TL;DR: ERP environments are part of a wider IAM attack surface problem, with visibility, observability, and remediation presented as the levers that reduce exposure across connected and disconnected systems, according to Zluri. The underlying issue is that identity control breaks down when access, applications, and shadow activity are not consistently observable.
At a glance
What this is: This is a Zluri-published IAM and ERP security report focused on visibility gaps, observability, and remediation across the IAM attack surface.
Why it matters: It matters because ERP estates often sit inside broader identity sprawl, where incomplete visibility weakens controls for NHI, human access, and emerging autonomous workflows alike.
By the numbers:
- Zluri reports that the report is based on a survey of 100+ IT leaders from various industries.
- Gartner Peer Insights shows Zluri rated 4.7 based on 10 reviews as of 19th Nov 2025.
- Zluri says its SaaS Management Platform has 26 ratings on Gartner Peer Insights.
👉 Read Zluri's report on reducing your IAM attack surface with visibility and remediation
Context
ERP environments concentrate business-critical access, but the security problem is not ERP itself. The issue is that identity, access, and application relationships become difficult to see once data and permissions spread across connected and disconnected systems, which expands the IAM attack surface.
For identity teams, that means ERP risk should be read as an observability and governance problem as much as an application control issue. When access paths are not visible end to end, recertification, segregation of duties, and remediation all slow down, leaving IAM programmes blind to where exposure is actually accumulating.
Key questions
Q: How should security teams reduce ERP-related IAM attack surface risk?
A: Start by building a complete inventory of ERP-linked identities, integrations, and permissions, then validate which access paths are still needed. The goal is not just better reporting. It is to remove stale access, close hidden connectors, and make remediation measurable so exposure does not persist after discovery.
Q: Why do disconnected systems make ERP access harder to govern?
A: Disconnected systems break the control chain between entitlement, approval, and enforcement. When access data is split across tools, teams lose visibility into who has access, why they have it, and whether it is still justified. That creates blind spots that weaken reviews, SoD checks, and remediation.
Q: What breaks when visibility into ERP access is incomplete?
A: Incomplete visibility breaks ownership, review quality, and remediation speed. Teams can no longer reliably identify stale permissions, shadow connectors, or conflicts between policy and practice. The result is a governance programme that looks active on paper but leaves real access paths untouched.
Q: How can IAM teams tell whether remediation is actually reducing ERP risk?
A: Track how quickly findings are closed, how many exceptions remain open, and whether stale access is being removed rather than reapproved. If remediation only produces more reports and few closures, the programme is observing risk without reducing it. That is a control failure, not a maturity signal.
Technical breakdown
IAM attack surface visibility in ERP estates
The IAM attack surface is the full set of accounts, entitlements, applications, connectors, and identity paths that can be abused. ERP systems become risky when access is distributed across integrations, shadow tools, and disconnected records that cannot be reconciled into one control view. Visibility is the first technical requirement because you cannot govern what you cannot enumerate. In practice, gaps emerge when identity data, application inventories, and access events live in separate tools with no shared control plane.
Practical implication: build a complete inventory of ERP-linked identities, permissions, and integrations before attempting policy enforcement.
Why observability matters more than periodic review
Observability means continuously understanding how identities behave, not just checking whether they were approved at a point in time. In ERP-heavy environments, approval history alone misses drift, stale access, orphaned integrations, and abnormal privilege changes. This is where many IAM programmes overestimate control coverage. A periodic review can confirm that a permission once existed, but it cannot show whether it is still justified, actively used, or now exposed through a new connector or workflow path.
Practical implication: pair access reviews with event-level monitoring so changes in ERP access can be detected as they happen.
Remediation closes the gap between discovery and control
Remediation is the operational step that converts visibility into reduced risk. Discovery without closure only creates better reporting on the same exposure. In ERP environments, remediation often requires revoking stale access, removing unused integrations, enforcing segregation of duties, and reconciling entitlements across systems that do not share a common identity model. The central failure mode is delay: the longer the gap between finding and fixing, the longer exposed access remains exploitable.
Practical implication: define ownership and service-level targets for closing ERP access findings, not just for detecting them.
NHI Mgmt Group analysis
Visibility is the control that determines whether ERP risk can be governed at all. ERP environments are rarely insecure because of a single weak setting. They become hard to govern when identities, applications, and access paths are fragmented across systems that cannot be seen together. That leaves IAM teams managing partial truth instead of control state. The practitioner conclusion is simple: if ERP access cannot be enumerated coherently, it cannot be governed coherently.
