TL;DR: Enterprise risk now spans SAP, cloud platforms, infrastructure, and non-human identities, and Saviynt's article argues that periodic access reviews no longer provide enough context to govern that spread. The security question is no longer whether controls exist, but whether identity data, entitlement context, and activity signals are unified enough to manage risk continuously.
NHIMG editorial — based on content published by Saviynt: SAP Identity Security and Business Application Risk Management Are at an Inflection Point
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should security teams govern access across SAP and business applications?
A: Security teams should govern access by linking identity, entitlement, and activity data across systems instead of certifying each application separately.
Q: Why do non-human identities complicate enterprise risk management?
A: Non-human identities complicate risk management because they act at machine speed, often hold elevated permissions, and frequently lack the ownership discipline applied to human users.
Q: What breaks when teams rely on periodic access certification alone?
A: Periodic certification breaks down when access changes, interdependencies, and runtime use evolve faster than the review cycle.
Practitioner guidance
- Define enterprise-wide risk boundaries: map where SAP, business applications, cloud platforms, and automation intersect so that access decisions reflect process-level risk rather than isolated system compliance.
- Correlate identity, entitlement, and activity data: build workflows that join identity ownership, role assignments, privilege state, and runtime behaviour before approvals or recertifications are completed.
- Include non-human identities in governance scope: add service accounts, API keys, tokens, certificates, and AI agents to access reviews, ownership checks, and exception handling so they are governed like other high-risk identities.
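As an added illustration of the correlation step in the guidance above (example code, not from the article or from Saviynt), the Python below joins a constructed identity inventory, entitlement assignments across SAP and a cloud platform, and a constructed activity log into review findings; the identity names, custom roles, thresholds and sample data are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): identity inventory,
# entitlements across SAP and a cloud platform, and recent runtime activity.
NOW = datetime(2025, 6, 1)
IDENTITIES = {
    "svc-sap-batch": {"kind": "service", "owner": None, "rotated": datetime(2024, 9, 1)},
    "api-erp-sync": {"kind": "api_key", "owner": "team-integration", "rotated": datetime(2025, 5, 20)},
    "agent-invoice-bot": {"kind": "ai_agent", "owner": "finance-ops", "rotated": datetime(2025, 4, 1)},
    "jsmith": {"kind": "human", "owner": "jsmith", "rotated": datetime(2025, 5, 1)},
}
ENTITLEMENTS = [  # (identity, system, role, privileged?) - Z_* roles are made up
    ("svc-sap-batch", "sap", "SAP_ALL", True),
    ("svc-sap-batch", "cloud", "Owner", True),
    ("api-erp-sync", "sap", "Z_READ_ORDERS", False),
    ("agent-invoice-bot", "sap", "Z_POST_INVOICE", True),
    ("jsmith", "sap", "Z_READ_ORDERS", False),
]
ACTIVITY = [  # (identity, system, timestamp) from constructed runtime logs
    ("api-erp-sync", "sap", datetime(2025, 5, 31)),
    ("agent-invoice-bot", "sap", datetime(2025, 5, 30)),
    ("jsmith", "sap", datetime(2025, 5, 29)),
]
ROTATION_MAX = timedelta(days=90)  # assumed credential rotation window
UNUSED_MAX = timedelta(days=30)    # assumed window after which privilege is "standing"


def review_findings(identities=IDENTITIES, entitlements=ENTITLEMENTS, activity=ACTIVITY, now=NOW):
    """Join identity, entitlement and activity context; return (identity, finding) pairs."""
    last_seen = {}  # (identity, system) -> most recent activity timestamp
    for ident, system, ts in activity:
        key = (ident, system)
        last_seen[key] = max(last_seen.get(key, ts), ts)
    findings = []
    for ident, meta in identities.items():
        nhi = meta["kind"] != "human"
        if nhi and not meta["owner"]:           # ownership discipline for NHIs
            findings.append((ident, "no_owner"))
        if nhi and now - meta["rotated"] > ROTATION_MAX:
            findings.append((ident, "credential_not_rotated"))
        systems, privileged_any = set(), False
        for e_ident, system, role, privileged in entitlements:
            if e_ident != ident:
                continue
            systems.add(system)
            privileged_any |= privileged
            seen = last_seen.get((ident, system))
            if privileged and (seen is None or now - seen > UNUSED_MAX):
                findings.append((ident, f"unused_privilege:{system}:{role}"))  # revoke candidate
        if privileged_any and len(systems) > 1:   # cross-system blast radius
            findings.append((ident, "privileged_in_multiple_systems"))
    return findings
```

Each finding maps to one of the governance actions the guidance names: assign an owner, rotate the credential, revoke privilege that is not actively used, or split duties across systems.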
With only 5.7% of organisations having full visibility into their service accounts, most environments are still operating with blind spots that make enterprise risk look smaller than it is.
Read Saviynt's analysis of identity-driven risk management for SAP and business apps.
Identity-driven risk management is becoming the only workable model for complex enterprise access. The article correctly identifies that risk no longer lives inside one application or one review cycle. In practice, SAP, business applications, infrastructure, and non-human identities form a single risk surface that cannot be governed effectively with siloed controls. Practitioners should treat unified identity context as the prerequisite for any credible enterprise risk programme.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: How can organisations reduce identity blast radius in complex environments?
A: Organisations reduce identity blast radius by limiting standing privilege, separating duties across systems, and revoking access that is not actively needed for a task. They should also track who owns each service account or automation path so accountability exists when risk emerges. The smaller the privilege footprint, the easier it is to contain misuse.
Read our full editorial: Identity-driven risk management for SAP and business apps.