As we move into 2026 and beyond, the same pattern keeps emerging across SAP customers – regardless of industry:
SAP landscapes are steadily becoming more hybrid, spanning on-premise systems, cloud environments, and multiple SaaS solutions.
Compliance expectations are increasing while threat pressure accelerates. And yet, identity data, access risk, and security monitoring are still too often handled in separate worlds.
This article goes deeper: it focuses on what identity governance means specifically in SAP landscapes and how to build an operational program around it.
At Xiting, we start with the SAP reality: authorizations are powerful, business-critical, and complex. The objective is not governance on paper – it is operational governance that works across systems and remains effective over time.
IGA can be defined as the set of policies, processes, and technologies that continuously manage identities and control access to systems and data – typically with automation for access reviews, provisioning and deprovisioning, and compliance enforcement.
In theory, that sounds straightforward. In SAP, IGA becomes truly tangible once you can consistently answer these questions:
If your organization cannot answer these questions reliably and across systems, you have an identity governance gap – even if individual tools are technically in place.
SAP is not a single application. In most organizations, it runs the highest-impact business processes – from finance and procurement to HR and logistics. The difficulty with identity governance in SAP is not only the scale.
It is the combination of several factors that reinforce each other:
→ Users often have different IDs, naming conventions, and directory entries across SAP on-premise, SAP BTP, cloud applications, and third-party systems. Without consolidation, cross-system governance is impossible.
→ SAP authorization concepts – with single roles, composite roles, derived roles, and Fiori catalogs – create layers of access that are difficult to trace, review, and govern over time.
→ SoD rules, critical access definitions, and detection patterns must stay current. When SaaS and cloud applications update frequently, static rulesets become outdated fast – creating blind spots in risk analysis.
→ Many organizations have governance processes (access reviews, approval workflows) that run on a quarterly cycle, while threats and policy violations happen in real time. Without bridging that gap, governance remains reactive.
On top of these structural challenges, SAP customers now face an additional catalyst: SAP Identity Management (SAP IDM) reaches end of mainstream maintenance at the end of 2027, with no direct successor product. For organizations still relying on SAP IDM, this adds urgency to rethink identity governance holistically rather than simply replacing one tool.
This is where we position the Xiting Security Platform (XSP): it supports user and authorization management, compliance management, and cross-system risk analysis – and it also adds real-time monitoring with SIEM integration to help detect and respond to threats through our new tool Falcora.
In SAP security discussions, three terms are frequently used interchangeably: Identity and Access Management (IAM), Identity Governance and Administration (IGA) and Privileged Access Management (PAM).
They overlap, but they solve different problems – and mixing them up is one of the fastest ways to build an incomplete program.
The pattern is almost always the same: organizations implement one layer and assume the others are covered.
The goal is not to pick one. It is to connect and orchestrate all three in a SAP-centric way: use IAM to establish strong identity and authentication, IGA to govern and prove that access is appropriate, and PAM to control the most sensitive privileges – all tied together with monitoring so governance does not live in a quarterly cycle only.
When explaining identity governance to executives, simple frameworks work best – as long as they still map to SAP reality.
One practical model is the “Four A’s”:
This structure is simple enough for leadership, yet practical enough for SAP teams. You can immediately see which layer is strong, which one is missing, and where Xiting capabilities (governance + workflows + content + monitoring) can close the gaps.
