Key Takeaways: What you need to know
  1. As AI transforms enterprise applications, organizations face a rapidly expanding access surface area, posing a critical risk due to a lack of visibility into identities and permissions. Comprehensive inventory management is essential to mitigate these risks and enhance security.

  2. Cross-application Segregation of Duties (SoD) is a significant blind spot in risk management. Overlapping permissions across systems like SAP and Oracle can lead to fraud, particularly within critical financial processes, necessitating a holistic view of entitlements across platforms.

  3. Access certifications must evolve from mere documentation into active risk management. Organizations that certify access without full context or visibility leave dormant risk in place, especially during critical SAP migrations.

As enterprise application landscapes become more fragmented and increasingly automated, identity and access governance (IAG) has shifted from a compliance exercise to a critical business risk discipline. In a recent SAPinsider Live podcast, I spoke with Manoj Makhija, Director of Professional Services at Pathlock, about why organizations continue to underestimate identity risk and what must change as AI accelerates access, automation, and exposure.

The Most Underestimated Risk: The Expanding Access Surface Area

Makhija emphasized that many organizations still lack a complete inventory of applications, identities, and entitlements across their ecosystem. Despite years of digital transformation, they have no reliable system of record for access, a problem that has persisted for years and is now compounding with AI-enabled agents. Without that system of record, enterprises cannot manage risk effectively because they do not know what, or whom, they are securing.


“Do I have a full system of record? Do I actually know what identities and access I’m controlling risk on?”
— Manoj Makhija, Pathlock

This gap becomes even more dangerous as organizations adopt AI and agent-based automation: each agent is introduced with its own credentials and privileges, so the access surface area expands rapidly. As Makhija put it, “with AI and agentic AI in the mix, this problem isn’t going away. It’s only going to increase.” According to Makhija, this is not a future-state concern; it is happening now, at scale, and at machine speed.

Cross-Application SoD: Where the Real Risk Lives

Another major blind spot is cross-application segregation of duties (SoD). While individual systems may appear compliant, risk often emerges when entitlements are combined across SAP, Oracle, and third-party SaaS platforms. Makhija noted that traditional tools still ask, “Who has access to what?” when the more dangerous question is, “What can someone actually do across the full landscape?”

This is especially critical for finance and procure-to-pay processes such as vendor creation, invoice submission, and payment approval, where a single person holding two of those steps in different systems is enough to commit fraud. Without cross-application SoD rule sets, organizations miss this compound risk: each system's own check sees only its share of the overlapping permissions and reports no conflict.

Certifications Without Context Create Dormant Risk

Makhija also challenged the way organizations approach access certifications. Too often, certifications are treated as documentation exercises rather than active risk management. Manual reviews, stale spreadsheets, and lack of usage data result in organizations certifying access they don’t understand, in systems they can’t fully see.

“We are certifying access we don’t understand in systems we can’t see across for a reality that stopped being accurate the moment the last reorg happened.”

— Manoj Makhija, Pathlock

Unused administrative roles and dormant entitlements introduce silent exposure: risk that remains invisible until it is exploited.
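The two gaps above, SoD conflicts that only appear when entitlements are combined across systems and entitlements that are certified but never used, can both be checked from the same per-system entitlement extracts. The script below is an added example written for this page, not Pathlock's rule set or tooling. The extracts, last-use dates, rule set and privileged list are constructed; FK01 and FB60 are real SAP transaction codes and S_A.SYSTEM a real SAP profile, while the Oracle and Coupa entitlement names are assumed for illustration.

```python
# Cross-application SoD and dormant-entitlement checks over per-system
# entitlement extracts. Added example for this page; all data is constructed.
from datetime import date

# One row per (system, identity, entitlement). The identity is the correlation
# key across systems; in practice it comes from the IGA system of record after
# account-to-identity matching. Oracle and Coupa entitlement names are assumed.
ENTITLEMENTS = [
    ("SAP",    "alice@example.com", "FK01"),        # create vendor master
    ("SAP",    "alice@example.com", "S_A.SYSTEM"),  # system administrator profile
    ("Oracle", "alice@example.com", "AP_INVOICE_ENTRY"),
    ("SAP",    "bob@example.com",   "FB60"),        # enter incoming invoice
    ("Oracle", "bob@example.com",   "AP_PAYMENT_APPROVE"),
    ("SAP",    "carol@example.com", "FK01"),
    ("Coupa",  "carol@example.com", "APPROVE_PAYMENT"),
]

# Normalisation layer: map each system-specific entitlement onto a business
# function so that one rule can reason across SAP, Oracle and SaaS.
FUNCTION_MAP = {
    ("SAP", "FK01"): "CREATE_VENDOR",
    ("SAP", "FB60"): "ENTER_INVOICE",
    ("Oracle", "AP_INVOICE_ENTRY"): "ENTER_INVOICE",
    ("Oracle", "AP_PAYMENT_APPROVE"): "APPROVE_PAYMENT",
    ("Coupa", "APPROVE_PAYMENT"): "APPROVE_PAYMENT",
}

# Constructed procure-to-pay SoD rules: function pairs one identity must not
# hold together. A production rule set is larger and risk-rated.
SOD_RULES = {
    "P2P-01": frozenset({"CREATE_VENDOR", "ENTER_INVOICE"}),
    "P2P-02": frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}),
    "P2P-03": frozenset({"ENTER_INVOICE", "APPROVE_PAYMENT"}),
}

# Entitlements treated as privileged in the dormancy report (assumed list).
PRIVILEGED = {("SAP", "S_A.SYSTEM")}

# Constructed last-use data from each system's usage log; None = never used.
LAST_USED = {
    ("SAP", "alice@example.com", "FK01"): date(2024, 8, 20),
    ("SAP", "alice@example.com", "S_A.SYSTEM"): None,
    ("Oracle", "alice@example.com", "AP_INVOICE_ENTRY"): date(2024, 8, 28),
    ("SAP", "bob@example.com", "FB60"): date(2024, 8, 30),
    ("Oracle", "bob@example.com", "AP_PAYMENT_APPROVE"): date(2024, 3, 1),
    ("SAP", "carol@example.com", "FK01"): None,
    ("Coupa", "carol@example.com", "APPROVE_PAYMENT"): date(2024, 8, 15),
}
REVIEW_DATE = date(2024, 9, 1)  # assumed date of the certification run


def functions_by_identity(entitlements, scope=None):
    """{identity: {business_function: {systems granting it}}}.
    scope="SAP" gives the per-system view a single GRC tool sees;
    scope=None gives the cross-application view."""
    out = {}
    for system, ident, ent in entitlements:
        if scope is not None and system != scope:
            continue
        func = FUNCTION_MAP.get((system, ent))
        if func is None:
            continue  # not mapped to any rule-relevant function
        out.setdefault(ident, {}).setdefault(func, set()).add(system)
    return out


def sod_violations(entitlements, scope=None):
    """(identity, rule_id, {function: [systems]}) for every rule that fires."""
    hits = []
    for ident, funcs in functions_by_identity(entitlements, scope).items():
        for rule_id, pair in SOD_RULES.items():
            if pair.issubset(funcs):
                hits.append((ident, rule_id,
                             {f: sorted(funcs[f]) for f in sorted(pair)}))
    return hits


def dormant_entitlements(entitlements, last_used, today, max_idle_days=90):
    """Entitlements unused for more than max_idle_days, or never used, as
    (identity, system, entitlement, idle_days_or_None, is_privileged),
    privileged entries first so a certifier sees the riskiest items on top."""
    rows = []
    for system, ident, ent in entitlements:
        used = last_used.get((system, ident, ent))
        idle = None if used is None else (today - used).days
        if idle is None or idle > max_idle_days:
            rows.append((ident, system, ent, idle, (system, ent) in PRIVILEGED))
    rows.sort(key=lambda r: (not r[4], r[0], r[1], r[2]))
    return rows


if __name__ == "__main__":
    for scope in ("SAP", "Oracle", "Coupa", None):
        n = len(sod_violations(ENTITLEMENTS, scope))
        print(f"{scope or 'cross-application'}: {n} SoD violation(s)")
    for hit in sod_violations(ENTITLEMENTS):
        print("  ", hit)
    for row in dormant_entitlements(ENTITLEMENTS, LAST_USED, REVIEW_DATE):
        print("dormant:", row)
```

Run per system, every scope reports zero violations; run across the landscape, all three identities trip a procure-to-pay rule, because each holds one half of a conflicting pair in SAP and the other half in Oracle or Coupa. The dormancy pass then surfaces the never-used SAP administrator profile ahead of the stale business entitlements, which is the usage context a certification review needs before it can be more than a rubber stamp.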

SAP Transformations: A Once-in-a-Decade Opportunity

With many organizations migrating from ECC to S/4HANA, Makhija stressed that SAP transformations represent a rare chance to eliminate years of accumulated access model debt. As he put it, “migration is your one clean window to retire 10-plus years of access model debt. Don’t defer it.”

Equally important, organizations must apply continuous controls monitoring (CCM) before cutover, not after, especially when ECC and S/4HANA run in parallel. He explained why the timing matters: “Auditors don’t give you a grace period because you’re doing a migration. GRC has to be a go-live requirement.”

Identity Governance in an AI-First World

Looking ahead, Makhija challenged the assumption that AI-driven risk is a long-term concern. In reality, AI agents are already drafting contracts, triggering workflows, and approving transactions.

“The IGA playbook was built for humans at human speed. Agents operate at machine speed across multiple systems simultaneously. The old playbook doesn’t apply.”

— Manoj Makhija, Pathlock

As AI agents begin to outnumber human users, governance models must evolve, bridging IGA and GRC to enable preventative, data-driven controls.

Listen to the full SAPinsider Live podcast featuring Manoj Makhija.