On March 3-4, 2026, the SAP for Internal Controls, Compliance and Risk Management Conference gathered SAP governance, risk, and compliance professionals in Amsterdam. Organized by TAC Insights, in partnership with SAP, the event drew SAP users, IT managers, auditors, risk managers, and security experts from across the industry.
The two-day conference centered around the latest updates in SAP’s GRC portfolio, including intelligent risk and compliance (SAP GRC 2026 releases), cybersecurity and data protection (e.g. SAP Enterprise Threat Detection and Identity Access Governance), the use of AI in compliance (SAP Process Control with AI enhancements), and security strategies for SAP S/4HANA and RISE transformations.
Axel Vetter of SAP kicked off with a keynote on improving organizational flexibility and turning regulatory compliance into a competitive advantage. He set an optimistic tone — one that was felt across the two days of presentations, conversations, and standing room only crowds — about the power of security and controls to enable business growth and drive progress toward broader strategic goals.
As a Platinum Sponsor, Turnkey had a prominent role, both in showcasing our expertise and contributing to the agenda. On Day 1, CEO Richard Hunt co-presented with SAP’s Chris Johnston. Together, they explored the shared responsibility model in RISE with SAP and how users can manage their responsibilities with confidence.
The next morning, Turnkey’s Simon Persin joined Sheryar Chida of Universal Music Group to share insights from UMG’s SAP access remediation journey to achieve SOX compliance. These contributions — alongside SAP expert talks and client case studies — exemplified the collaborative spirit of the conference. Across all sessions and conversations, several key takeaways emerged that those who were unable to attend shouldn't miss.
1. Simplifying the identity and access landscape
Sessions and hallway conversations revealed concern about “tool overload” for identity governance and access management, particularly for cloud and hybrid IT estates. One IT architect bluntly shared that their company is hesitant to introduce SAP Cloud Identity Access Governance (IAG) — despite its SAP-specific benefits — because they already leverage an enterprise-wide identity-as-a-service solution (Okta) enterprise-wide. “We don’t want yet another tool if we can avoid it,” they noted.
This sentiment of simplicity over complexity struck a chord. Organizations want to improve SAP access controls, but not at the cost of fragmenting processes or user experiences across too many systems.
The underlying question is how to reconcile SAP’s identity management offerings with existing corporate IAM frameworks. For organizations heavily invested in platforms like Okta or Azure AD, the ideal path is integration — using SAP IAG or SAP Access Control as specialized extensions of a broader IAM program, rather than siloed add-ons. But it’s clear that a better understanding is needed around how SAP IAG and/or Access Control can complement an Okta (for instance, by handling fine-grained SoD controls and emergency access in SAP) without duplicating what’s already in place.
Turnkey’s take: Integrating SAP and enterprise IAM
We’ve long advised clients to pursue a holistic IAM strategy — one that bridges SAP-specific controls with enterprise identity platforms. Our work around SAP Access Control and IAG, for example, often involves ensuring they seamlessly integrate with existing directories and single sign-on solutions. The concerns raised by customers validated that our role as integrators — not just implementers of single products — is crucial.
Further, it reinforced that success is two-fold. First, in enabling simplification through user-centric design. Second, in facilitating adoption by educating stakeholders on the interplay between SAP and enterprise identity and how the pieces fit together. We will continue helping clients leverage the full capabilities of their current investments (e.g. central user provisioning, AD group management), while introducing SAP’s GRC identity tools only where they add unique value.
2. Embracing cloud GRC and continuous controls
Many organizations are at an inflection point. With SAP moving to S/4HANA (on-prem and RISE cloud), customers are reconsidering their GRC landscape with an eye toward cloud-hosted GRC solutions and continuous control monitoring. The conference highlighted several related insights:
Moving to SAP Cloud IAG
Several case studies featured companies transitioning from the traditional SAP Access Control (on-premise) to SAP Cloud Identity Access Governance. One session featured a manufacturing firm that has implemented SAP Cloud IAG and plans to decommission its legacy Access Control system. The move took place as part of their S/4HANA transformation. They saw the cloud GRC tool as more aligned with a future-state SAP environment and cited benefits such as automatic updates, easier scalability, and better integration with cloud applications. Despite some challenges (data migration and re-training users), it was clear that cloud SAP IAG is ready and able to support large enterprises.