And I'd like to thank everyone and I'd like to thank everyone for joining us today. But before we begin the webinar, just a few quick housekeeping items. Recording of the webinar will be provided after the session here today for any participants that have signed up or or joined or if you need to leave halfway through. We will provide a copy of the webinar recording to you after the call has been completed. Participants' webcams and microphones have been turned off to ensure audio quality. If you have any questions throughout the presentation, please feel free to submit them in the chat. We will reserve time at the end of the session to review and address as many of those questions as possible. But with that, let's go ahead and get started. My name is Alex Manning, and I am the managing con managing consultant, for the Americas here at Xciting. And joining me on the call today is Alessandra Banzer, who is the CEO of the Americas. I'll be moderating today's webinar titled the SAP centric IGA blueprint for hybrid landscapes. And this session really marks the first webinar in our security madness two thousand twenty six series, which is our March themed program inspired by the excitement and competitive spirit of the well known college basketball tournament, March Madness. And then we can see here them repping the Kentucky team here. But, anyway, this session marks the first web or whoops. Much like our tournament itself, success in SAP security comes down to preparation, structure, and strong fundamentals. The organizations that advance are the ones that build on a solid foundation and execute with discipline. Across this series, we'll break down the key building blocks of a resilient SAP security strategy starting with today's presentation, which is defining the IGA blueprint. The following webinars that follow will talk about redesigning roles and authorizations, implementing SOD and risk analysis, modernizing the identity life cycle management, as well as ultimately advancing toward an AI driven security monitoring for SAP environments. And each of these sessions ultimately build on the last just like progressing through a bracket. And today, we tip-off with the blueprints. Today's session focuses on something every organization talks about, but not every organization truly designs, an SAP centric IGA blueprint. Hybrid landscapes are now the norm, which include s four HANA environments, ECC remnants, cloud applications, BTP services, third party integrations, and now even AI driven tools and autonomous agents operating together. The challenge isn't simply governing identity. It's governing its consistency across that complexity, managing both human and nonhuman identities within a unified framework. Without a blueprint, IGA really becomes reactive. But with a blueprint, we can become strategic. Today's discussion really sets that architectural vision for everything that follows with the security madness series that we have for March. And with that, I'll go ahead and turn the webinar over to Alessandro to begin the presentation portion. Thank you, Alex, and welcome, everyone. My name is Alessandro Benser. Like Alex said, I I head up the Americas for exciting. I've been in SAP security and GSE for, I think, almost twenty years now. I'm getting old, that means. And, yeah, I'm very excited to to be here today to talk about the IGA and the IGA blueprint. And as Alex pointed out, it's, like, a high level overview that goes into certain details and recovering a lot of of the aspects that are then also laid out in in the in the following sessions. So what do I have on the agenda for today? At first, a little bit about exciting. Just for those of you that are new and that have maybe haven't had interaction with us yet, just a little bit couple minutes about about us, what we do, why we're here, why we're talking to you. And then we wanna, dive into the topics. I wanna talk about that ITA, identity governance and administration. What does that mean? What's what is a modern ITA? Why is it important? Especially, why is it important now? What changes with AI, with the AI, with all those LLM new things that are that are coming out and are probably already in your environment? How do we, you know, guard that? How do we protect that? How do we, you know, talk governance and all the aspects around? And also a little bit, you know, why you have to adjust your IGA or why your traditional IGA will fail, and, you how we have to then really incorporate these new things into into your IGA blueprint. With that, let me get started. Let's start over with just, like I said, a couple minutes about Xighting. We've been around for, quite a while since two thousand eight. Originally founded in in Switzerland. We're an SAP solution provider in in in particular in sub security. We have a lot of solutions. So we're a solution provider. We also do consulting services, and all our solutions, they are SAP certified. So we are fully certified for S4HANA, S4HANA Cloud, and and different other certifications that we hold as well. We're also, obviously, SAP partners, and like I said, very heavily focused on on SAP security. We have offices throughout the world, I would say. Like I said, originally, we're from Switzerland, but we have offices in in Germany, in Romania, in the UK. Also here in United States, we have, sales locations in Argentina and Colombia, and we have, obviously, a global presence through our partners. So we work with over over eighty global partners that, use our tools, our services, and, you know, distribute our knowledge and our experience and, obviously, the solutions as well to a global audience. We very heavily focus on four pillars, I would say. The first one, that's also where we originally come from. That's