By NHI Mgmt Group Editorial Team
Published 2026-04-14
Domain: Breaches & Incidents
Source: Saviynt

TL;DR: Enterprise risk now spans SAP, cloud platforms, infrastructure, and non-human identities, and Saviynt's article argues that periodic access reviews no longer provide enough context to govern that spread. The security question is no longer whether controls exist, but whether identity data, entitlement context, and activity signals are unified enough to manage risk continuously.


At a glance

What this is: This is an analysis of how enterprise risk management is shifting from application-by-application controls to continuous identity-driven governance across SAP, business applications, cloud, and non-human identities.

Why it matters: For IAM and NHI practitioners, it matters because fragmented access reviews miss cross-system risk patterns, especially where service accounts, automation, and AI-driven activity combine across platforms.

👉 Read Saviynt's analysis of identity-driven risk management for SAP and business apps


Context

Enterprise risk has moved beyond single-application governance. SAP controls, business application risk management, cloud entitlements, and non-human identities now interact in ways that periodic reviews cannot fully capture, which is why the framing here is identity-driven risk management rather than application compliance.

That matters for NHI governance because service accounts, automation, and AI-driven activity can create access paths that look acceptable inside one system but become risky when combined across several systems. The article’s core claim is that identity now functions as the control plane for enterprise risk, a position that aligns with broader NHI lifecycle and visibility concerns.


Key questions

Q: How should security teams govern access across SAP and business applications?

A: Security teams should govern access by linking identity, entitlement, and activity data across systems instead of certifying each application separately. The goal is to identify toxic combinations, cross-system approval paths, and privilege accumulation that only appear when workflows are analysed end to end. That requires continuous context, not a once-a-quarter snapshot.

Q: Why do non-human identities complicate enterprise risk management?

A: Non-human identities complicate risk management because they act at machine speed, often hold elevated permissions, and frequently lack the ownership discipline applied to human users. When service accounts and AI agents are outside lifecycle control, they can preserve access long after the business need has changed. That creates hidden paths for misuse, abuse, and audit failure.

Q: What breaks when teams rely on periodic access certification alone?

A: Periodic certification breaks down when access changes, interdependencies, and runtime use evolve faster than the review cycle. A system can look compliant on paper while the actual process path remains risky because entitlement combinations have shifted elsewhere. Teams end up confirming stale states instead of managing current exposure.

Q: How can organisations reduce identity blast radius in complex environments?

A: Organisations reduce identity blast radius by limiting standing privilege, separating duties across systems, and revoking access that is not actively needed for a task. They should also track who owns each service account or automation path so accountability exists when risk emerges. The smaller the privilege footprint, the easier it is to contain misuse.


Technical breakdown

Cross-application access risk and separation of duties

Cross-application risk appears when access that is acceptable in one system creates an abuse path in another. In SAP-heavy environments, separation of duties issues are no longer limited to a single application boundary because procurement, finance, HR, and infrastructure controls are interdependent. Traditional certifications see entitlements as static snapshots, but risk often emerges from how access is combined and used over time. That is why entitlement data needs contextual correlation across systems, not just local policy checks. For NHI governance, the same pattern applies to service accounts and automation that move between apps, APIs, and cloud services.

Practical implication: Map toxic combinations across systems, not just within them, before approving or certifying access.

Why identity has become the enterprise control plane

Identity-driven governance treats identity as the layer that ties access, activity, and entitlement context together. This is a response to environments where controls live in multiple products but risk is created by their interaction. Identity governance, privileged access management, posture management, and non-human identity governance are converging because no single control type can see the whole picture. For practitioners, the technical shift is from isolated control enforcement to continuous correlation of who or what has access, what they can do, and how that access is actually used.

Practical implication: Build a unified identity data model that can evaluate human and non-human access in one place.

Non-human identities and AI-driven activity in risk management

Non-human identities complicate governance because they are numerous, highly privileged, and often under-observed. Service accounts, tokens, and automated processes can act continuously and across systems, which makes periodic review weak as a control strategy. AI-driven activity adds another layer because decision-making may be dynamic, opaque, and faster than human approval cycles. The technical issue is not just volume. It is that identity context, credential lifecycle state, and runtime behaviour all have to be evaluated together to prevent hidden access pathways.

Practical implication: Extend governance and monitoring to non-human identities with lifecycle, privilege, and runtime controls.
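The three implications above share one mechanism: entitlement records from separate systems have to be joined per identity before separation-of-duties rules are evaluated, and non-human identities need ownership and credential-age checks alongside that. The script below is an added example, not code from Saviynt or NHIMG; the systems, privilege names, SoD rules, identities, dates and the 90-day rotation threshold are all constructed to illustrate the point. It runs the same rules once across systems and once per system to show why the siloed view comes back empty.

```python
"""Added example (not Saviynt's or NHIMG's code): correlate entitlement records
from several systems to surface toxic combinations that no single-system review
would flag, plus ownership and rotation gaps on non-human identities.
All systems, privileges, identities, rules and dates below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    identity: str
    system: str
    privilege: str


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                      # "human" or "nhi"
    owner: Optional[str]           # None means nobody is accountable for it
    last_rotated: Optional[date]   # credential rotation date, None if never


# Separation-of-duties rules (constructed): each rule is a set of
# (system, privilege) pairs that must never be held by one identity.
# Every rule here spans two systems, which is exactly what a
# per-application certification cannot see.
SOD_RULES = {
    "create-vendor-and-pay": {("sap", "vendor_master_create"),
                              ("payments", "approve_payment")},
    "edit-payroll-and-approve": {("hr_app", "payroll_edit"),
                                 ("sap", "payroll_approve")},
    "deploy-and-post-ledger": {("cloud_iam", "deploy_admin"),
                               ("sap", "gl_post")},
}

REVIEW_DATE = date(2026, 4, 14)   # "today" for the rotation check (constructed)
MAX_ROTATION_AGE_DAYS = 90        # policy threshold (assumed)

# Constructed sample exports, as they might look after pulling each system.
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "sap", "vendor_master_create"),
    Entitlement("alice", "payments", "approve_payment"),
    Entitlement("bob", "sap", "gl_post"),
    Entitlement("svc-invoice-bot", "hr_app", "payroll_edit"),
    Entitlement("svc-invoice-bot", "sap", "payroll_approve"),
    Entitlement("svc-ci-deploy", "cloud_iam", "deploy_admin"),
]
SAMPLE_IDENTITIES = [
    Identity("alice", "human", "finance-manager", None),
    Identity("bob", "human", "finance-manager", None),
    Identity("svc-invoice-bot", "nhi", None, date(2025, 10, 1)),
    Identity("svc-ci-deploy", "nhi", "platform-team", date(2026, 3, 20)),
]


def holdings(entitlements):
    """Group entitlements into identity -> set of (system, privilege)."""
    held = {}
    for e in entitlements:
        held.setdefault(e.identity, set()).add((e.system, e.privilege))
    return held


def find_toxic_combinations(entitlements):
    """identity -> sorted rule names for every SoD rule fully satisfied by that
    identity's combined holdings across all systems in the input."""
    hits = {}
    for identity, held in holdings(entitlements).items():
        matched = sorted(name for name, combo in SOD_RULES.items() if combo <= held)
        if matched:
            hits[identity] = matched
    return hits


def toxic_combinations_per_system(entitlements):
    """The siloed approach: evaluate the same rules one system at a time.
    Because every rule spans systems, this finds nothing."""
    hits = {}
    for system in sorted({e.system for e in entitlements}):
        hits.update(find_toxic_combinations([e for e in entitlements if e.system == system]))
    return hits


def find_nhi_lifecycle_gaps(identities, today=REVIEW_DATE,
                            max_age_days=MAX_ROTATION_AGE_DAYS):
    """nhi name -> list of lifecycle issues (missing owner, stale credential)."""
    gaps = {}
    for ident in identities:
        if ident.kind != "nhi":
            continue
        issues = []
        if not ident.owner:
            issues.append("no_owner")
        if ident.last_rotated is None or (today - ident.last_rotated).days > max_age_days:
            issues.append("rotation_overdue")
        if issues:
            gaps[ident.name] = issues
    return gaps


if __name__ == "__main__":
    print("cross-system toxic combinations:", find_toxic_combinations(SAMPLE_ENTITLEMENTS))
    print("per-system view (misses them):  ", toxic_combinations_per_system(SAMPLE_ENTITLEMENTS))
    print("NHI lifecycle gaps:             ", find_nhi_lifecycle_gaps(SAMPLE_IDENTITIES))
```

With this data, alice and svc-invoice-bot each look compliant inside every individual system, and the per-system pass reports nothing; only the joined view flags both, and only the lifecycle pass shows that svc-invoice-bot has no owner and a credential well past the threshold. In a real estate the `SAMPLE_*` lists would be replaced by exports from each system's entitlement store and the NHI inventory.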


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-driven risk management is becoming the only workable model for complex enterprise access. The article correctly identifies that risk no longer lives inside one application or one review cycle. In practice, SAP, business applications, infrastructure, and non-human identities form a single risk surface that cannot be governed effectively with siloed controls. Practitioners should treat unified identity context as the prerequisite for any credible enterprise risk programme.

Cross-application risk is the governance gap most teams still under-estimate. Separation of Duties problems, entitlement conflicts, and misuse often emerge only when data from multiple systems is correlated. That means a compliant state in one system can still be an unsafe state across the business process. Teams should stop equating local compliance with enterprise safety and instead measure risk across workflows.

Non-human identities are now part of enterprise risk, not a separate edge case. Service accounts, automation, and AI-driven activity interact with business applications in ways that traditional IGA programmes were never designed to handle. The measure to watch is identity blast radius, the effective range of damage a compromised identity can create across systems, processes, and approvals. Practitioners should reduce that blast radius by design, not after an incident forces the issue.

Periodic certification is no longer enough for environments that change continuously. Snapshot reviews can confirm who had access at a point in time, but they do not explain how risk was created or whether access was used outside its intended purpose. Continuous monitoring, entitlement context, and runtime visibility are now basic requirements. Teams should use certifications as a control, not as a governance strategy.

The market is moving toward convergence because fragmented identity tooling cannot keep up. The article reflects a broader industry pattern: governance, PAM, posture, and non-human identity controls are collapsing into a single operational problem. That does not mean one product solves everything. It does mean practitioners should evaluate whether their operating model can correlate identities, privileges, and activity across the full estate.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For lifecycle controls, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns.

What this signals

The governance signal for practitioners is clear: if identity is the control plane, then cross-system visibility becomes a prerequisite for auditability and response. With only 5.7% of organisations having full visibility into their service accounts, most environments are still operating with blind spots that make enterprise risk look smaller than it is.

Identity blast radius: the practical measure teams should start tracking is how far a compromised identity can move across SAP, business applications, and infrastructure before detection. That means ownership, privilege scope, and runtime use must be reviewed together, and frameworks such as the NIST Cybersecurity Framework 2.0 and OWASP Non-Human Identity Top 10 become more relevant as operating guides than as reference material.
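Blast radius as described here is a reachability question: given what an identity holds directly, what can it transitively reach through roles and system integrations, and how much of that disappears when one entitlement is revoked. The following is an added example, not code from Saviynt or NHIMG, that models this as breadth-first search over a small access graph; the graph, identity names, roles and resources are constructed, including the assumed integration link where a pipeline runs under a role in another system.

```python
"""Added example (not from the Saviynt post or NHIMG): measure identity blast
radius as transitive reach over an access graph, then show how revoking one
entitlement shrinks it. Graph, identities, roles and systems are constructed."""
from collections import deque

# Directed edges "holding A gives reach to B" (constructed).
# identity -> role, role -> resource ("system:resource"), and integration links
# such as a pipeline that itself runs under a role in another system.
ACCESS_GRAPH = {
    "svc-invoice-bot": {"role:sap-ap-clerk", "role:cloud-storage-writer"},
    "alice": {"role:sap-ap-clerk"},
    "role:sap-ap-clerk": {"sap:vendor_master", "sap:invoice_post"},
    "role:cloud-storage-writer": {"cloud:finance-bucket"},
    # The ETL pipeline processes whatever lands in the bucket (assumed link) ...
    "cloud:finance-bucket": {"cloud:etl-pipeline"},
    # ... and runs under a role that can post to the SAP general ledger.
    "cloud:etl-pipeline": {"role:sap-gl-poster"},
    "role:sap-gl-poster": {"sap:gl_post"},
}


def blast_radius(graph, start):
    """Breadth-first reach from `start`: node -> hops needed to reach it."""
    hops = {}
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        node, depth = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                hops[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return hops


def resources_reached(hops):
    """Concrete resources in the radius; roles are stepping stones, not targets."""
    return sorted(n for n in hops if not n.startswith("role:"))


def systems_reached(hops):
    """Distinct systems touched, from the 'system:' prefix of each resource."""
    return {n.split(":", 1)[0] for n in resources_reached(hops)}


def without_edge(graph, src, dst):
    """Copy of the graph with one entitlement revoked, for what-if comparisons."""
    trimmed = {k: set(v) for k, v in graph.items()}
    trimmed.get(src, set()).discard(dst)
    return trimmed


def summarize(graph, identity):
    """Compact blast-radius report for one identity."""
    hops = blast_radius(graph, identity)
    return {
        "resources": len(resources_reached(hops)),
        "systems": sorted(systems_reached(hops)),
        "max_hops": max(hops.values(), default=0),
    }


if __name__ == "__main__":
    for who in ("alice", "svc-invoice-bot"):
        print(who, summarize(ACCESS_GRAPH, who))
    trimmed = without_edge(ACCESS_GRAPH, "svc-invoice-bot", "role:cloud-storage-writer")
    print("svc-invoice-bot after revoking storage-writer:", summarize(trimmed, "svc-invoice-bot"))
```

The point the numbers make: alice and svc-invoice-bot share the same SAP role, but the service account's extra storage role reaches, five hops later, a ledger-posting privilege nobody granted it directly. Revoking that single entitlement collapses its radius to alice's. Tracking `max_hops` and `systems` per identity over time gives the ownership, privilege scope and runtime review described above a concrete metric to report on.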

For most organisations, the next programme shift is from periodic approvals to continuous decisioning. If the current governance model cannot explain how access is used across systems, it will not survive the growth of automation, AI-driven activity, and third-party integrations that now define the enterprise identity perimeter.


For practitioners

  • Define enterprise-wide risk boundaries: Map where SAP, business applications, cloud platforms, and automation intersect so that access decisions reflect process-level risk rather than isolated system compliance.
  • Correlate identity, entitlement, and activity data: Build workflows that join identity ownership, role assignments, privilege state, and runtime behaviour before approvals or recertifications are completed.
  • Include non-human identities in governance scope: Add service accounts, API keys, tokens, certificates, and AI agents to access reviews, ownership checks, and exception handling so they are governed like other high-risk identities.
  • Replace point-in-time reviews with continuous controls: Use monitoring and policy checks that surface toxic combinations and anomalous use between review cycles, especially for sensitive finance and business processes.
  • Tighten privilege around business-critical workflows: Apply least privilege and just-in-time access to accounts that can change financial records, approvals, or cross-system entitlements, then verify those controls regularly.

Key takeaways

  • Identity-driven risk management is now the only credible way to govern risk that spans SAP, business apps, cloud, and automation.
  • Cross-application entitlement conflicts and non-human identities create exposure that periodic certifications will routinely miss.
  • Practitioners should unify identity, privilege, and runtime data so that risk is measured across workflows, not inside individual systems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Cross-system entitlement sprawl and rotation gaps are central to this article.
NIST CSF 2.0 | PR.AC-4 | Continuous identity governance aligns with controlled access management across systems.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Identity-as-control-plane thinking fits Zero Trust verification across applications and infrastructure.

Audit NHI ownership, rotation, and access scope so entitlements do not accumulate unnoticed.


Key terms

  • Identity-Driven Risk Management: An approach that treats identity as the main control surface for enterprise risk across applications, infrastructure, and automation. It combines entitlement, activity, and ownership data so practitioners can see how risk forms across systems rather than inside one product boundary.
  • Cross-Application Risk: Risk that emerges only when access and workflow data from multiple systems are evaluated together. A user or service account may appear compliant in one application while still creating a toxic combination or fraud path when combined with privileges in another system.
  • Non-Human Identity: A machine identity used by services, scripts, workloads, integrations, or AI agents to authenticate and perform actions. These identities often outnumber human users and require lifecycle, ownership, and privilege controls because they can be persistent, high impact, and hard to observe.
  • Identity Blast Radius: The amount of damage a compromised identity can cause before it is contained. It depends on privilege scope, system reach, and how quickly access can be revoked or narrowed, making it a useful way to think about containment in complex identity estates.

What's in the full analysis

Saviynt's full blog post covers the operational detail this post intentionally leaves for the source:

  • KuppingerCole report framing for SAP Access Control versus broader business application risk management
  • Vendor-specific examples of cross-application entitlement management across SAP and non-SAP systems
  • Positioning details on how the platform claims to unify identity governance, PAM, and risk analytics
  • The article’s cited analyst quotes and category-by-category leadership context

👉 Saviynt's full post covers the analyst report framing, capability breakdown, and category context

Deepen your knowledge

Identity-driven risk management for SAP and business applications is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme across human and non-human identities, it is a practical place to start.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org