
SAP access control and business app risk: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Rising demand for visibility, entitlement control, and auditability across connected enterprise environments was reflected in two KuppingerCole Analysts Leadership Compass reports covering SAP Access Control and Security and Business Application Risk Management, according to Nexis. The underlying shift is that access governance is no longer system-by-system work but cross-application risk management.

NHIMG editorial — based on content published by Nexis: Analysts Nexis Included in Two Recent KuppingerCole Analysts Leadership Compass Reports

Questions worth separating out

Q: How should organisations govern access across SAP and business applications?

A: They should use a shared governance model that covers roles, entitlements, approvals, certifications, and exceptions across both SAP and business applications.

Q: Why does access governance become harder in hybrid enterprise environments?

A: Because identity and entitlement state becomes fragmented across platforms, owners, and review processes.

Q: What breaks when entitlement visibility is incomplete?

A: Certification becomes unreliable, audit evidence becomes inconsistent, and access decisions are easier to defend politically than technically.

Practitioner guidance

  • Map entitlement governance across SAP and non-SAP applications: Inventory where access decisions are made, reviewed, and evidenced across the enterprise application stack.
  • Normalise identity and entitlement data for certification workflows: Create a shared model for user, role, and entitlement records so reviewers can understand access consistently across systems.
  • Tie review cadence to application risk and access criticality: Use more frequent or deeper review cycles for systems where entitlement misuse would affect financial controls, regulated processes, or sensitive business operations.

What's in the full analysis

Nexis' full article covers the operational detail this post intentionally leaves for the source:

  • The specific KuppingerCole report contexts behind the SAP access control and business application risk categories.
  • The vendor's own explanation of how its platform positions itself across transparency, review, and governance workflows.
  • The exact market language used to describe access-related risk across interconnected enterprise environments.
  • The additional product and capability references linked from the article's executive view pages.

👉 Read Nexis' analysis of SAP access control and business application risk →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

Access governance has become a cross-application discipline, not a system-specific control. The article reflects a real market shift: SAP remains important, but the governance problem now extends into business applications where access risk is distributed and harder to observe. That changes the centre of gravity for IGA, PAM, and business application owners. Practitioners should treat entitlement governance as an enterprise control model, not a product or platform silo.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how quickly confidence drops once governance extends beyond human identities.

A question worth separating out:

Q: Who should own access governance when multiple business systems are involved?

A: Ownership should be shared between identity governance teams, application owners, and control owners for high-risk access. Central teams need the standards and evidence model, while business owners need to validate whether access still fits the process. Without that split, accountability becomes diffuse and access reviews lose authority.

👉 Read our full editorial: Access governance across SAP and business apps is getting harder
