Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Business application risk management: what IGA teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: KuppingerCole’s 2026 Leadership Compass puts business application risk management in the context of cross-system entitlement control across SAP, Salesforce, Workday, Oracle, and Microsoft Dynamics, highlighting wide application coverage, interoperability, and ecosystem support as evaluation criteria. The practical implication is that IGA programmes now need stronger entitlement governance across heterogeneous business applications, not just directory-centric access control.

NHIMG editorial — based on content published by Pathlock: 2026 Leadership Compass recognition for business application risk management

Questions worth separating out

Q: How should security teams govern entitlements across multiple business applications?

A: Security teams should govern entitlements through a shared policy layer that normalises access across ERP, CRM, HR, and finance systems.

Q: Why do segregation of duties controls fail in heterogeneous application estates?

A: Segregation of duties fails when controls are evaluated inside each application separately instead of across the business process.

Q: What signals show that entitlement governance is too fragmented?

A: Fragmentation shows up when review evidence is manual, entitlement reports differ by application, and policy exceptions are handled ad hoc.

Practitioner guidance

  • Map entitlement coverage across all core LoB systems Inventory the applications where business risk is created, including ERP, CRM, HR, and finance platforms.
  • Normalize SoD rules across application families Translate segregation of duties controls into a common policy model so toxic combinations are detected across platforms, not only within a single suite.
  • Use transaction data to prioritise risky access Combine entitlement data with transactional identity context so reviewers can focus on actual business activity rather than static role names.

What's in the full analysis

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

  • The specific analyst criteria behind the Overall Leader designation and how Product, Innovation, and Market were scored.
  • The report language on broad application coverage, interoperability, and ecosystem support across enterprise LoB environments.
  • The transaction-level identity data approach Pathlock says it uses to support compliance and access governance.
  • The download path for the full 2026 Leadership Compass report.

👉 Read Pathlock's overview of the 2026 Leadership Compass for business application risk management →

Business application risk management: what IGA teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Business application risk management is now a governance layer, not an application feature. The report reflects a market shift away from treating access control as a per-system administration task. Once enterprises run core processes across SAP, Salesforce, Workday, Oracle, and Microsoft Dynamics, the control problem becomes cross-platform entitlement governance. Practitioners should treat this as an IGA architecture issue, not a point-solution selection exercise.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which helps explain why cross-system entitlement governance remains incomplete in many programmes.

A question worth separating out:

Q: Who should own access risk decisions in business application governance?

A: Access risk decisions should sit with control owners who understand the business process, not just with application administrators. The governance team can define policy and evidence, but risk acceptance should remain explicit and auditable.

👉 Read our full editorial: Business application risk management now centers on cross-system IGA



   
ReplyQuote
Share: