Yes, because cloud migration amplifies any weakness already present in access reviews, evidence collection, and control monitoring. If the control model is manual or narrow before migration, those weaknesses usually scale with the environment. Governance modernisation should happen alongside application change, not after the new footprint is already live.
Why This Matters for Security Teams
Modern ERP programmes rarely fail because the cloud target is inherently unsafe. They fail when legacy access governance, evidence collection, and control ownership are carried forward unchanged. Cloud apps amplify those gaps: privileged roles multiply, service accounts proliferate, and manual reviews become too slow to prove who can do what. The most reliable starting point is to modernise governance before migration, using control expectations that can survive change, not just document it.
That is why NHI controls matter alongside ERP planning. The same patterns that create exposure in cloud identities appear in ERP integrations, automation, and API keys, and they are often missed until auditors or incident responders ask for proof. NHIMG’s Top 10 NHI Issues and Ultimate Guide to NHIs — Regulatory and Audit Perspectives both show why unmanaged machine access becomes a governance problem, not just an operations one. The NIST Cybersecurity Framework 2.0 reinforces the same point: access, monitoring, and governance need to be demonstrable, not implied.
In practice, many security teams encounter ERP identity sprawl only after the cloud rollout has already turned a local weakness into a repeatable audit finding.
How It Works in Practice
Practical modernisation starts with the control model, not the application cutover. ERP governance should define who owns each access path, how privileged access is approved, what evidence is required, and how non-human identities are reviewed. That includes batch jobs, integration users, API tokens, and admin service accounts. If those identities are still governed through shared spreadsheets or annual-only reviews, cloud migration will expose the weakness immediately.
A more durable approach is to align ERP governance with lifecycle control. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because it frames creation, rotation, use, and retirement as one continuous control chain. For organisations with large integration estates, the Snowflake breach is a reminder that exposed credentials and weak identity governance can be far more damaging than the application itself. Teleport’s 2026 Infrastructure Identity Survey found that 67% of organisations still rely heavily on static credentials, which is a clear warning sign for ERP environments moving into cloud application stacks.
- Inventory human and non-human access before migration, including service accounts, middleware, and automation users.
- Replace one-time approvals with recurring review cycles tied to role, owner, and business process.
- Require evidence for privileged access, credential rotation, and exception handling before go-live.
- Separate application change control from identity control so ownership does not disappear during cutover.
NIST guidance supports this kind of risk-based control mapping, especially where ERP customisations and integrations create more identities than the business can manually track. These controls tend to break down when migration is running at pace and account ownership is spread across finance, IT, and the implementation partner because no single team can prove end-to-end accountability.
Common Variations and Edge Cases
Tighter governance often increases implementation effort, so organisations have to balance audit readiness against programme speed. That tradeoff is real, especially when an ERP replacement is tied to finance deadlines or business transformation milestones. Best practice is evolving, but there is no universal standard for automatically transferring legacy access into cloud applications without revalidation.
One common exception is short-lived project access. Temporary migration users, consultants, and test integrations may justify accelerated provisioning, but they still need expiry dates, owner approval, and revocation evidence. Another edge case is shared platform tooling, where a single control may cover multiple ERP modules. In those environments, the safest pattern is to document the identity boundary explicitly and then enforce it with the secret-handling discipline described in Azure Key Vault privilege escalation exposure, even when the ERP vendor offers convenience shortcuts.
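One way to turn the inventory, recurring-review, rotation and expiry requirements above into a pre-cutover check, as an added example that is not from the original page. The CSV columns, the sample identities and the 90-day thresholds are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data). Column names are assumptions.
INVENTORY_CSV = """\
identity,kind,owner,temporary,expires,last_rotated,last_reviewed
svc-batch-gl,service_account,finance-ops,no,,2025-11-02,2026-03-01
int-middleware,integration_user,,no,,2026-04-10,2026-04-15
api-tok-payroll,api_token,hr-systems,no,,2024-09-30,2025-01-12
mig-consultant-07,human,impl-partner,yes,,2026-04-20,2026-04-20
mig-test-loader,integration_user,it-erp,yes,2026-05-01,2026-04-18,2026-04-18
jdoe,human,finance-ops,no,,,2026-04-02
"""

# Assumed policy thresholds; set these from your own control standard.
MAX_ROTATION_DAYS = 90
MAX_REVIEW_DAYS = 90
NON_HUMAN = {"service_account", "integration_user", "api_token"}

def _age(value, today):  # days since an ISO date, None when the field is empty
    return (today - date.fromisoformat(value)).days if value else None

def audit(csv_text, today):
    """Return {identity: [findings]} for rows that fail a pre-cutover control."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not row["owner"]:
            issues.append("no owner")
        if row["temporary"] == "yes":
            if not row["expires"]:
                issues.append("temporary access without expiry")
            elif date.fromisoformat(row["expires"]) < today:
                issues.append("expired but still present")
        if row["kind"] in NON_HUMAN:  # rotation applies to machine credentials
            rotated = _age(row["last_rotated"], today)
            if rotated is None or rotated > MAX_ROTATION_DAYS:
                issues.append("credential rotation overdue")
        reviewed = _age(row["last_reviewed"], today)
        if reviewed is None or reviewed > MAX_REVIEW_DAYS:
            issues.append("access review overdue")
        if issues:
            findings[row["identity"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(INVENTORY_CSV, date(2026, 5, 16)).items():
        print(f"{name}: {', '.join(issues)}")
```

The findings dictionary can be attached to the go-live evidence pack, with an empty result as the gate condition.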
For broader governance planning, the Ultimate Guide to NHIs — Regulatory and Audit Perspectives helps teams align cloud migration evidence with control expectations before the new system is live. Current guidance suggests that the safest sequence is to modernise access review, secret rotation, and ownership tracking first, then migrate. Delaying that work usually creates a cloud-shaped version of the same old control gap.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers NHI credential rotation and lifecycle gaps exposed by cloud ERP migration. |
| NIST CSF 2.0 | PR.AC-4 | Access governance and least privilege are central to cloud ERP control redesign. |
| NIST CSF 2.0 | DE.CM-8 | Continuous monitoring is needed when ERP identities and controls move to cloud apps. |
Inventory ERP machine identities and enforce rotation, expiry, and revocation before cutover.
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org