TL;DR: Traditional access management answers who can act, but ERP and business-critical environments increasingly need proof that each transaction was appropriate, continuous, and compliant, according to Pathlock’s webinar on Nexus. The governance gap is shifting from access certification to transaction-level assurance, especially where AI widens compliance blind spots.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams govern high-risk ERP transactions beyond access reviews?
A: Security teams should separate entitlement from execution.
Q: Why do traditional IAM controls fall short in multi-ERP environments?
A: Traditional IAM controls often stop at provisioning, role design, and periodic recertification.
Practitioner guidance
- Map controls to transaction outcomes: identify the ERP actions that need proof of appropriateness, such as postings, approvals, master-data changes, and sensitive overrides.
- Separate entitlement review from execution evidence: keep access recertification for who may operate, but add transaction evidence for what was actually done, when, and under which policy condition.
- Review AI-influenced workflows for control gaps: trace where AI is assisting approvals, routing, or exception handling in business-critical applications and identify the point where human sign-off no longer reflects the real decision path.
What to expect at the briefing
Pathlock's full webinar covers the operational detail this post intentionally leaves for the source:
- Live discussion of how Pathlock Nexus evaluates transactions in motion across ERP workflows
- Speaker perspectives from Pathlock and Protiviti on compliance gaps in multi-ERP environments
- Practical framing for how AI creates assurance gaps that access reviews do not close
- Webinar recording access for teams that need the implementation context after the live session
👉 Register for Pathlock’s live webinar on certified transaction governance
Certified access to certified transaction: what changes on June 25, 2026?
Explore further
Certified access is no longer a sufficient governance boundary for ERP. The control problem is shifting from entitlement to execution, because compliance failures often happen in the transaction, not the login. Access tells you who could act; transaction governance tells you whether the action itself was defensible. For practitioners, that means identity architecture must be evaluated against business event flow, not only against account state.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Should organisations prioritise transaction governance or access certification first?
A: Organisations should keep access certification, but prioritise transaction governance where the business impact is highest. If a system handles postings, approvals, or sensitive master data, proving execution appropriateness matters more than proving static entitlement alone. The right order is risk-based, starting with the most consequential workflows.
👉 Read our full editorial: Continuous transaction governance for ERP identity control