Business application security: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator

TL;DR: Enterprises often secure the perimeter well while leaving business applications under-governed, creating a gap where sensitive data, financial workflows, and elevated access concentrate, according to Delinea. That gap is an IAM and governance problem, not just an application issue, because ownership, access review, and segregation of duties controls often stop at departmental boundaries.

NHIMG editorial — based on content published by Delinea: "Closing the security doughnut: why CISOs need to prioritize business application security"

By the numbers:

  • Organizations lose 5% of their revenue to fraud each year, and the average fraud loss per case is $1.7M, according to the Association of Certified Fraud Examiners.

Questions worth separating out

Q: How should security teams govern access in business applications with different owners?

A: Treat business applications as governed systems, not departmental exceptions.

Q: Why do business applications create hidden identity risk even when perimeter security is strong?

A: Because the highest-risk actions often happen inside the application, not at the perimeter.

Q: How do organisations know whether application access governance is working?

A: Look for fewer unresolved SoD conflicts, lower volumes of over-provisioned access, complete review coverage for privileged accounts, and a clear audit trail for sensitive data changes.

Practitioner guidance

  • Map access to business-critical functions: inventory entitlements in ERP, HCM, CRM, procurement, and finance systems, then map each permission to the business action it enables.
  • Build SoD rules at the lowest permission level: define segregation of duties conflicts at the lowest securable object or permission level to reduce false positives.
  • Separate administrative access from standard user review: review elevated privileges on a distinct cadence and require explicit business justification for each admin account.
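To make the three guidance points concrete, here is an added example (not code from Delinea or the NHIMG post) that runs a permission-level SoD check and an admin-review coverage check over a constructed entitlement inventory. Every user, application and permission name in it is hypothetical.

```python
# Added example: permission-level segregation-of-duties check and
# admin-review coverage over a constructed entitlement inventory.
# All user, application and permission names below are hypothetical.
from collections import defaultdict

# Constructed inventory: user -> set of (application, permission) entitlements.
ENTITLEMENTS = {
    "alice": {("erp", "vendor.create"), ("erp", "invoice.approve"), ("erp", "payment.release")},
    "bob":   {("erp", "vendor.create"), ("erp", "invoice.view")},
    "carol": {("erp", "sys.admin"), ("hcm", "payroll.run")},
    "dave":  {("erp", "invoice.approve")},
    "erin":  {("erp", "sys.admin")},
}

# Guidance point 1: each securable permission mapped to the business action it enables.
BUSINESS_ACTION = {
    ("erp", "vendor.create"):   "create supplier",
    ("erp", "invoice.approve"): "approve invoice",
    ("erp", "payment.release"): "release payment",
    ("erp", "invoice.view"):    "view invoice",
    ("erp", "sys.admin"):       "administer ERP",
    ("hcm", "payroll.run"):     "run payroll",
}

# Guidance point 2: SoD rules expressed on permissions, not roles. Each pair
# names two entitlements a single person must not hold together.
SOD_RULES = [
    (("erp", "vendor.create"),   ("erp", "payment.release")),
    (("erp", "invoice.approve"), ("erp", "payment.release")),
]

# Guidance point 3: admin permissions reviewed on their own cadence. The set
# below is the constructed record of admin entitlements with a justification on file.
ADMIN_PERMISSIONS = {("erp", "sys.admin")}
ADMIN_REVIEWED = {("carol", ("erp", "sys.admin"))}

def sod_conflicts(entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Return {user: [(action_a, action_b), ...]} for every SoD rule a user violates."""
    conflicts = defaultdict(list)
    for user, perms in entitlements.items():
        for a, b in rules:
            if a in perms and b in perms:
                conflicts[user].append((BUSINESS_ACTION[a], BUSINESS_ACTION[b]))
    return dict(conflicts)

def admin_review_coverage(entitlements=ENTITLEMENTS, reviewed=ADMIN_REVIEWED):
    """Fraction of admin entitlements that carry a current, justified review (1.0 if none exist)."""
    admin = {(u, p) for u, perms in entitlements.items() for p in perms if p in ADMIN_PERMISSIONS}
    return len(admin & reviewed) / len(admin) if admin else 1.0
```

Unresolved conflicts and the coverage fraction are exactly the two metrics the Q&A above suggests tracking, so the same functions can feed a recurring report.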

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for analysing segregation of duties risk inside business applications
  • Operational review patterns for administrative access and user access recertification
  • How to track changes to critical data for investigation and audit evidence
  • Automation tips for running SoD checks across multiple applications faster than manual review

Read Delinea's analysis of the business application security gap and control model.