Business application risk management: what IGA teams need to know


(@nhi-mgmt-group)

TL;DR: KuppingerCole’s 2026 Leadership Compass puts business application risk management in the context of cross-system entitlement control across SAP, Salesforce, Workday, Oracle, and Microsoft Dynamics, highlighting wide application coverage, interoperability, and ecosystem support as evaluation criteria. The practical implication is that IGA programmes now need stronger entitlement governance across heterogeneous business applications, not just directory-centric access control.

NHIMG editorial — based on content published by Pathlock: 2026 Leadership Compass recognition for business application risk management

Questions worth separating out

Q: How should security teams govern entitlements across multiple business applications?

A: Security teams should govern entitlements through a shared policy layer that normalises access across ERP, CRM, HR, and finance systems.

Q: Why do segregation of duties controls fail in heterogeneous application estates?

A: Segregation of duties fails when controls are evaluated inside each application separately instead of across the business process.

Q: What signals show that entitlement governance is too fragmented?

A: Fragmentation shows up when review evidence is manual, entitlement reports differ by application, and policy exceptions are handled ad hoc.

Practitioner guidance

  • Map entitlement coverage across all core LoB systems. Inventory the applications where business risk is created, including ERP, CRM, HR, and finance platforms.
  • Normalize SoD rules across application families. Translate segregation of duties controls into a common policy model so toxic combinations are detected across platforms, not only within a single suite.
  • Use transaction data to prioritise risky access. Combine entitlement data with transactional identity context so reviewers can focus on actual business activity rather than static role names.
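
The second and third points above can be sketched as a common policy model evaluated across applications and ranked by transaction activity. This is an added example, not code from Pathlock or the report; the application names, entitlement names, business functions and sample rows are all constructed placeholders.

```python
from collections import defaultdict

# Constructed map: (application, native entitlement) -> normalised business function.
# All names are illustrative placeholders, not real roles from any product.
ENTITLEMENT_MAP = {
    ("erp", "VENDOR_MAINTAIN"): "create_vendor",
    ("erp", "PAYMENT_RUN"): "approve_payment",
    ("finance", "AP_PAYMENT_RELEASE"): "approve_payment",
    ("hr", "EMPLOYEE_CREATE"): "create_employee",
    ("hr", "PAYROLL_ADMIN"): "change_payroll",
    ("crm", "ACCOUNT_EDIT"): "edit_customer",
}
# SoD rules written once, over business functions rather than per-application roles.
SOD_RULES = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_employee", "change_payroll"}),
]
# Constructed sample data: (identity, application, entitlement).
ASSIGNMENTS = [
    ("alice", "erp", "VENDOR_MAINTAIN"), ("alice", "finance", "AP_PAYMENT_RELEASE"),
    ("bob", "erp", "VENDOR_MAINTAIN"), ("bob", "erp", "PAYMENT_RUN"),
    ("carol", "hr", "EMPLOYEE_CREATE"), ("carol", "crm", "ACCOUNT_EDIT"),
]
ACTIVITY = [  # entitlements actually exercised in transactions
    ("alice", "erp", "VENDOR_MAINTAIN"), ("alice", "finance", "AP_PAYMENT_RELEASE"),
    ("bob", "erp", "VENDOR_MAINTAIN"),
]

def functions_by_identity(rows):
    """Group rows into identity -> function -> set of applications granting it."""
    out = defaultdict(lambda: defaultdict(set))
    for identity, app, entitlement in rows:
        func = ENTITLEMENT_MAP.get((app, entitlement))
        if func is not None:  # unmapped entitlements are a coverage gap, not a match
            out[identity][func].add(app)
    return out

def find_sod_conflicts(assignments, activity=()):
    """Return SoD findings, exercised and cross-application conflicts first."""
    held, used = functions_by_identity(assignments), functions_by_identity(activity)
    findings = []
    for identity, funcs in held.items():
        for rule in SOD_RULES:
            if not rule <= set(funcs):
                continue
            # A per-application check sees the conflict only if one app grants every function.
            one_app = set.intersection(*(funcs[f] for f in rule))
            findings.append({"identity": identity, "rule": sorted(rule),
                             "cross_app_only": not one_app,
                             "exercised": rule <= set(used.get(identity, {}))})
    findings.sort(key=lambda f: (not f["exercised"], not f["cross_app_only"], f["identity"]))
    return findings
```

Calling `find_sod_conflicts(ASSIGNMENTS, ACTIVITY)` ranks alice first: her conflict spans two applications, so a check run inside either one alone would not see it, and she has exercised both sides of the rule.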

What's in the full analysis

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

  • The specific analyst criteria behind the Overall Leader designation and how Product, Innovation, and Market were scored.
  • The report language on broad application coverage, interoperability, and ecosystem support across enterprise LoB environments.
  • The transaction-level identity data approach Pathlock says it uses to support compliance and access governance.
  • The download path for the full 2026 Leadership Compass report.

👉 Read Pathlock's overview of the 2026 Leadership Compass for business application risk management →
