
Pathlock Nexus and continuous ERP controls: what changes for IAM teams


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 42
Topic starter  

TL;DR: Pathlock says modern ERP environments now require continuous, transaction-first assurance because AI agents, bots, and service accounts execute critical business actions at machine speed across SAP, Oracle, Workday, and 150+ applications. The governance shift is bigger than monitoring more logs, because identity, privilege, and transaction context now have to be evaluated together in real time.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents and bots in ERP systems?

A: Treat AI agents and bots as governed non-human identities with explicit ownership, least privilege, and lifecycle controls.

Q: Why do static ERP access reviews miss so much risk?

A: Static reviews miss sequence-based risk because a permission that looks acceptable in isolation may become dangerous when combined with transaction order, business context, and automation.

Q: What breaks when transaction controls are only tested after the fact?

A: After-the-fact testing lets fraud, compliance violations, and privilege misuse execute before anyone can intervene.

Practitioner guidance

  • Map transaction-critical identities: Inventory the users, bots, service accounts, and AI agents that can create, approve, or release ERP transactions, then assign explicit owners for each identity and workflow.
  • Replace sampling with continuous controls monitoring: Instrument controls so they evaluate transactions in real time, then retain evidence for audit, investigation, and exception handling across SAP, Oracle, Workday, and related systems.
  • Reduce toxic access combinations: Use SoD analysis and role cleanup to remove combinations that let one identity both initiate and approve the same high-risk business process.

The control objective shifts from periodic approval to continuous containment?

👉 Read Pathlock's analysis of continuous ERP control governance with Pathlock Nexus →




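As an added illustration of the three guidance points above (this is example code written for this thread, not Pathlock's product logic or anything from the original post), the block below runs a separation-of-duties check over a constructed identity inventory of humans, bots, service accounts and AI agents, flags non-human identities that hold transaction rights without an owner, and then evaluates a constructed transaction log for the sequence-based risk that static reviews miss: one identity performing both halves of a toxic pair inside a single transaction. The identity names, the `vendor_payment` process, the `TOXIC_PAIRS` table and every event are made up for the example.

```python
"""Added example: SoD conflicts, unowned NHIs and sequence-based transaction checks.

All identities, processes, owners and log events below are constructed for
illustration; nothing here is taken from Pathlock or from the forum post.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Pairs of actions that one identity must never hold, or perform, on the same
# business process. (Constructed policy table for the example.)
TOXIC_PAIRS = [("initiate", "approve"), ("approve", "release")]


@dataclass
class Identity:
    name: str
    kind: str                      # "human", "bot", "service_account", "ai_agent"
    owner: Optional[str]           # accountable person or team; None means unowned
    entitlements: Dict[str, Set[str]] = field(default_factory=dict)  # process -> actions


# Constructed inventory of transaction-capable identities.
INVENTORY: List[Identity] = [
    Identity("alice", "human", "alice", {"vendor_payment": {"initiate"}}),
    Identity("bob", "human", "bob", {"vendor_payment": {"approve"}}),
    # A finance bot that can both create and approve payments: a toxic combination.
    Identity("ap-bot", "bot", "finance-ops", {"vendor_payment": {"initiate", "approve"}}),
    # An AI agent with release rights and no owner assigned.
    Identity("procure-agent", "ai_agent", None, {"vendor_payment": {"release"}}),
]


def sod_conflicts(inventory: List[Identity]) -> List[Tuple[str, str, str, str]]:
    """Static SoD review: every (identity, process, action_a, action_b) toxic pair held."""
    findings = []
    for ident in inventory:
        for process, actions in ident.entitlements.items():
            for a, b in TOXIC_PAIRS:
                if a in actions and b in actions:
                    findings.append((ident.name, process, a, b))
    return findings


def unowned_transaction_identities(inventory: List[Identity]) -> List[str]:
    """Non-human identities that hold transaction rights but have no accountable owner."""
    return [i.name for i in inventory
            if i.kind != "human" and i.owner is None and i.entitlements]


# Constructed transaction log: (sequence, identity, action, process, transaction id).
EVENTS = [
    (1, "alice", "initiate", "vendor_payment", "PAY-100"),
    (2, "bob", "approve", "vendor_payment", "PAY-100"),
    (3, "ap-bot", "initiate", "vendor_payment", "PAY-101"),
    (4, "ap-bot", "approve", "vendor_payment", "PAY-101"),   # same identity, both steps
    (5, "procure-agent", "release", "vendor_payment", "PAY-101"),
]


def sequence_violations(events) -> List[Tuple[str, str, str, str]]:
    """Transaction-level check: one identity performed both halves of a toxic pair
    on the same transaction. Each entitlement may look acceptable in isolation;
    the risk only appears once the actions are correlated by transaction id."""
    actors = defaultdict(lambda: defaultdict(set))  # txn -> identity -> actions seen
    for _seq, ident, action, _process, txn in events:
        actors[txn][ident].add(action)
    violations = []
    for txn, by_ident in actors.items():
        for ident, actions in by_ident.items():
            for a, b in TOXIC_PAIRS:
                if a in actions and b in actions:
                    violations.append((txn, ident, a, b))
    return violations


def evaluate_event(event, inventory: List[Identity]) -> bool:
    """Real-time gate for a single event: True only if the acting identity is in the
    inventory and holds the exact action it is attempting on that process."""
    _seq, ident_name, action, process, _txn = event
    by_name = {i.name: i for i in inventory}
    ident = by_name.get(ident_name)
    return ident is not None and action in ident.entitlements.get(process, set())


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(INVENTORY))
    print("Unowned NHIs with transaction rights:", unowned_transaction_identities(INVENTORY))
    print("Sequence violations:", sequence_violations(EVENTS))
    print("Gate decisions:", [evaluate_event(e, INVENTORY) for e in EVENTS])
```

The two checks answer different questions: `sod_conflicts` is the periodic review (who could do both steps), while `sequence_violations` and `evaluate_event` are the continuous controls (who actually did both steps on one transaction, and whether an action should be allowed as it arrives). In practice the event source would be the ERP audit log and the inventory would come from the identity platform; retaining the findings with their transaction ids is what gives audit and investigation their evidence trail.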
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207

Transaction-first governance is becoming the correct control lens for modern ERP risk. The core problem is no longer just entitlement sprawl. It is that business value is created and lost inside high-speed transactions that need to be evaluated as they happen. For IAM and PAM teams, that means access control and transaction assurance can no longer be separate disciplines.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
  • That same research found only 1.5 out of 10 organisations are highly confident in securing NHIs, which helps explain why transaction-heavy environments struggle to keep pace with automation.

A question worth separating out:

Q: When should organisations move from periodic audit to continuous assurance?

A: They should move as soon as business processes depend on bots, AI agents, or high-volume ERP automation that can execute sensitive transactions faster than manual review can keep up. If the control objective is to stop bad transactions rather than merely document them, continuous assurance becomes necessary.

👉 Read our full editorial: Pathlock Nexus and the shift to continuous ERP control governance


