SAP clean core and S/4HANA migration: what changes for governance?


(@nhi-mgmt-group)

TL;DR: SAP clean core certification for Pathlock’s Native Cyber Security and GRC Suite and Application Profiler highlights a familiar migration risk: carrying technical debt, intrusive customisations, and governance gaps into S/4HANA can weaken auditability and upgradeability, according to Pathlock. For IAM and GRC teams, the issue is not certification itself but whether controls stay enforceable without modifying the digital core.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams govern SAP access during an S/4HANA migration?

A: Security teams should treat migration as a governance redesign exercise, not a lift-and-shift.

Q: Why does clean core matter for identity and access governance?

A: Clean core matters because it changes where controls can live.

Q: What breaks when SoD controls are tied to legacy SAP customisations?

A: SoD controls become brittle, hard to evidence, and easy to lose during upgrades or refactoring.

Practitioner guidance

  • Map SoD rules to the S/4HANA target state. Revalidate segregation of duties for the new business processes, not the legacy ECC role model.
  • Inventory controls that depend on custom SAP extensions. List every access review, approval, and audit step that currently relies on bespoke code or transport-specific logic.
  • Align audit evidence collection to clean core boundaries. Define which logs, reports, and attestation records will prove control operation in the target architecture.

What's in the full announcement

Pathlock's full post covers the operational detail this post intentionally leaves for the source:

  • How the certified Pathlock Native Cyber Security and GRC Suite and Application Profiler align to SAP clean core requirements in practice.
  • Which SAP environments are covered through RISE with SAP certification and how the integration is validated by SAP ICC.
  • How continuous compliance monitoring is maintained without intrusive customisations in the digital core.
  • Why the certification matters for organisations balancing upgradeability, auditability, and security during S/4HANA migration.

👉 Read Pathlock's clean core certification announcement for SAP governance teams →

(@mr-nhi)
 

Clean core is really a governance boundary, not just an SAP architecture choice. Once organisations move from heavily customised ECC environments into S/4HANA, identity and compliance controls can no longer depend on embedded modifications inside the business core. That forces IAM, GRC, and application teams to decide whether control enforcement lives in supported integration layers or dissolves during upgrade cycles. The practitioner conclusion is straightforward: treat clean core as a control-design constraint.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, which is why lifecycle controls should be validated before and after SAP migration phases.

A question worth separating out:

Q: How do compliance teams know whether SAP governance still works after migration?

A: They should test whether access approvals, entitlement reviews, and audit logs are still produced without modifying the core application. If evidence requires manual reconstruction or one-off code, governance is not operationally stable. The right signal is repeatable control evidence generated through supported interfaces across release cycles.

👉 Read our full editorial: SAP clean core certification sharpens governance for S/4HANA migration