particularly our authorizations management. So we typically or traditionally come from, yeah, ABAP authorizations or ABAP authorization concepts, redesigns, S4HANA migrations, Fiori security implementations. Anything around roles and authorizations management, that's where we originally come from. That's also where we have our flagship solution, the exciting authorizations management suite that really enables and accelerates anything, authorizations related. So when it comes to role building, role testing, role design implementation, fallback, go live scenarios, anything and everything around the authorizations management, that's, you know, what we do. That's our bread and butter. Then we also moved into different areas over the years. One big area is obviously also the entity access management, I'm more than also now more the ITA portion of it where we talk about and and, obviously, have solutions when it comes to user management. So the workflow driven approach for self-service capabilities, integrations into HR applications. We'll talk about that a little bit later. But then also anything when it when when when when it comes to the entities in general with the cloud and the services, we do a lot of consulting in that area as well, b two p security, implementing security concepts for those, and making sure we have a holistic approach and and, you know, a governed and secure environment also when it goes beyond just a traditional app up on prem. Then we also do a lot of things in regards of cybersecurity and security monitoring. We have a very exciting session coming up. That's I think it's the fifth session where we talk about our AI driven security operation centers over the end of the month, the end of of March, we're releasing a new a new solution that fully automates the security operations centers or the SOC level. We'll talk about that briefly today as well. But, obviously, we also have other capabilities when it comes to security monitoring, cybersecurity monitoring, especially in regards to anything SAP, up up on prem or or on prem application in general, but then also cloud logs, making sure that, you know, everything that we've implemented stays compliant, stays secure, and, you know, therefore, we also have different capabilities around there. We also have a lot of integrations in general. We'll better it in in a in just a minute. And so we also integrate with, you know, standard solutions like Centimeters applications for event and information monitoring solutions and so on, different integration capabilities. And then last but not least, we also talk about governance risk compliance. That's where I originally come from. I've been doing sub g o c or access control in IHE for almost fifteen plus years, almost eighteen or nineteen years. That's how old I am. And, obviously, there we talk about, you know, emergency and and privilege access, obviously, the rule set topic, which is very important. We have a specific session on that topic as well because, you know, rule sets are important, especially with all the governance and and, you know, comp compliance requirements we have. And that's obviously also important in a hybrid landscape, especially also when we move towards cloud and get more and more solutions covered. Cross system risk analysis, simulations, you know, mitigation scenarios, all those things come together, and we have solutions for all of that. And that's ultimately what we do. With the solutions, we're not just a solution provider. We also do consulting services. So if you're interested in any kind of of of, you know, consulting, whether it's managed services or more like package services that we can deliver or then also project or sales consulting, so when it really means to implement, redesign, migrate, any any type of guidance and consulting support you need, we we provide that as well with our consulting units throughout the globe. With that, let's go a little deeper just for another minute. We have an entire portfolio, obviously, of services and solutions. And what's important for us is we live and we have our our, yeah, our saying is get connected, run secure. So what does that mean? We have a lot of solutions, lot of solutions that have been around for many, many years, and a lot of solutions that are used by various customers around the globe in any industry, any size and regulation that they have to follow. But we don't reinvent the wheel. So we want to make sure that we, you know, get connected and run secure, which means, you know, instead of reinventing the wheel, we also connect. So lot of our solutions, they're also available to integrate with existing solutions. So if there's something already in place, it's very likely that we offer interfaces connectivity to those applications. So in in you know, that that goes from, obviously, the classical authorizations and user management, whether you do those through our tools or if you're using, let's say, like, an IEM solution, like a SailPoint or Nomada or even a sub access control to your c or sub IDM. We can connect to those and then provide additional functionality like your risk risk simulation, risk analysis, license analysis, anything that we provide with solutions, we can also offer in an integrative way with those applications. We connect to Centimeters applications. We connect to licensing solutions for proper license management, and then, obviously, anything and everything within the SAP ecosystem that we support and and connect to. With that, enough about what we do. Let's talk about the topic. The IGA or entity governance and administration is a very, very important aspect. The entity governance administration talks about life cycle, excess governance or governance in general, and