Continuous controls and process automation
Hand in hand with cloud adoption is the push for continuous controls monitoring. Instead of periodic SOX audits or annual risk assessments, companies want their GRC tools to provide real-time assurance.
One attendee described how they are expanding usage of SAP Process Control to monitor key controls continuously — for example, scheduling automated compliance checks and alerts for control failures. The organization had historically used SAP Process Control in a limited way, but after implementing new modules in SAP Cloud, they realized they could embed compliance monitoring into daily operations. The result is a more proactive stance on risk: issues are flagged as they occur, which helps in prompt resolution and reduces audit findings.
Varying maturity and making the business case
Not everyone at the conference was on the cutting edge. A frank conversation with one attendee underscored that some companies are still early in their GRC journey. “We’re pretty basic — lots of manual processes and relying on trust,” they admitted about their company’s access controls.
In some environments, the concept of automated controls or continuous monitoring is met with skepticism, e.g. “If it ain’t broke, don’t fix it.” For such cases, it’s often best to start with small wins: implement a single automated control or use analytics to show management where the biggest risks lie. By demonstrating quick value, GRC champions can build momentum for larger changes.
Turnkey’s take: Managing business change alongside modern technology
Clients are increasingly drawn to cloud GRC and continuous controls, with many evaluating SAP Cloud IAG and SAP’s SaaS offerings for GRC. Our extensive experience with SAP Access Control and Process Control, as well as the rest of the SAP GRC solution suite, means we can guide their roadmap. Depending on their readiness, that might mean an upgrade to the latest GRC 2026 on-premise or a leap to cloud-based IAG. A key aspect of this is helping clients define and deliver their unique business case, quantifying the benefits of continuous monitoring and automation with use cases, success stories, and data points.
Change management is also essential, and Turnkey recognizes our role is as much about guiding cultural change — showing stakeholders the value of new ways of working — as it is about the technical implementation. This work isn’t easy, but we meet clients where they are on the maturity curve and helping them advance step by step.
3. Cybersecurity & intelligent GRC: From logging to AI
Cybersecurity was woven throughout the agenda — not as a standalone topic, but as an integral part of GRC in the SAP ecosystem. A few standout discussions illustrated how organizations are making their SAP environments more secure and intelligent:
UI Logging and Data Masking for sensitive access
SAP’s capabilities for UI logging and masking allow companies to track exactly what sensitive data is viewed or changed in SAP and to obscure sensitive fields from unauthorized view — capabilities that are increasingly important for privacy compliance and insider threat monitoring. UI logging can detect unusual user activities — for example, if a user suddenly accesses an atypical transaction or views an unusually high volume of confidential records. By masking fields, organizations add an extra layer of protection on top of role-based access controls.
Real-time threat detection
Logging and monitoring of SAP systems is a must in the current threat landscape. So, it’s no surprise that SAP Enterprise Threat Detection (ETD), SAP’s SIEM solution for monitoring security events in real time, featured heavily in conversations around cybersecurity and data protection. On one panel, experts discussed how ETD can analyze SAP system logs to spot attack patterns or anomalies — for instance, detecting data exfiltration attempts or misuse of privileged accounts.
GRC and security leaders are actively evaluating SAP ETD and similar third-party alternatives (including Onapsis and SecurityBridge) to bolster their real-time detection capabilities. Their overarching strategy is clear: embed security monitoring into your SAP operations so that threats can be caught early, rather than discovered after a breach.
