Change is accelerating for security and controls professionals, especially within SAP environments. Cloud adoption and AI are redefining operating models, while regulatory pressure raises the bar for control and oversight.
Organizations face crucial decisions about where to invest time and money as well as how responsibility for risk is shared across the business. The choices made in 2026 will shape resilience, compliance, and scalability for years to come.
This blog brings together predictions and insights from Turnkey Consulting’s experts to offer a practical view of how governance and access are evolving — and how to respond.
“Governance processes become scalable at last”: Carsten Hufnagel, Managing Director
“I think 2026 marks a decisive turning point for SAP security, GRC, and IAM. In large SAP landscapes, complex data models and numerous relevant tables inevitably lead to extensive custom code, which slows down projects significantly. Anyone who continues to accept months of analysis and development phases risks falling behind the pace of evolving threat landscapes and regulatory demands.
I am firmly convinced that without the consistent use of AI, GRC will not achieve the speed required in the coming years. SAP Joule and comparable technologies must be capable of understanding the SAP data model autonomously, interpreting business requirements precisely, and automatically generating complete technical controls from them. For me, this is the key step to radically reducing time-to-control and finally making governance processes scalable.
I also see a fundamental paradigm shift in IAM. Traditional role models and recertification processes often create only an illusion of security. Decision-makers frequently approve access rights without fully understanding their real implications. AI‑driven analyses, as well as policy and attribute‑based access models, offer far greater transparency, currency, and risk accuracy — and this is exactly the level of precision companies will urgently need.
In short: AI will become a foundational requirement for future-proof SAP security, GRC, and IAM. I see our role as being the partner who not only understands these technologies, but also translates them into practical, robust solutions for our customers.”
“Making discovery and change management essential”: Aparna Rallabhandi, Principal Consultant - Identity
“One of the consistent lessons I have taken from many project deliveries is that some practices simply cannot be compromised.
At the top of that list is doing proper business analysis and discovery. When discovery is rushed or treated as a formality, delivery becomes harder, requirements keep shifting, scope increases, and teams end up fixing issues that could have been avoided with the right groundwork.
How we communicate change is just as important, because transformation is more than technology or new processes — it is fundamentally about people. If stakeholders are not brought into the journey, resistance grows, adoption slips, and the benefits never land as intended. Change management should be an ongoing effort to explain the why, address concerns, and create clarity along the way.
Rigorous discovery and clear change communication are non-negotiable priorities for future projects. They create the foundation for smoother delivery and reduce friction later. Every time these steps have been done well, the outcomes have been far stronger. This must be remembered in 2026 and beyond.”
“Turning Firefighter into a strategic tool”: Mathieu Bertrand, Director
“For 2026, SAP Firefighter governance — especially in SAP Cloud ERP Private (RISE) environments — needs a rethink.
I consistently see the same weaknesses reappear in cloud transformations: logs that are generated but not reviewed, emergency access roles that are far too broad, audits that remain complex and manual, and unclear boundaries between business, IT, and AMS provider access.
In many cases, Firefighter becomes the default entry point for all sensitive activities, which masks deeper issues in access design and control without addressing them properly.
What makes this particularly important is that SAP Cloud ERP Private adds a new layer of complexity. Cloud infrastructure, shared responsibility models, remote administration, and increased reliance on external providers amplify the risks of poorly governed privileged access. At the same time, these environments are far better suited to modern Privileged Access Management (PAM) solutions than traditional on-premise SAP landscapes.
This creates a real opportunity to treat Firefighter redesign projects as parts of a broader, enterprise-wide strategy. Organizations that take this approach can move toward stronger automation, clearer accountability, and more effective preventive control, rather than relying solely on detective reviews after the fact.
By integrating SAP emergency access into a global PAM framework, companies can reduce audit complexity, limit over-privileged access, and align SAP security with how cloud platforms are already being secured elsewhere in the enterprise. By the end of 2026, this shift may well become a prerequisite for scalable and auditable SAP cloud security.”
“Adopting AI is not the hard part — deploying it with discipline is”: Rene Nakache, Director
“AI is starting to reshape how people interact with ERP, and especially SAP. We’re moving from ‘click-through transactions and tickets’ to conversations, recommendations, and automation. That’s powerful…and risky if we don’t control it.
My view is simple: adopting AI is not the hard part; deploying it with discipline is. We need to master where AI runs, what it can access, and what it is allowed to output. In practice, that means treating SAP data as a high-value asset, where we classify what truly matters, restrict access to the minimum, and monitor usage continuously.
Just as importantly, companies must protect what creates value — customer data, pricing, financials, production, and HR — and make sure it stays inside the enterprise boundary. AI can accelerate decisions, but it should never become the fastest way for sensitive data to ‘accidentally’ leave the company.”
“Unlocking AI benefits without unlocking AI risks”: Cavan Arrowsmith, Sales Director
“From what I see with senior leaders, AI is viewed as both a negative and positive disruptor. Many organizations are making staffing cuts citing the operational efficiency gains that embracing AI will provide, and in the consulting industry, some graduate programs are being frozen due to AI disruption. The likely consequence of these shifts is that operational GRC and Security teams will be expected to utilize and exploit the benefits of AI in their day-to-day lives.
There are risks attached to this. Untrusted or unauthorized use of AI platforms that have not been risk and security tested independently could become the next source of an organization's breach. This could either be from leaking sensitive or personal data, or by revealing security weaknesses to publicly accessible AI.
Furthermore, many organizations lack the guardrails that allow them to embrace AI safely and perform their jobs efficiently, or aren’t sure which ones to use. Often, they rely too heavily on AI to support capacity challenges but don’t cast a critical eye over the responses or outputs. For example, if you ask AI very in-depth, subject matter expert level questions (e.g. ‘what types of controls respond to a particular risk?’), the foundational answer will likely help inspire to a certain extent. But copying and pasting into a report ready for board presentation doesn't mean the author understands the subject matter, and may cause misdirection of strategy if people trust the author implicitly.
In my view, tools like AI should be viewed as personal assistants, helping run and support tasks where you are not the strongest, where you lack capacity in that moment, or you are challenged on a deadline. However, you must always make sense of the output yourself, truly critiquing the responses and answers and validating with independent research. Look for support across your SME peer network, SME consultancies, and trusted authoritative sources like ISACA or IIA.”
“Treat agentic AI identities just the same as human ones”: Robert Lister, Senior Manager
“In 2026, one of the fastest-growing sources of privileged risk will not be human administrators, but agentic AI identities.
Organizations are deploying more and more autonomous AI agents to execute tasks, call APIs, manage infrastructure, and interact with business systems. These agents are increasingly being spun up dynamically, assigned credentials, and granted broad access with limited visibility or lifecycle control. In practice, many of these agents already operate with standing privileges that exceed those of human users.
The risk is structural. Agentic AI accounts are non-human, short-lived, and often created outside traditional IAM processes. This makes them easy to over-privilege and hard to audit. And when an agent is compromised, misconfigured, or repurposed, it can execute actions at machine speed with no human friction, turning credential sprawl into an attack accelerator rather than just a hygiene issue.
The solution is to treat agentic AI identities as first-class privileged identities. That means onboarding agents through PAM, issuing just-in-time credentials, enforcing session isolation and policy-based expiration, and recording all actions for forensic traceability.”
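The controls listed in the quote above, as an added example that is not part of the original post and not Turnkey Consulting's or any PAM product's code: a toy privileged-access broker in Python that onboards an agent with an explicit allow-list policy, issues just-in-time credentials whose lifetime is capped by that policy, binds each credential to one isolated session so a token from another session is rejected, and records every request in a hash-chained audit log so an edited entry is detectable. The agent name, actions, timestamps and the `FakeClock` are constructed for the demonstration.

```python
"""Toy PAM-style broker for agentic AI identities (constructed example).

Not Turnkey's code or a real PAM product's API. It models: onboarding with
a policy, just-in-time credentials with policy-capped TTL, per-session
isolation, and a hash-chained audit log for forensic traceability.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_actions: frozenset   # least-privilege allow-list for this agent
    max_ttl_seconds: int         # policy-based cap on credential lifetime


@dataclass
class Session:
    session_id: str
    agent_id: str
    token: str                   # per-session secret, never shared across sessions
    expires_at: float


class FakeClock:
    """Controllable clock so expiry can be shown deterministically (constructed)."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class PamBroker:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._policies = {}
        self._sessions = {}
        self.audit_log = []      # append-only; each entry is chained to the previous one

    def onboard_agent(self, policy):
        self._policies[policy.agent_id] = policy
        self._log(policy.agent_id, None, "onboard", "ok")

    def request_credential(self, agent_id, requested_ttl):
        policy = self._policies.get(agent_id)
        if policy is None:
            self._log(agent_id, None, "request_credential", "denied: not onboarded")
            raise PermissionError(f"{agent_id} has not been onboarded")
        ttl = min(requested_ttl, policy.max_ttl_seconds)   # the policy caps what is asked for
        session = Session(secrets.token_hex(8), agent_id,
                          secrets.token_urlsafe(32), self._clock() + ttl)
        self._sessions[session.session_id] = session
        self._log(agent_id, session.session_id, "request_credential", f"ok ttl={ttl}")
        return session

    def perform(self, session_id, token, action):
        """True only if the session exists, the token matches, it is unexpired, and policy allows."""
        session = self._sessions.get(session_id)
        if session is None or not hmac.compare_digest(session.token, token):
            self._log("unknown", session_id, action, "denied: bad session or token")
            return False
        if self._clock() >= session.expires_at:
            self._log(session.agent_id, session_id, action, "denied: expired")
            return False
        if action not in self._policies[session.agent_id].allowed_actions:
            self._log(session.agent_id, session_id, action, "denied: outside policy")
            return False
        self._log(session.agent_id, session_id, action, "ok")
        return True

    def _log(self, agent_id, session_id, action, outcome):
        prev = self.audit_log[-1]["digest"] if self.audit_log else "0" * 64
        entry = {"ts": self._clock(), "agent": agent_id, "session": session_id,
                 "action": action, "outcome": outcome, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.audit_log.append(entry)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_log(self):
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            if entry["prev"] != prev or self._digest(entry) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def demo():
    clock = FakeClock(1_000.0)
    broker = PamBroker(clock=clock)
    # Constructed agent: may read invoices, never post payments, 5-minute credential cap.
    broker.onboard_agent(AgentPolicy("invoice-agent", frozenset({"read_invoice"}), 300))
    s1 = broker.request_credential("invoice-agent", 3_600)   # asks for an hour, gets 5 minutes
    s2 = broker.request_credential("invoice-agent", 60)
    results = {
        "allowed_action": broker.perform(s1.session_id, s1.token, "read_invoice"),
        "denied_action": broker.perform(s1.session_id, s1.token, "post_payment"),
        "cross_session_token": broker.perform(s2.session_id, s1.token, "read_invoice"),
        "ttl_capped": s1.expires_at == 1_300.0,
    }
    clock.now = 1_301.0                                        # credential has now expired
    results["after_expiry"] = broker.perform(s1.session_id, s1.token, "read_invoice")
    results["log_intact"] = broker.verify_log()
    broker.audit_log[2]["outcome"] = "ok"                      # simulate tampering with the log
    results["tamper_detected"] = not broker.verify_log()
    return results
```

`demo()` returns a dictionary of outcomes rather than printing, so the behaviour can be checked programmatically: the allowed action succeeds, the out-of-policy action and the token reused from another session are refused, the requested one-hour lifetime is cut to the policy's five minutes, the credential stops working once the clock passes its expiry, and a single altered log entry breaks the hash chain.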
“Making the big strategic choice on GRC”: Simon Persin, Global Practice Director | RSC
“This year, I’ve seen clients using SAP GRC technology face a strategic choice. Do you stick with a private cloud option, with GRC 2026 coming to general availability, aligned to your current investment in Access Control, Process Control, and so on — or do you migrate to a public cloud SaaS option with SAP Cloud IAG, RAM, and ETD as a service?
Understanding the best strategic fit alongside your wider SAP and technology strategy, and the best functional fit, will be a key decision for 2026. For many clients, there is an SAP-first technology strategy in place. But even if the choice is SAP, there is still confusion about which flavor of SAP has the focus of investment for GRC solutions, and what functionality will be available and when.
There are alternative third-party options available, but these tend to compete on one aspect of the GRC requirement. Although the third-party tools deliver parity and often greater depth of functional innovation in specific areas, rarely is there a single answer that is able to compete across the breadth of capability offered by SAP.
The key question to ask yourself is therefore ‘what am I trying to achieve in my GRC aspirations?’. From that question, Turnkey can help to shape the appropriate ‘what’ and ‘how’ from your ‘why’.”
“Beware of the brownfield migration”: Simon Persin, Global Practice Director | RSC
“I believe the key SAP security challenges from 2025 will continue into 2026, including solving the conundrum of how to migrate to the S/4HANA technology stack. Whether that means taking the SAP Cloud (Public or Private) route or retaining the perpetual license scenario (potentially with third-party support), the strategic solution for how to get there is a significant investment in thinking and execution.
SAP is the backbone of many organizations, underpinning their IT estate, and is responsible for much of their revenue-generating activities. As such, retaining SAP is almost mandatory. But how to migrate to the ‘next-generation technology platform’ is a difficult calculation to make. It requires harnessing the potential for streamlining and standardizing to drive better business performance whilst protecting the business from significant disruption and unnecessary CapEx costs.
The hidden factor here is also maintaining a level of security that was hitherto assumed yet inadequate in many places. For many, a brownfield migration provides the path of least resistance, because it’s the cheaper option, avoids much of the scary ‘transformation’ that means additional business change, and allows it to be a technical migration project.
But think carefully: there is still the business disruption. And a brownfield approach effectively kicks the problem down the road, still incurs significant spend, and delivers minimal upside value other than de-risking the potential ‘end-of-life’ vendor support costs.
While initially more expensive, a transformation unlocks far greater business benefits, avoids duplication of project efforts, and reduces total cost of ownership from that point onwards. Whichever route you take, making sure the business access assignments, the shared responsibility operating model, and the end-to-end security are all in place is essential for a successful migration.”
“SAP security as a business enabler, and winning the PR battle”: Simon Persin, Global Practice Director | RSC
“In my experience, the threat landscape is arguably looking more robust now than it ever has been. With a polarized political landscape fuelling more populist views and state-sponsored attacks becoming the norm, there is every chance of organizations being targeted via cybersecurity attack vectors.
This may seem like a moment to retreat into defensive mode. But that’s a mistake. In fact, the big challenge for cybersecurity teams is to be perceived as business critical, not just an ‘insurance policy’ that brings cost and overhead. Teams must help senior business leaders understand that the investment will not just support resilience but reinforce and drive business growth.
This is exacerbated within the SAP security realm. As cloud adoption continues to grow, there is an assumption that full and complete security is inherently included, which is a dangerous and incorrect assumption, highlighted by the gaps in the shared responsibility model.
Thus, the fight for recognition of needing end-to-end SAP cybersecurity — aligned to the importance of SAP within your organization — continues. Positioning it as an enabler to the overall business strategy is a 2026 imperative.”
“Building belief in long-term GRC investments”: Marc Jackson, RSC Practice Director
“Understandably, I’ve seen customers who have been getting increasingly concerned about the future of their SAP GRC 12 on-premise solutions. Many have invested significant time and energy in deploying and embedding it as the backbone to their SAP risk and compliance processes, so that they have the level of control required to manage risks across their complex SAP landscapes.
This uncertainty has been fuelled by SAP's ‘cloud-first’ strategy, and a push towards cloud-based equivalents such as SAP IAG or SAP RAM. These solutions can act as a complement to existing ones. For example, the "Bridge Edition" of SAP IAG enables the extension of access governance to SAP cloud applications, which are becoming more and more prevalent within the standard SAP landscape.
However, SAP customers' risks, and the level of controls required to manage them, are complex. This means the more mature and functionality-rich SAP GRC 12 solution remains a key part of their risk and controls strategy and approach. SAP has recognized these needs, and their well-received response is the new SAP GRC 2026 release. The confirmation of the SAP GRC on-premise roadmap has helped to dispel rumors that the looming end-of-life timeline for SAP GRC 12 on December 31, 2027 (extended maintenance only until December 31, 2030) would mark the end of an SAP GRC on-premise solution altogether.
This has reinforced confidence in SAP's continued investment in, and the longevity of, their tried and trusted platform. And as a result, it will trigger the re-planning of multi-year risk and compliance programs. Teams responsible for managing Risk, Security, and Controls can plan with confidence, with additional interest in the new and improved functionality being provided and how it can support them in becoming increasingly more resilient.
These plans can also consider the right time to upgrade to the new version. We anticipate having many strategic and architectural conversations with our customers, especially as we get nearer to the general availability release in Q3 2026.”
“High-profile attacks are generating awareness”: Richard Hunt, CEO
“In the UK, we've seen several high-profile cyber attacks on manufacturing and retail clients in 2025. Only the attack at Jaguar Land Rover has been officially linked to an SAP breach. However, Marks & Spencer, Harrods, and the Co-Op all run SAP as well and have had major cyber incidents in 2025, which has served to raise the profile of cyber risk significantly.
At Turnkey, we've been speaking to clients about going 'beyond SoDs' for some time now, and have been working with products such as Onapsis and SecurityBridge since their inception. However, one of the key challenges in this space is that it's often difficult to find an 'owner' for SAP cybersecurity in an organization, and the governance model for SoD risks doesn't exist for SAP cybersecurity in most companies.
That has meant that, as an industry, a lot of our work in the SAP cyber space has centred around highlighting the need for action and educating clients around the ways that SAP systems can be protected from external threats. But with high-profile cyber breaches doing a lot of the education 'heavy lift' in 2025, it feels like there is a shift away from explaining the problem and towards solutions for a known issue. Will 2026 be the year when cybersecurity for SAP becomes mainstream?”
In summary: “Whatever you do in 2026, make sure you know why you’re doing it”
The consistent theme of our experts’ predictions for 2026 is the need for planning and strategy. This includes governance of AI, understanding how the cloud changes risk, managing non-human identities, and making security and GRC decisions with business context.
While some of the challenges highlighted here may seem daunting, all are manageable — and can be turned into opportunities — with the right approach and support. It’s something that we at Turnkey excel in — translating confusion into strategy and strategy into practical delivery, with a focus on partnership, pragmatism, and long-term thinking.
To speak directly with our experts, get in touch with the Turnkey team today.