then, obviously, the entire administration aspect of how do we maintain, how do we, you know, handle all that. So I have a couple slides prepared. First and foremost, I just wanted to get started with, like, what is IGA? You know? Because maybe not everyone of you is familiar with IGA or has not really heard the term. Oftentimes, we, you know, use one term and mean another. But IGA is basically a framework, and that's that ultimately answers your most critical security questions. And ICA is more than just for SAP. Today, we're talking very specifically on SAP, so I wanna be SAP focused. But ICA is a broader topic. It's a framework, And it's a framework that ensures that the right people have the right access to the right resources at the right time and that you can prove it. That's the ultimately what it comes down to. So what does that mean? That means it handles all your entities, human, nonhuman. We'll get to it in a second, especially with AI, with the bots, with the agents. Very, very important. But IT ultimately really follows that approach. Like, it will it it it needs to tell you who has access to what, should they have it from a GRC perspective, SOTs, critical authorizations, or other governance aspects, who approved it, and when. So it's the entire audit trail that's important, and that's ultimately also what your what your what your auditors will ask you. They will ask you those those four questions. Who has access to what? Who approved it? And when was it granted? That's ultimately what an IHA solution needs to provide you. What needs to prove you is that you have a proper implementation, a proper life cycle that, you know, has governance aspects, and then the entire audit trail for visibility, all the analytics capabilities that are audit ready for any type of reviews. That's very, very important. So I chase a framework. It's not necessarily a a tool, you could say. It's more a framework, more an approach where we have to follow and consider many, many many, many different points that that that that that go towards that. So when we look at modern identity and governance and administration framework or a solution that provides those IGA capabilities? What are the most important features that we have? We have that in three silos, as I like to call them. We have the life cycle. We have the governance aspect and then the entire intelligence. On the life cycle, and that's obviously very, very important. The life cycle and and also governance, knows intelligence needs to handle and needs to be available and and around for not just your human entities, also for your nonhuman entities, like your AI agents, your bots, your service users, your interfaces, pretty much anything. So we need to establish life cycle processes for anything and everything that's that's that's accessing your applications. Very, very often, obviously, we we start with with human interaction, and there we have typical, like, join and mover lever processes where, you know, we have provisioning, deprovisioning, and all those good things, we won't have triggered automatically if possible. So if you have a, like, an HR application in place, like SuccessFactors or Workday, we wanna make sure that when our HR department enters a joiner, that a process gets triggered automatically. Or if you have someone that leaves the organization, that we deprovision the access automatically. That's very, very important. And, obviously, also in between, so the entire life cycle from hire to retire, as we also call it, job changes, organizational changes, all those things need to be reflected, and we always have to live the the process. Again, I think there, one of the most important things is that we automatically trigger it. That makes it that makes it, yeah, that makes it much more efficient and helps along the way also to, you know, prove compliance down the road. In the life cycle, obviously, we also wanna include the governance aspect. So for example, the SOD controls, cross system SODs, critical authorizations, you know, checking for critical transaction codes, Fiori access. We shouldn't leave Fiori out now because Fiori becomes very popular. But then also not just the for on prem. It also needs to be for cloud applications, for your S4HANA public cloud, but also for others like SuccessFactors, Ariba, Fidelis. There's a lot of things in there that are also critical that lead to SOD conflicts, and those need to be established as part of the life cycle as well. With the life cycle, obviously, as well, and that's also in the context of IHE, very, very important, is your back end authorization. So your classical ABAP authorization concept, obviously, needs to needs to be adjusted or needs to follow certain principles. So if we wanna remediate SOD findings, we have to start in the authorizations. Because if we have roles and authorizations built in PFCG that are, you know, totally overloaded with authorizations, it's very difficult to remediate that on a user level. So we also have to consider the overarching ITA framework also down to the authorization, not just in your ABAP on prem. That's typically the core application. That's where we have the most authorizations and the most the the the most reasons to to separate and and then have a close eye on those. But also for other applications like your SuccessFactors, your Fieldglass, and all the others need to follow that as well. It's ultimately important because when we do the life cycle, when we have, let's say, a joiner or a mover or a lever process, oftentimes, we also wanna automate those entirely. So when we have someone joining the organization, we wanna provision the user. Provision the user doesn't just mean we're creating a user ID and and and create the account. We maybe also