TL;DR: As enterprises extend access governance from SAP into Salesforce, Workday, Oracle, Microsoft Dynamics, and other business-critical applications, entitlement management and segregation-of-duties controls become harder to coordinate across SaaS and hybrid estates, according to Pathlock. The governance challenge is no longer application-specific, but programme-wide: audit readiness, compliance, and access risk must be managed consistently across diverse business systems.
NHIMG editorial — based on content published by Pathlock: Leadership Compass for Business Application Risk Management
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should security teams govern business application access across SaaS and hybrid estates?
A: They should standardise entitlement definitions, approval paths, and review evidence across all critical applications, then apply the same governance baseline to SaaS and on-prem systems.
Q: Why does segregation of duties become harder outside SAP?
A: Because conflicting actions are encoded differently in each application, so the same business risk may sit in roles, permissions, workflow objects, or delegated administration.
Q: What do IAM and IGA teams get wrong about business application governance?
A: They often treat each application as a separate governance island and assume local controls are enough.
Practitioner guidance
- Map business roles across every critical application: create a shared entitlement model for SAP and non-SAP systems so reviewers can compare like-for-like access across the estate.
- Automate SoD conflict detection across platforms: configure rules so conflicting access is checked across application families, not only inside one product.
- Centralise access evidence for audit use: pull approvals, reviews, role changes, and revocations into a single evidence trail that can be traced across IAM, GRC, and application logs.
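The three guidance points above, as one added worked example (illustrative code, not Pathlock's product logic): a shared entitlement model maps application-specific SAP, Salesforce and Workday entitlements onto business functions, SoD rules are written against those functions so a conflict is caught whether it sits inside one application or is split across two, and each finding keeps the source entitlements as review evidence. All application names, entitlement identifiers and user assignments are constructed for the example.

```python
"""Cross-application SoD conflict check over a shared entitlement model (example code)."""
from collections import defaultdict

# Shared entitlement model: (application, local entitlement) -> business function.
# Local encodings differ (SAP role, Salesforce permission set, Workday security group);
# the business function is the unit SoD rules are written against. Values are constructed.
ENTITLEMENT_MAP = {
    ("SAP", "Z_AP_VENDOR_MAINT"): "maintain_vendor_master",
    ("SAP", "Z_AP_PAYMENT_RUN"): "release_payment",
    ("Salesforce", "PS_Vendor_Admin"): "maintain_vendor_master",
    ("Workday", "SG_Supplier_Payments"): "release_payment",
    ("Workday", "SG_HR_Partner"): "maintain_employee_master",
}

# One rule set for the whole estate: a user holding every function in a rule is in conflict.
SOD_RULES = {
    "vendor_and_payment": {"maintain_vendor_master", "release_payment"},
}

def normalise(assignments):
    """Map (user, app, local_entitlement) rows to {user: {function: [(app, entitlement)]}}.
    The source entitlements are kept so a finding can be traced back for audit evidence."""
    functions = defaultdict(lambda: defaultdict(list))
    for user, app, ent in assignments:
        func = ENTITLEMENT_MAP.get((app, ent))
        if func is None:
            continue  # unmapped entitlement: a gap in the shared model, not a clean result
        functions[user][func].append((app, ent))
    return functions

def find_sod_conflicts(assignments):
    """Return (user, rule, cross_application, evidence) for every rule a user violates."""
    findings = []
    for user, funcs in normalise(assignments).items():
        for rule, required in SOD_RULES.items():
            if required.issubset(funcs):
                evidence = [e for f in sorted(required) for e in funcs[f]]
                cross_application = len({app for app, _ in evidence}) > 1
                findings.append((user, rule, cross_application, evidence))
    return findings

# Constructed sample: one conflict split across applications, one inside SAP, one clean user.
SAMPLE = [
    ("alice", "SAP", "Z_AP_VENDOR_MAINT"),
    ("alice", "Workday", "SG_Supplier_Payments"),  # only visible with a cross-app rule set
    ("bob", "SAP", "Z_AP_VENDOR_MAINT"),
    ("bob", "SAP", "Z_AP_PAYMENT_RUN"),            # a single-application SoD tool finds this
    ("carol", "Salesforce", "PS_Vendor_Admin"),    # vendor maintenance only: no conflict
]

if __name__ == "__main__":
    for user, rule, cross, evidence in find_sod_conflicts(SAMPLE):
        print(f"{user}: {rule} ({'cross' if cross else 'single'}-application) via {evidence}")
```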
What's in the full report
Pathlock's full analyst report covers the operational detail this post intentionally leaves for the source:
- Vendor-side comparison criteria for business application risk management across SAP and non-SAP environments
- Product capability breakdowns for entitlement governance, SoD analysis, and compliance automation
- Market leadership and innovation commentary from KuppingerCole Analysts
- Implementation context for supporting SaaS and hybrid deployments
Business application risk management beyond SAP: what changes now?