The real attack surface is the identity graph around ERP, not the ERP banner itself. ERP platforms often sit inside a broader mesh of SaaS tools, connectors, service accounts, and human approval flows. That graph creates hidden dependency chains that traditional inventory methods miss. The result is not just more access, but more untracked paths into business data. Practitioners should treat ERP governance as graph visibility work, not application administration.
Reduce the time between discovery and remediation or accept persistent exposure. Many identity programmes can identify issues faster than they can close them. In ERP estates, that lag is especially costly because access often spans finance, HR, procurement, and operational workflows. A finding that remains open is still live exposure. The practitioner conclusion is to manage remediation as a measurable control outcome, not a background task.
Shadow activity in ERP should be treated as a governance signal, not noise. When disconnected systems, local exceptions, or untracked connectors accumulate, they indicate the identity programme has lost line of sight. That is not just an operational inconvenience. It is a sign that entitlement decisions are drifting away from the policy model. Teams should read repeated exceptions as evidence that the access model no longer matches the environment.
For identity leaders, ERP security is a lifecycle problem as much as a visibility problem. Joiner, mover, leaver processes, recertification, and segregation of duties all fail when identity records are incomplete or stale. The field implication is that ERP control maturity depends on whether lifecycle governance and observability operate on the same dataset. Practitioners should align lifecycle enforcement with discovered reality, not assumed system ownership.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For teams dealing with workload identity and secret sprawl, the Guide to NHI Rotation Challenges helps connect discovery, rotation, and lifecycle closure.
What this signals
Identity visibility only matters if it shortens the time to control closure. In practice, many IAM programmes can spot exposure before they can eliminate it. That matters in ERP-heavy estates because access sprawl, stale integrations, and exception handling all create lingering control debt. Teams should measure whether their governance pipeline reduces open findings, not just how many it detects.
When access, application, and entitlement data are fragmented, segmentation and review become reporting exercises rather than enforcement tools. The next maturity step is to align inventory, observability, and remediation in one operating model so lifecycle decisions are based on live system state rather than assumptions.
The governance signal is not how many controls exist, but whether they are fast enough to close the gap between discovery and remediation. That is the difference between an identity programme that documents exposure and one that actually reduces it.
For practitioners
- Map the ERP identity graph end to end Inventory user accounts, service accounts, integrations, and admin pathways across connected and disconnected systems so the attack surface is visible before remediation starts.
- Tie access review to live usage signals Use access reviews alongside event logs and connector telemetry so entitlement decisions reflect current behaviour, not just historical approval records.
- Assign owners to every unresolved entitlement Create a closure workflow for each excess permission or stale connector, with a named control owner and a target date for removal or justification.
- Reconcile ERP access with segregation of duties rules Check ERP permissions against SoD policy after every major change in role, integration, or application ownership to catch hidden conflicts early.
Key takeaways
- ERP security becomes an IAM attack surface problem when access, integrations, and identity records are fragmented across systems.
- Visibility without remediation leaves exposure intact, so control maturity should be measured by closure speed as well as detection.
- IAM leaders should treat ERP governance as a lifecycle and observability discipline, not just an application administration task.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | ERP access review and privilege control map directly to least-privilege governance. |
| NIST Zero Trust (SP 800-207) | AC-6 | Zero trust requires continuous verification, which ERP visibility gaps undermine. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Unreconciled service and integration accounts behave like unmanaged non-human identities. |
Inventory ERP-linked non-human identities and rotate or retire access that lacks clear ownership.
Key terms
- IAM Attack Surface: The IAM attack surface is the full set of identities, entitlements, applications, connectors, and approval paths that could be abused to gain or expand access. In practice, it is broader than a user list or a permissions report because it includes hidden dependencies and stale trust relationships.
- Identity Visibility: Identity visibility is the ability to see who or what has access, where that access lives, and how it changes over time. It is the prerequisite for governance because access reviews, SoD checks, and remediation all fail when the underlying identity state is incomplete or fragmented.
- Remediation Closure: Remediation closure is the point at which a discovered access issue is actually fixed, not just logged. It matters because exposure only falls when stale accounts, excess permissions, or risky connectors are removed, justified, or re-scoped in the live environment.
- Segregation of Duties: Segregation of duties is a control that prevents one identity from holding conflicting permissions that enable fraud, error, or unauthorized change. In ERP environments, it depends on accurate entitlement data and current role mapping, otherwise conflicts remain hidden inside disconnected records.
What's in the full article
Zluri's full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns from 100+ IT leaders that show how practitioners are using ERP and IAM controls in real environments.
- The report's own framing of visibility, observability, and remediation as the practical levers for reducing IAM attack surface.
- Additional context on IVIPs and how they unify identity visibility across connected and disconnected systems.
- The underlying Gartner material cited by Zluri, useful if you need the analyst context behind the report's positioning.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-10-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org