including approvals, journal entries, configuration changes, and data export paths. Generic IAM often knows who has a role, but not whether that role creates audit exposure when combined with another entitlement or a workflow exception. That distinction matters in Dynamics because access risk often emerges from process design, not only from directory permissions. Governance therefore needs contextual analysis tied to application behavior.

Practical implication: evaluate access risk using application-specific control models, not only directory-level entitlement lists.


NHI Mgmt Group analysis

Dynamics 365 access governance is now an operational control plane, not an audit afterthought. ERP and CRM platforms concentrate financial authority, change rights, and data visibility in ways that make access decisions business-critical. Once service accounts, delegated admins, and workflow identities are involved, the line between IAM and NHI governance disappears. Practitioners should treat Dynamics access governance as a continuous control function, not a periodic certification exercise.

AI adoption is widening the gap between visible users and invisible access paths. The source material explicitly ties AI growth to identity control strain, and that pattern extends to enterprise application stacks where machine-driven actions are hard to classify in standard role models. The issue is not just more access, but more opaque access. Practitioners should expect governance to shift toward activity evidence, not entitlement assumptions.

Access risk in Dynamics systems is increasingly a policy problem, not a tooling problem. The core challenge is defining which combinations of actions, accounts, and exceptions are acceptable inside a business process. That requires SoD logic, telemetry, and application context working together. Teams that keep access governance at the directory layer will miss the risk that lives inside the ERP workflow itself.

Fastpath-style resource packaging reflects a market reality: practitioners want control evidence, not abstract guidance. The practical value of this material is in showing how access risk, compliance, and license enforcement connect inside a single operational environment. That points to a broader category shift in which governance tooling must prove decisions at the application level. Practitioners should evaluate whether their current stack can do that across both human and non-human identities.

Identity governance for enterprise applications must now assume non-human participants by default. Integration accounts, automation, and AI-assisted workflows are no longer edge cases in Dynamics environments. They are part of the normal control surface. Practitioners should design reviews, SoD checks, and telemetry baselines so they can govern both people and machine identities in the same process.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is why identity governance has to cover delegated access paths as well as direct logins.
  • For a broader operating model, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for lifecycle control patterns that apply to service accounts and integrations.

What this signals

The signal for practitioners is that application governance is becoming inseparable from identity governance. Dynamics environments expose how quickly access risk moves from human role management into service accounts, workflow automation, and delegated administration, which means control owners need one policy model for both people and NHIs.

Identity blast radius: the real risk is no longer a single over-privileged account, but the set of business actions it can unlock across an ERP workflow. Practitioners should shrink that blast radius by combining SoD, activity evidence, and application-specific policy checks, then align the programme with NIST Cybersecurity Framework 2.0 and OWASP Non-Human Identity Top 10 where relevant.


For practitioners

  • Map SoD conflicts to business transactions: Identify the specific Dynamics 365 actions that should never be held by the same identity, then test roles and exceptions against those combinations before production approval.
  • Use telemetry to remove dormant access: Tie access review to observed use, then revoke entitlements and licenses that show no legitimate activity over a defined review window.
  • Separate human and non-human access paths: Document service accounts, integrations, and delegated admins as distinct control classes so they are reviewed differently from end users.
  • Validate controls at the application layer: Check whether the ERP workflow itself permits risky combinations of approvals, exports, and configuration changes, rather than relying only on directory roles.
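The SoD and telemetry steps above, as an added example (not code from Delinea or NHI Mgmt Group): it tests each identity's combined actions against conflict rules, flags granted actions unused within a review window, and shows which conflicts dormant-access removal would clear. All role, action and identity names, the activity records and the 90-day window are constructed assumptions, not real Dynamics 365 roles or privileges.

```python
from datetime import date, timedelta

# Constructed sample data: every role, action and identity name is hypothetical,
# not a real Dynamics 365 security role or privilege.
ROLE_ACTIONS = {
    "VendorClerk": {"vendor.create", "vendor.edit"},
    "PaymentsApprover": {"payment.approve"},
    "LedgerAccountant": {"ledger.reconcile", "journal.post"},
    "IntegrationSync": {"vendor.create", "payment.approve", "data.export"},
}
IDENTITIES = {  # identity -> assigned roles; svc-erp-sync is a service account
    "alice": ["VendorClerk", "PaymentsApprover"],
    "bob": ["LedgerAccountant"],
    "svc-erp-sync": ["IntegrationSync"],
}
SOD_RULES = {  # rule -> actions no single identity may hold together
    "vendor-to-payment": {"vendor.create", "payment.approve"},
    "payment-to-reconcile": {"payment.approve", "ledger.reconcile"},
}
ACTIVITY = [  # constructed telemetry: (identity, action, date last exercised)
    ("alice", "vendor.create", date(2026, 4, 30)),
    ("alice", "payment.approve", date(2026, 1, 5)),
    ("bob", "ledger.reconcile", date(2026, 5, 1)),
    ("svc-erp-sync", "vendor.create", date(2026, 5, 7)),
]

def effective_actions(identity):
    """Union of the actions granted by every role the identity holds."""
    return set().union(*(ROLE_ACTIONS[r] for r in IDENTITIES[identity]))

def sod_conflicts():
    """(identity, rule) pairs where the combined roles cover a whole rule."""
    return sorted((i, name) for i in IDENTITIES
                  for name, rule in SOD_RULES.items()
                  if rule <= effective_actions(i))

def dormant(as_of, window_days=90):
    """Granted (identity, action) pairs with no use inside the review window."""
    cutoff = as_of - timedelta(days=window_days)
    used = {(i, a) for i, a, day in ACTIVITY if day >= cutoff}
    return sorted((i, a) for i in IDENTITIES
                  for a in effective_actions(i) if (i, a) not in used)

def conflicts_cleared_by_revocation(as_of, window_days=90):
    """Conflicts that revoking dormant actions alone would resolve."""
    idle = set(dormant(as_of, window_days))
    return {(i, name): sorted(a for a in SOD_RULES[name] if (i, a) in idle)
            for i, name in sod_conflicts()
            if any((i, a) in idle for a in SOD_RULES[name])}
```

Neither of alice's roles violates a rule on its own; the conflict appears only once their actions are combined, which is the case a role-name review misses.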

Key takeaways

  • Dynamics 365 governance fails when teams review roles without testing the business actions those roles can combine.
  • Telemetry, SoD, and application context matter because NHI-style access paths hide inside ERP workflows.
  • Practitioners should treat Dynamics access governance as continuous control design, not periodic certification alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation, review, and access evidence are central to ERP identity control. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management apply directly to business application entitlements. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust requires continuous verification for human and non-human access paths. |

Map Dynamics entitlements to least-privilege rules and verify them in each access review.


Key terms

  • Segregation Of Duties: Segregation of Duties is the practice of splitting critical business actions across different identities so one actor cannot complete a sensitive process alone. In ERP systems, it helps prevent fraud, error, and unauthorized change by checking combinations of permissions instead of single roles.
  • Business Application Risk Management: Business Application Risk Management is the discipline of identifying and controlling access risk inside ERP, CRM, and other operational platforms. It looks at the real actions an application allows, then evaluates whether combinations of entitlements, workflow steps, and exceptions create audit or security exposure.
  • Non-Human Identity: A Non-Human Identity is any machine or software identity that can authenticate and act in an environment, including service accounts, integrations, tokens, and automation. These identities often have persistent, high-value access and require lifecycle, ownership, and usage controls that differ from human account management.
  • Access Telemetry: Access telemetry is evidence of how identities actually use permissions over time, including logins, transactions, and privileged operations. It turns access governance from a static entitlement check into an operational control process that can identify dormant rights, unusual activity, and unnecessary license consumption.


This post draws on content published by Delinea: DynamicsCon and DynamicsMinds resources on strengthening security controls in Dynamics 365. Read the original.
