TL;DR: ERP environments are part of a wider IAM attack surface problem, with visibility, observability, and remediation presented as the levers that reduce exposure across connected and disconnected systems, according to Zluri. The underlying issue is that identity control breaks down when access, applications, and shadow activity are not consistently observable.
NHIMG editorial — based on content published by Zluri: Reduce Your IAM Attack Surface Using Visibility, Observability, and Remediation
By the numbers:
- Zluri reports that the report is based on a survey of 100+ IT leaders from various industries.
- Gartner Peer Insights shows Zluri rated 4.7 based on 10 reviews as of 19th Nov 2025.
- Zluri says its SaaS Management Platform has 26 ratings on Gartner Peer Insights.
Questions worth separating out
Q: How should security teams reduce ERP-related IAM attack surface risk?
A: Start by building a complete inventory of ERP-linked identities, integrations, and permissions, then validate which access paths are still needed.
Q: Why do disconnected systems make ERP access harder to govern?
A: Disconnected systems break the control chain between entitlement, approval, and enforcement.
Q: What breaks when visibility into ERP access is incomplete?
A: Incomplete visibility breaks ownership, review quality, and remediation speed.
Practitioner guidance
- Map the ERP identity graph end to end Inventory user accounts, service accounts, integrations, and admin pathways across connected and disconnected systems so the attack surface is visible before remediation starts.
- Tie access review to live usage signals Use access reviews alongside event logs and connector telemetry so entitlement decisions reflect current behaviour, not just historical approval records.
- Assign owners to every unresolved entitlement Create a closure workflow for each excess permission or stale connector, with a named control owner and a target date for removal or justification.
What's in the full article
Zluri's full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns from 100+ IT leaders that show how practitioners are using ERP and IAM controls in real environments.
- The report's own framing of visibility, observability, and remediation as the practical levers for reducing IAM attack surface.
- Additional context on IVIPs and how they unify identity visibility across connected and disconnected systems.
- The underlying Gartner material cited by Zluri, useful if you need the analyst context behind the report's positioning.
👉 Read Zluri's report on reducing your IAM attack surface with visibility and remediation →
IAM attack surface visibility in ERP estates: what teams need now?
Explore further
Visibility is the control that determines whether ERP risk can be governed at all. ERP environments are rarely insecure because of a single weak setting. They become hard to govern when identities, applications, and access paths are fragmented across systems that cannot be seen together. That leaves IAM teams managing partial truth instead of control state. The practitioner conclusion is simple: if ERP access cannot be enumerated coherently, it cannot be governed coherently.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How can IAM teams tell whether remediation is actually reducing ERP risk?
A: Track how quickly findings are closed, how many exceptions remain open, and whether stale access is being removed rather than reapproved. If remediation only produces more reports and few closures, the programme is observing risk without reducing it. That is a control failure, not a maturity signal.
👉 Read our full editorial: Visibility gaps are widening the IAM attack surface in ERP estates