wanna provide certain access, and that's one something we call birthright access. So they get that access when they're born, basically. So the identity is born, and then we provide certain access along with it that can be based on on the job, that can be based on the position, on the organization. And if we do those type of life cycles, which ultimately then will make our process much more efficient and automated and also from their perspective more compliant because we have certain guardrails in place, that goes back down to a proper authorization concept. So if I have proper authorizations controlled, then I also control the the change, There's a proper change controls on my authorizations and including all those governance aspects, then I can also automate the life cycle for, like I said, typically for joiners, providing access for movers, deprovisioning old access, granting new access, all the way to a lever when someone retires to taking all the access away, locking users and invalid users as well. So the life cycle is very important, but the life cycle alone is not everything. We also need the governance So we have, obviously, certain things, like we said, we can automate, but others we cannot. So certain things need to be provided in addition to what is automatically provided. Like, for example, then we talk about self-service capabilities, you know, giving the users or manager, whoever, the ability to request additional access, but also those additional access that is not automatically provided needs to be governed. We have to have policy enforcement, SOT checks, critical authorizations, mitigation strategies, and so on. Very, very important. Again, not just for your human identities, also for your nonhuman identities. So for your bots, for your RFC interfaces, for your technical users, for the agents, and so on. And that all goes for everything, for the life cycle, for the governance, and then also the intelligence. In the governance aspect, we also wanna make sure we orchestrate workflows. We have a lot of different workflows that concern IGA, typically your typically your user provisioning workflows where we have, you know, multistage approval processes, manager approvals, role on approval, risk owner approvals, maybe an admin that needs to interfere. Maybe we have license implications where license costs like, a user might you know, new authorization might lead to to a higher license cost. Maybe we have an additional approval for that or someone that reviews that. So a lot of things need to be orchestrated, need to come together. Not just the access request where we provide access and deprovision access, also the entire review when we talk about access certification, user access reviews, but also reviews of role content and other things that need to be reviewed. That's very often done in campaigns and also can be prioritized by by risk level, by criticality. Sometimes also certain thing need to be done by calendar date, not exclusively, but some need to be done once a year and so on. But that's also very important that they feed into that. So if we do user access reviews and we deprovision access, we have to make sure that, you know, that's governed through an ITA approach and properly documented audit trails and so on. So even we take something away, we always have to be able to document why and who decided when and what. That's very, very important. The last pillar is the intelligence aspect. That's all about reporting analytics. So different dashboards, obviously, evidence packages that need to be put together. And that's obviously very, very important as well, and the audit will come one way or the other. And it's important that we have that always available, not just when the auditor asks for it. So we shouldn't put the evidence packs together when the auditor asks. The application needs to support that. And, obviously, modern applications, that's a hundred percent mandatory, and we always have to be able to answer the who, what, why, when, and that that's important. We also talk about the entire entitlements, obviously, from on prem to cloud. You know, different applications have different authorization concepts. Insights into those is is critical, but then also understanding and, you know, building rules around that. And like I said, for the nonhuman entities and the entire AI agents, and they're booming right now, we'll we'll get to that in just a minute, we also have to ensure that all these processes, the life cycle, the governance aspects, but then also the intelligence needs to also exist now for all those technical or nonhuman identities. That's very, very important. Because even there, if something happens, in order to will ask who approved when and why and what, and that's why we also have to include that into our, IGA approach. I'm not sure. Kati, do we have a a quick poll on that? I think we have a quick poll just to yeah. There we go. Just a just a quick poll just out of out of curiosity that we wanted to see. We have, like, two two quick question. The first one is, you know, what's the the biggest thing of slowing down your IGA in today's landscape? And then the second one will be around the AI agents. So if you wanna answer those, that would be fantastic. Then we can also, I mean, a little bit look at, you know, what the what the answers are. But let me continue. So IGA is obviously, yeah, a big a big topic for many organizations, and it's also becoming a board level topic. So more executives and more, you know, higher ups are now talking about IGA, and it's important that we address that and also look at that very, very briefly. So first and foremost, identity is the number one attack vector for most organizations. What does that mean? We have insider threat. We