TL;DR: KuppingerCole’s 2026 Leadership Compass expands SAP access control evaluation beyond traditional segregation of duties to include threat detection, system hardening, privileged access management, and audit support, reflecting a broader governance model for SAP and non-SAP environments. That shift matters because SAP security is no longer just about role design; it is about continuous control across access, privilege, and assurance.
NHIMG editorial — based on content published by Pathlock: its 2026 Leadership Compass recognition for SAP Access Control and Security
Questions worth separating out
Q: How should teams govern SAP access beyond segregation of duties?
A: Treat SoD as one control, not the control.
Q: Why is privileged access management important in SAP environments?
A: Privileged access in SAP can change configuration, controls, and high-value business data, so misuse has immediate operational impact.
Q: How can organisations reduce risk in SAP and non-SAP access governance?
A: Use a shared identity governance model that covers both application families.
Practitioner guidance
- Map SAP controls to the full access lifecycle Tie provisioning, role changes, emergency access, and offboarding into one governance process so SAP entitlements do not drift outside review cycles.
- Separate SoD analysis from runtime risk control Use Segregation of Duties checks for policy conflicts, but add monitoring for privileged transactions, hardening exceptions, and suspicious admin activity.
- Unify SAP and non-SAP identity evidence Build a single audit trail that links identity, role, transaction, and privilege events across SAP and adjacent business applications.
What's in the full analysis
Pathlock's full article covers the operational detail this post intentionally leaves for the source:
- The vendor framing behind its Overall Leader position in the KuppingerCole Leadership Compass
- The specific product capabilities referenced in SAP access control, threat detection, hardening, and PAM
- The analyst commentary on interoperability, ecosystem support, and AI-driven assurance
- The business summary of Pathlock's coverage across SAP and non-SAP environments
👉 Read Pathlock's analysis of SAP access control and security leadership →
SAP access control beyond SoD: what practitioners need to know?
Explore further
Broader SAP security is now an identity governance problem, not a point-control problem. The article reflects a market reality that SAP access can no longer be managed through SoD alone. Once threat detection, hardening, PAM, and audit support are in scope, the control plane becomes cross-functional and identity-led. That means practitioners should stop treating SAP as a special-case compliance island and govern it as part of the full identity estate.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: What should auditors look for in modern SAP access control programmes?
A: Auditors should look for evidence that access decisions are explainable across roles, privileges, and transactions. They should expect records showing who had access, who used it, under what conditions, and how exceptions were handled. If the programme cannot produce that chain, compliance may exist on paper but not in practice.
👉 Read our full editorial: SAP access control is expanding beyond SoD and audit checks