AI and analytics in GRC
Unsuprisingly, AI dominated the conference with a focus on applying analytics and artificial intelligence to GRC and controls. Without question, companies that harness machine learning to sift through vast amounts of security and controls data to identify patterns or predict issues will have an early competitive advantage. But many are still figuring things out.
For those looking to get started with GRC analytics, the advice was to begin with existing data (logs, user access records, incident reports) and explore simple analytics for trends — for example, which business areas generate the most SoD violations or what user behavior often precedes a security incident. From there, consider more advanced solutions. While true AI for GRC is still maturing, tools like SAP’s Business Integrity Screening, which employs predictive algorithms to flag fraud, allow for early steps in this direction.
The promise of AI is compelling and within reach. But as with any technology, AI needs business context. A session on Intelligent GRC noted the importance of Contextual AI — AI that is intelligible, adaptive, customizable, and context-aware — to ensure AI-generated decisions can be understood and adjusted by humans, especially for risk and compliance use cases.
Turnkey’s take: Aligning security and GRC with help from AI
Organizations are increasingly understand the importance of “security by design” in SAP projects. Regularly implementing solutions like SAP UI Masking and Logging make clear the value of granular security controls. Moreover, interest in SAP ETD and similar tools present the opportunity to help clients choose and use the right monitoring solutions for their needs.
Finally, on the topic of AI and advanced analytics, the takeaway is to leverage existing data for quick wins like control dashboards or trends in access risks. As AI capabilities in GRC evolve, we aim to be a guide — piloting new features with early adopters — but always translating them into clear business value. The emphasis on contextual and intelligible AI resonates with our philosophy that any automated risk detection must be explainable and tailored to each client’s environment. It’s not about AI for buzzword’s sake, but about smarter compliance that keeps humans in the loop.
In summary: The future of SAP GRC and security looks bright
TAC Insights CCR 2026 provided not only a view of where SAP’s GRC and security solutions are headed, but also a reality check from the trenches — how different organizations are tackling similar challenges in different ways. Several clear conclusions emerged:
-
Organizations crave simplicity and clarity: Whether it’s consolidating identity management or navigating the plethora of GRC tools, the recurring plea was to reduce complexity. This validates Turnkey’s aim of serving as a trusted guide —helping organizations chart a clear path for GRC and security, enabling them to get the most out of what they have, and adding new capabilities in a non-disruptive way.
-
Cloud and continuous = the future: The momentum towards cloud-based SAP solutions like S/4HANA on RISE and the expectation of continuous, real-time risk management cannot be ignored. Our early involvement in cloud GRC projects has prepared us to leverage lessons learned — for example, pitfalls in moving to SAP Cloud IAG or best practices in setting up continuous controls — and help clients upgrade their GRC approach in tandem with their digital transformation, modernizing security and controls alongside SAP itself.
-
AI and automation adoption varies: Some companies are on the cutting edge with AI-driven analytics and fully automated controls, while others are just establishing basic policies. For less mature organizations, foundational accelerators, like quick start templates for role design or control frameworks, can help build confidence. For the more advanced, integrating GRC data with enterprise analytics and piloting new SAP GRC features come into play. In all cases, empathy and listening — understanding each organization’s culture and pain points — remain paramount.
-
Innovate with purpose: Finally, the excitement around new technology — be it AI, or sophisticated tools like ETD and BIS — is contagious. As advisors, we’ll remain at the forefront as these solutions evolve. But real value comes from translating innovation into practical, actionable strategies. Our goal is always to ensure that when clients invest in the next big thing, it genuinely advances their risk management capabilities.
In closing, the SAP for Internal Controls, Compliance and Risk Management Conference (CCR) 2026 was a testament to the vibrant community in our field. Engaging with this community, sharing our knowledge, and learning from others left us with new ideas to implement and new stories to tell. As we digest all that was shared and follow up with the contacts we made, one thing is certain: the future of SAP GRC and security looks bright, and Turnkey will continue to be at the heart of helping organizations unlock that potential.