have, you know, obviously, externals like hackers or in you know, criminals that try to exploit and and get access to this. But also the insider threat where we know the human, the the people, they are ultimately a risk to our organization. So identity is the number one attack vector. That means, especially for SAP applications, that's a hundred percent true because SAP especially how they it holds all our sensitive business data. You know? That's basically our secret sauce. That is in SAP. We have the financial records, all the payroll, HR, all the like I said, the secret sauce is in SAP. And that's why whenever there's a breach in SAP, it's not just an I c IT incident, it's really a business crisis. That's why it's very important that we address identity, that we live a proper workflow, a proper life cycle, govern that, and have the ability to administrate and get intelligence on it to always report who, what, when, and why. AI agents, like I mentioned, we'll have have a slide just the next slide, we'll talk a little bit more about AI agents and what that means. But AI agents and AI in general is becoming overly popular. I mean, I think you guys have all all seen and heard and and and have your experience with AI. It's incredibly powerful already, and it's it's only going, you know, gonna be more and more. And SAP is pushing it hard as well. We have tool. We have b two p automations. We have other AI tools around that are integrated. And also those, we now have to address because, ultimately, what we see a lot is now, you know, organizations are adopting AI because it's it's fancy. It's interesting. It it solves problems, creates others, but it's also very interested in learning more or trying out, and we're we're we're we're trying to automate and, you know, lower headcounts and save money and all those good things. But, ultimately, it also has an inherent risk that we have to also manage those entities. We see it many times where, you know, we start with, like, a POC. We, you know, let let an AI agent operate with my authorizations, and then we go to production, and it still has my authorizations. And that should not be the case. We don't know who approved the access. We don't have specific roles for it. We don't know anything about it. And so that's why it's important that we also, you know, talk about AI, and that's also why IT now is becoming a board level topic because we have to address and also answer questions on the AI side. Then, obviously, there are a couple of things also impacting the the the board. That's obviously the sub IDM. Many of you probably have sub IDM in place. It's going out of maintenance in end of twenty twenty seven, so there needs to be a replacement solution one way or the other because it's all going out of maintenance. A lot of organizations are shopping around. There's different applications or different solutions out there that can help with that, and that's obviously also one driving factor into really talking ITA and talking ITA strategy, you know, more than just probably more than just just on the SAP side. Then we have a lot of a huge a huge gain or a huge drive towards the hybrid landscape. So we have more and more applications that come into picture and not just our on prem ECC like it used to be in the days. Now it's s four, s four on prem, s four cloud, public cloud. We have BTP. We have all kind of cloud apps, SuccessFactors, Ariba, you name it. And then also non SAP or third party apps that are now all of a sudden hosted on BTP that have identities, two things. We have the we have bots, you know, the the RPAs and so on. And there's a lot of identities that are that are that are now, you know, coming around and not just in one application, cross application in the entire landscape. And that's the hybrid landscape makes it more more complex, more more difficult to to govern, and that's also one thing where we need a a full fledged ITA approach. Also, obviously, on the regulation side, I mean, you know, SOX and GDPR and ISO and all those frameworks, they're more and more there's more and more requirements from stock market, from regulators that that we follow and and adhere to different policies, and that makes this very important. And if you break it down, obviously, a a a big push towards or because of the end of maintenance, also, ECC is going out of maintenance that is driving that. And then, obviously, the AI is a big driver in talking ITA. There's a lot of studies out there. Gartner has a couple. I found here one from, or not just found one. I know one from, Rubik's Rubik's Zero Labs that are saying, today, there are already forty five nonhuman entities for every human identity. So, basically, that means for every person that has a user, there's forty five nonhuman identities. It could be a bot, an and whatever, and that's only going to grow. Gartner is predicting that to grow even faster. So that means there will be a big shift towards the technical, the nonhuman users, and that's why we need really need to start addressing that and start looking into what that means. Not as much. Switch. Here we go. Specifically, I I spoke a lot about AI agents and AI in general. I mean, we all know AI is becoming overly popular, and AI agents are or AI in general is fantastic. I use it every every single day. It's it's my companion. It's my copilot for many things. I do a lot of things. I I I build my own agents that are fantastic to do a lot of work for me or or not just a lot of work, but they help me to be more efficient or review things or do things for me. And that's also obviously becoming now popular or not just popular, becoming reality in your productive environment. So in your ECC, in your s four, in your cloud applications, AI is coming. Whether