Security teams should govern low-code automation as an identity problem, not only a development problem. Each workflow should have a named owner, a narrowly scoped execution identity, and a clear approval path for data access and downstream actions. If the automation can touch multiple systems, entitlement reviews should include the full integration chain, not just the app creator.
Why This Matters for Security Teams
Low-code automation in SAP BTP often gets treated as a productivity concern, but the security impact is really about identity, privilege, and control over business actions. When citizen developers can connect workflows to finance, HR, or customer systems, the real risk is not the code itself. It is the execution identity behind the workflow, the entitlements that identity inherits, and the downstream systems it can reach.
That is why governance has to align to NHI control, not only application review. Current guidance from Ultimate Guide to NHIs shows why lifecycle ownership, rotation, and offboarding matter for service-like identities, while the NIST Cybersecurity Framework 2.0 reinforces the need for governed access and accountability across the environment. In SAP BTP, the same workflow may be reused across teams, copied into new spaces, or connected to additional APIs without a fresh security review.
In practice, many security teams discover risky automation only after a workflow has already been reused across multiple business processes and inherited broader access than intended.
How It Works in Practice
Governing SAP BTP automation starts with naming the owner of the workflow, then separating that ownership from the identity that actually executes it. The workflow should run under a narrowly scoped technical identity, not the creator’s personal access, and that identity should be treated like any other NHI: inventoried, reviewed, and revoked when the automation is retired. The Top 10 NHI Issues page is a useful reminder that excessive privilege and weak lifecycle controls are recurring failure modes, not edge cases.
Security teams should require a review of the full integration chain before approval. In SAP BTP, that means mapping the workflow to the source system, the API or connector used, the target system, and any intermediate secrets, tokens, or destination configurations. If the automation can trigger approvals, move data, or create downstream records, the review should include those actions as part of the entitlement scope. The lifecycle guidance for NHIs is especially relevant here because low-code automations often outlive the original business need.
- Assign a business owner and a technical custodian for every workflow.
- Use a dedicated execution identity with least privilege and separate secrets.
- Review connectors, API destinations, and delegated permissions together.
- Require approval for production activation, not just app publication.
- Monitor runtime logs for unexpected system access or privilege expansion.
Security review should also be tied to change management. When a workflow adds a new connector, new data field, or new approval path, that is effectively a new identity risk and should trigger re-approval. These controls tend to break down when teams copy workflows across BTP spaces because the original owner, approval trail, and access assumptions do not follow the automation cleanly.
Common Variations and Edge Cases
Tighter workflow control often increases delivery friction, so organisations need to balance developer agility against the cost of overexposure. That tradeoff is real in SAP BTP environments where business teams expect fast automation and security teams need clear traceability.
There is no universal standard for every SAP BTP pattern yet, so guidance is still evolving for mixed models such as attended automations, shared service accounts, and workflows that call external SaaS tools. For lower-risk use cases, current guidance suggests lighter approvals may be acceptable if the workflow only reads non-sensitive data and cannot make changes. For high-impact processes, such as payroll, procurement, or customer record updates, the bar should be much higher.
Security teams should also watch for hidden privilege inheritance. A low-code app may look harmless in the builder, but if it runs under an integration user with broad backend permissions, the effective risk is much larger than the UI suggests. That is why audit teams should evaluate not only the workflow definition, but also the execution context, secret storage, and offboarding process. The regulatory and audit perspective for NHIs helps frame this as an ongoing control problem, not a one-time approval.
In SAP BTP environments with frequent sandbox-to-production promotion, governance breaks down when ownership changes faster than the access review cycle can keep up.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Low-code workflows need owned, inventoried execution identities. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central to workflow and connector governance. |
| CSA MAESTRO | GOV-2 | Agentic-style orchestration governance fits multi-step SAP automation. |
Treat multi-step automations as governed workloads and require runtime accountability for every downstream action.
Related resources from NHI Mgmt Group
- How should security teams govern non-human identities in cloud environments?
- How should security teams govern eSignature workflows in low-code automation platforms?
- How should security teams prioritise NHI remediation in cloud environments?
- How should security teams govern non-human identities at scale?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
