TL;DR: Enterprises often secure the perimeter well while leaving business applications under-governed, creating a gap where sensitive data, financial workflows, and elevated access concentrate, according to Delinea. That gap is an IAM and governance problem, not just an application issue, because ownership, access review, and segregation of duties controls often stop at departmental boundaries.
NHIMG editorial — based on content published by Delinea: Closing the security doughnut, why CISOs need to prioritize business application security
By the numbers:
- Organizations lose 5% of their revenue to fraud each year, and the average fraud loss per case is $1.7M, according to the Association of Certified Fraud Examiners.
Questions worth separating out
Q: How should security teams govern access in business applications with different owners?
A: Treat business applications as governed systems, not departmental exceptions.
Q: Why do business applications create hidden identity risk even when perimeter security is strong?
A: Because the highest-risk actions often happen inside the application, not at the perimeter.
Q: How do organisations know whether application access governance is working?
A: Look for fewer unresolved SoD conflicts, lower volumes of over-provisioned access, complete review coverage for privileged accounts, and a clear audit trail for sensitive data changes.
Practitioner guidance
- Map access to business-critical functions Inventory entitlements in ERP, HCM, CRM, procurement, and finance systems, then map each permission to the business action it enables.
- Build SoD rules at the lowest permission level Define segregation of duties conflicts at the lowest securable object or permission level to reduce false positives.
- Separate administrative access from standard user review Review elevated privileges on a distinct cadence and require explicit business justification for each admin account.
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for analysing segregation of duties risk inside business applications
- Operational review patterns for administrative access and user access recertification
- How to track changes to critical data for investigation and audit evidence
- Automation tips for running SoD checks across multiple applications faster than manual review
👉 Read Delinea's analysis of the business application security gap and control model →
Business application security: what IAM teams are missing?
Explore further
Business application security is where IAM governance meets financial control. The article correctly exposes a common enterprise blind spot: applications that hold financial, employee, and customer data are often governed by business ownership assumptions rather than by consistent identity controls. That model breaks down when entitlement risk, administrative access, and approval workflows sit outside central review. Practitioners should treat application access governance as a core control surface, not a local system issue.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- In the same study, 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, which shows how quickly hidden access becomes operational risk.
A question worth separating out:
Q: Who should be accountable for business application security findings?
A: Accountability should sit with both the business owner and the identity governance function. The business owner defines acceptable access and approval risk, while IAM or IGA teams enforce the control model, maintain evidence, and escalate unresolved conflicts. Without shared accountability, application risk is pushed between teams and left unowned.
👉 Read our full editorial: Business application security gaps are widening in enterprise IAM