A controlled location in a standard application where custom UI or logic can be added without rewriting the full page. In Fiori elements, extension points help teams fill genuine business gaps while preserving the framework’s standard navigation, messaging, and lifecycle behaviour.
Expanded Definition
An extension point is a deliberate insertion point in a standard application where approved custom UI, logic, or behaviour can be added without altering the underlying product. In SAP Fiori elements and similar framework-driven interfaces, extension points preserve the standard shell while allowing business-specific needs to be met. That distinction matters because an extension point is not a free-form code override: it is a governed customisation surface that should remain compatible with the framework lifecycle, upgrade path, and messaging model. Definitions vary across vendors, but the common pattern is the same: the platform exposes a stable contract, and the custom addition must respect that contract. For security and governance teams, the key question is whether the customisation stays inside the supported extension model or drifts into unsupported modification. The NIST Cybersecurity Framework 2.0 is useful here because it reinforces controlled change, asset governance, and resilience expectations around application components. The most common misapplication is treating an extension point like a place to embed unreviewed business logic, which occurs when teams bypass the framework’s supported extension mechanism to rush delivery.
Examples and Use Cases
Implementing extension points rigorously often introduces a tradeoff between agility and control, requiring organisations to weigh faster business delivery against tighter upgrade discipline and review overhead.
- A Fiori elements page exposes a custom toolbar action at an approved extension point so users can trigger a business-specific workflow without forking the page.
- A development team adds a validation rule at a framework-supported hook while keeping standard navigation and message handling intact, reducing regression risk.
- An enterprise uses an extension point to inject role-aware content for a specific business unit, but documents the change so it can be retested after every release.
- Security reviewers map each extension point to change records and code owners to ensure only approved logic is attached to the standard application.
For governance context, the Ultimate Guide to NHIs highlights how uncontrolled customisation can expand attack surface when access, lifecycle, or offboarding are not tightly managed. In platform terms, the same discipline that protects NIST Cybersecurity Framework 2.0 objectives also helps teams keep extension points maintainable across releases.
Why It Matters in NHI Security
Extension points matter in NHI security because they often become the place where identity-dependent logic, API calls, or privileged UI actions are introduced. If the customisation layer is not governed, teams can accidentally hard-code secrets, weaken authorisation checks, or create hidden dependencies that outlive the original business need. That creates operational risk during patching, migration, and offboarding, especially when service accounts or automation credentials are involved. NHIMG research shows that 97% of NHIs carry excessive privileges, which broadens the impact of any weakly controlled extension or embedded automation path. The broader lesson is that a harmless-looking UI hook can become an identity control failure if it is used to launch actions that exceed the intended role or lifecycle of the NHI behind it. A useful control mindset is to review extension points as part of application ownership, entitlement review, and release governance, not as a purely developer convenience issue. The Ultimate Guide to NHIs provides the operational backdrop for that discipline, especially where lifecycle and privilege management intersect with custom integrations. Organisations typically encounter the risk only after an upgrade breaks the extension or an incident reveals that a custom hook had been executing with unchecked authority, at which point extension point governance becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS | Extension points must preserve secure data handling and controlled system behaviour. |
| OWASP Agentic AI Top 10 | Custom logic hooks can introduce unsafe tool use or privilege amplification in agentic flows. | |
| OWASP Non-Human Identity Top 10 | NHI-07 | Extension points can conceal risky integrations and unmanaged identity-dependent logic. |
Treat every extension as a governed change and revalidate security controls after each release.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
