By NHI Mgmt Group Editorial Team
Published 2026-06-01
Domain: Announcements
Source: Pathlock

TL;DR: Pathlock says modern ERP environments now require continuous, transaction-first assurance because AI agents, bots, and service accounts execute critical business actions at machine speed across SAP, Oracle, Workday, and 150+ applications. The governance shift is bigger than monitoring more logs, because identity, privilege, and transaction context now have to be evaluated together in real time.


At a glance

What this is: Pathlock Nexus is positioned around continuous ERP governance across identities, controls, and transactions, with the central claim that static audit checks no longer match machine-speed business operations.

Why it matters: For IAM, IGA, and PAM teams, the message is that ERP access governance now has to account for non-human identities and transaction context, not just periodic entitlement review.

By the numbers:

👉 Read Pathlock's analysis of continuous ERP control governance with Pathlock Nexus


Context

ERP controls are no longer only about who can log in. They now have to govern which identities can initiate, approve, and complete business transactions across cloud ERP systems, automation flows, and AI-assisted operations. In that environment, periodic review models miss risk that emerges from the sequence of actions, not just the entitlement on paper.

Pathlock's framing reflects a wider identity governance problem: transaction speed is outrunning assurance speed. That makes ERP access control, non-human identity governance, and continuous monitoring part of the same control plane rather than separate workflows. The starting position described here is increasingly typical for large multi-ERP estates, not an edge case.


Key questions

Q: How should security teams govern AI agents and bots in ERP systems?

A: Treat AI agents and bots as governed non-human identities with explicit ownership, least privilege, and lifecycle controls. If they can initiate or approve transactions, they also need continuous monitoring, time-bound access, and audit-ready evidence. The goal is to constrain business impact, not just authenticate the identity.

Q: Why do static ERP access reviews miss so much risk?

A: Static reviews miss sequence-based risk because a permission that looks acceptable in isolation may become dangerous when combined with transaction order, business context, and automation. In ERP environments, the real control failure is often the path an identity can take through multiple actions, not the individual entitlement alone.

Q: What breaks when transaction controls are only tested after the fact?

A: After-the-fact testing lets fraud, compliance violations, and privilege misuse execute before anyone can intervene. In fast-moving ERP environments, the system may already have created vendors, approved invoices, or released payments by the time audit evidence is reviewed. Continuous evaluation is what closes that gap.

Q: When should organisations move from periodic audit to continuous assurance?

A: They should move as soon as business processes depend on bots, AI agents, or high-volume ERP automation that can execute sensitive transactions faster than manual review can keep up. If the control objective is to stop bad transactions rather than merely document them, continuous assurance becomes necessary.


How it works in practice

Why transaction-first ERP security changes the control model

A transaction-first model evaluates the business action itself, not only the access that enabled it. In ERP environments, a single entitlement can support many different workflows, and the same user, bot, or AI agent may trigger different risk outcomes depending on vendor creation, invoice approval, payroll release, or payment execution. That is why control testing has to move from periodic sampling to runtime evaluation. The technical shift is toward correlating identity, role, context, and transaction sequence so controls can detect when a permitted action becomes a risky business event.

Practical implication: Practitioners should map high-risk ERP transactions to the identities that can execute them and monitor those paths continuously.

How non-human identities change ERP access governance

Non-human identities in ERP are not just service accounts. They include RPA bots, AI agents, and system credentials that can execute business actions without a human at the keyboard. That expands the governance surface because ownership, lifecycle, and privilege boundaries must be defined for identities that do not follow employee-style joiner-mover-leaver patterns. When those identities can approve or create transactions, conventional recertification alone is not enough. The control problem becomes one of ownership, traceability, and bounded authority across machine-driven business processes.

Practical implication: Teams should assign explicit ownership and lifecycle controls to every non-human identity that can touch ERP transactions.

Continuous controls monitoring versus periodic audit evidence

Continuous controls monitoring is designed to evaluate a transaction as it happens, then persist evidence for later audit and investigation. That is different from checking a sample after the fact, because the risk in AI-driven ERP environments often comes from combinations of actions that are individually valid but collectively unsafe. Real-time evaluation also helps separate operational exceptions from control failures, which matters in complex multi-ERP estates. The architectural requirement is correlation across identity, application, and log sources so that assurance can follow the transaction path end to end.

Practical implication: Build control monitoring around transaction streams and evidence retention, not only quarterly review cycles.


NHI Mgmt Group analysis

Transaction-first governance is becoming the correct control lens for modern ERP risk. The core problem is no longer just entitlement sprawl. It is that business value is created and lost inside high-speed transactions that need to be evaluated as they happen. For IAM and PAM teams, that means access control and transaction assurance can no longer be separate disciplines.

Non-human identities now sit inside the ERP control plane, not outside it. AI agents, bots, and service accounts are increasingly the actors that create vendors, approve invoices, and release payments. That makes lifecycle ownership, privilege boundaries, and evidence collection essential for NHI governance in ERP environments. Practitioners should treat these identities as first-class governed actors, not technical exceptions.

Continuous assurance is replacing periodic audit as the practical standard for ERP controls. Periodic reviews still matter for compliance, but they are too slow to catch sequence-based risk in dynamic environments. The control model has to correlate identity, transaction, and policy context in real time. That shift validates Zero Trust thinking inside business applications, where trust must be re-evaluated at execution time.

Identity blast radius now depends on transaction reach, not only account privilege. A single bot or agent may have limited entitlement on paper and still create outsized exposure if it can chain actions across procurement, finance, and payroll. This is where conventional role design breaks down. Security leaders should measure the downstream business effect of each identity, then reduce standing authority accordingly.

The market is moving toward unified governance across human, NHI, and application controls. ERP security can no longer be managed as a niche compliance layer. It is becoming part of the broader identity security stack, where governance, detection, and assurance converge. That direction should push practitioners to re-evaluate whether their current tooling can observe and control transaction outcomes, not just login events.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
  • That same research found only 1.5 out of 10 organisations are highly confident in securing NHIs, which helps explain why transaction-heavy environments struggle to keep pace with automation.
  • For a broader identity control baseline, see Ultimate Guide to NHIs for lifecycle, visibility, rotation, and offboarding patterns that align with continuous governance.

What this signals

Identity blast radius is now a transaction problem as much as an access problem. In ERP estates, the question is no longer only who can enter the system, but which identities can move money, create obligations, or release operational change. That means programme owners should measure downstream transaction reach for every privileged human and non-human identity, then treat excessive reach as a governance defect. The control objective shifts from periodic approval to continuous containment.

With 72% of organisations reporting or suspecting a breach of non-human identities, the operational assumption should be that machine identities are already part of the threat model, not a future risk. That is why ERP governance has to connect entitlement review, transaction monitoring, and evidence retention in one workflow. Teams that split those responsibilities will keep finding gaps between policy and execution.

Continuous assurance is the programme pattern to watch. As automation spreads across finance and operations, the strongest identity programmes will correlate activity across ERP, IAM, PAM, and NHI controls rather than layering separate reviews. For teams using NIST Cybersecurity Framework 2.0 and Zero Trust principles, this is the point where monitoring becomes a control, not just a detective output. The practical implication is simple: build evidence at the moment of execution, not after the quarter closes.


For practitioners

  • Map transaction-critical identities: Inventory the users, bots, service accounts, and AI agents that can create, approve, or release ERP transactions, then assign explicit owners for each identity and workflow.
  • Replace sampling with continuous controls monitoring: Instrument controls so they evaluate transactions in real time, then retain evidence for audit, investigation, and exception handling across SAP, Oracle, Workday, and related systems.
  • Reduce toxic access combinations: Use SoD analysis and role cleanup to remove combinations that let one identity both initiate and approve the same high-risk business process.
  • Tie privileged access to time-bound approvals: Require emergency access to be approved, time-limited, and fully logged so elevated ERP permissions do not remain available after the task is complete.
  • Measure business impact per control failure: Quantify the financial and operational impact of control violations so remediation priorities reflect actual exposure, not just policy severity.
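As an added illustration of the transaction-sequence evaluation described under "How it works in practice" and the SoD check in the "Reduce toxic access combinations" item above, the following Python detector (written for this summary, not Pathlock's or NHIMG's code) runs over a constructed ERP event stream. The event layout, the SoD rule set, the 24-hour chain window and the identity register are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERP transaction stream (not real data).
# Each event: timestamp, identity, identity kind, action, business object.
EVENTS = [
    ("2026-06-01T09:00:00", "bot-ap-01", "bot", "vendor.create", "V-1001"),
    ("2026-06-01T09:02:00", "bot-ap-01", "bot", "invoice.approve", "V-1001"),
    ("2026-06-01T09:05:00", "bot-ap-01", "bot", "payment.release", "V-1001"),
    ("2026-06-01T10:00:00", "alice", "human", "vendor.create", "V-1002"),
    ("2026-06-01T11:00:00", "bob", "human", "invoice.approve", "V-1002"),
    ("2026-06-01T11:30:00", "svc-pay", "service", "payment.release", "V-1002"),
    ("2026-06-01T12:00:00", "carol", "human", "invoice.approve", "V-1003"),
    ("2026-06-01T12:01:00", "carol", "human", "payment.release", "V-1003"),
]

# Assumed identity register: every non-human identity needs an explicit owner.
OWNERS = {"bot-ap-01": None, "svc-pay": "ap-team@example.com"}

# Assumed toxic combinations: one identity on both sides of a control point.
SOD_RULES = {("vendor.create", "invoice.approve"),
             ("invoice.approve", "payment.release")}

# Assumed procure-to-pay path; one identity completing it end to end within
# the window is the "sequence risk" that per-entitlement review does not see.
CHAIN = ["vendor.create", "invoice.approve", "payment.release"]
CHAIN_WINDOW = timedelta(hours=24)


def evaluate(events):
    """Evaluate events in stream order; return (identity, rule, object) findings."""
    history = defaultdict(list)      # (identity, object) -> [(ts, action)]
    flagged_unowned = set()
    findings = []
    for ts_str, ident, kind, action, obj in events:
        ts = datetime.fromisoformat(ts_str)
        # Ownership: a non-human identity acting on transactions with no owner.
        if kind != "human" and not OWNERS.get(ident) and ident not in flagged_unowned:
            flagged_unowned.add(ident)
            findings.append((ident, "nhi:no-owner", obj))
        prior = history[(ident, obj)]
        # SoD: actions that are each permitted become a violation in combination.
        for _, earlier in prior:
            if (earlier, action) in SOD_RULES:
                findings.append((ident, f"sod:{earlier}->{action}", obj))
        prior.append((ts, action))
        # Sequence: the whole chain executed by one identity inside the window.
        recent = [a for t, a in prior if ts - t <= CHAIN_WINDOW]
        if action == CHAIN[-1] and all(step in recent for step in CHAIN):
            findings.append((ident, "chain:" + ">".join(CHAIN), obj))
    return findings
```

Findings are emitted at the moment the offending event arrives, so the same loop can feed an evidence store; the four-eyes path on V-1002 (alice, bob, svc-pay) produces no finding.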

Key takeaways

  • ERP security now depends on governing transactions, not just permissions.
  • Non-human identities can drive the same financial and compliance exposure as human users when their transaction reach is not tightly bounded.
  • Continuous assurance is becoming the operational answer to machine-speed ERP risk, because periodic audit cannot keep up with automated business flow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on lifecycle and governance for non-human identities in ERP.
NIST CSF 2.0 | PR.AC-4 | Continuous access enforcement is essential when transactions execute at machine speed.
NIST Zero Trust (SP 800-207) | AC-6 | Transaction-first assurance aligns with continuous verification and reduced implicit trust.

Apply lifecycle ownership and rotation controls to every ERP NHI with transaction privileges.


Key terms

  • Transaction-first governance: A control model that evaluates the business transaction itself, not only the account or role behind it. In ERP environments, it ties identity, context, and execution path together so that risk is judged by what actually happened, not by entitlement in isolation.
  • Non-human identity governance: The discipline of assigning ownership, lifecycle control, and privilege boundaries to machine identities such as bots, service accounts, and AI agents. In practice, it treats those identities as accountable actors that can create real business risk if their access is not continuously managed.
  • Continuous controls monitoring: A method of evaluating transactions as they occur and preserving evidence for later audit, investigation, or remediation. It is stronger than periodic sampling because it can catch risk in the moment of execution, when automated business processes can move too quickly for manual review.
  • Identity blast radius: The downstream business impact an identity can create if it is misused, overprivileged, or compromised. In ERP systems, blast radius depends not just on permissions but on the sequence of transactions the identity can execute across finance, procurement, and operations.

Deepen your knowledge

ERP transaction governance and non-human identity control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment is moving toward continuous assurance, the course is a useful starting point for structuring that change.

This post draws on content published by Pathlock: Pathlock Nexus and the shift to continuous ERP control governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org