you like it or not, it's adopting. And from an AI perspective, there's different ways of how AI or the agentic AIs interact with your environment. Sometimes you start out with a Copilot. That's like your your your chatbot. Like, you know, you you ask questions and answers and, you know, gives you drafts your request and summarizes certain things and explains the context. But then from a chatbot, it might go into more like an assistant where it gives you recommendations, what you could do, all the way to an agent where all of a sudden, it acts on behalf of you or it acts by itself. So the chatbot, you know, is not just answering your your questions, like, you know, you know, explain me why someone got or explain an SOD conflict. It's now maybe also going towards, okay. Let me let me clean it up. Let's do a deprovisioning request, or let's change authorizations. So as soon as a chatbot also evolves into more, like, the doing side, it becomes an agent. Agent has a different meaning as well, but we see that very often, where it progresses. We start somewhere, then it progresses into more like an an agent where it executes tasks directly and, you know, sometimes with approval, sometimes without approvals. And that's what we really need to consider now as well. So whenever we talk AI, we talk agents, we have to establish guardrails. For me, they're nonnegotiable. We have to talk about that. We have to talk about different action tiers, you know, what what what you know, which agent or which AI application does certain recommendations, you know, who can do you know, which which agent or which which app can execute, you know, who approves access, you know, how do we how do we ensure that we review what an AI agent does, who can even review what an AI AI agent does, and then ultimately also down to the road when we have an audit. Because if an AI agent does something, someone will be or has to be accountable and responsible for what the AI agent does. So then there must be clear ownership. We have to be always able to explain what was the rationale behind an AI decision, especially when they when they act autonomously. So if they're just, you know, doing things, which that's the future. That's where it's going for certain things. It's fantastic. But we have to be able to explain and document and and and ultimately answer to the auditors if something happened, whether good or bad, but someone will ask, and we have to be able to document. It also goes back to the identity. We have a lot of AI agents. They they connect from left to right. They have a lot of authorizations very often, and that's why it's very important that we govern it properly. We run them through the the life cycle because also AI agents, eventually, they it's like hire and fire. Right? We hire an AI agent. We fire it eventually. And and and during the life cycle, it might change positions or or maybe capabilities. You know, it starts as a chatbot, but eventually, it's an AI it's it's an fully automated agent. And that's why it's important that we also control the access the agent gets. Whenever we have agents, whenever we have AI, we have to make sure we have kill switches and human override because we don't want them just, you know, autonomously do whatever and and and go, you know, go in loops and do. So we have to make sure there's the kill switch is in there. It should never, you know, operate without any escalation path. It should always be, you know, under clear ownership, and someone needs to be accountable and responsible for what the AI agent for for does. And I'm pretty sure we had it in the poll. I'm not sure how many AI or how many AI agents you're already using in your in your application. I mean, we all talked about we all heard of Chewel and other automations. It's become more and more. And I think they're already in your landscape for for most of you at least, and it's important that, again, we define ownership. We define review cycles. We define the guardrails. That that that's a must. It must change today because, ultimately, that's where the world is going, towards, and that's why it's important that we really think about that and also think about it in the context of of of IGA of the entire life cycle. When we look at traditional IGAs, mean, IGA is not nothing entirely new. IGA has been around, and, you know, you could say with sub IDM or others, you already have, like, an IGA in place. You know, you might have your your access controls, your GSEs connected for risk and as a simulation and so on. So certain things are already there. But why do traditional ITAs fail in a hybrid scenario, especially now when we also look into AI and we're now in a area of of of of AI? And I was kinda trying to show it in in in sense of, like, a like an iceberg. And the tip of the iceberg, that's like our static design and our human only lens that we're focusing on. And when we think about, like, our traditional sub IDM or even if you sub access control g or c or other, let's call it, more older applications, they were built for on prem lives for on prem life cycles and not so much for SaaS. So very often, they're lacking the SaaS support for your success factors, Naribas, and so on, and BTP itself. And but also AI and all those new things are not really considered from ground up. That means that all the machine identities and AI, since they're scaling so fast and and, again, without ownership, our our IDM cannot really keep up with that. That's why we, you know, we have to really rethink that. And that's why I think this the the traditional ITA, it's kinda failing because we're only looking at the tip of the iceberg, and we kinda forget what's underneath, which is very, very important. And I think one big topic is the entitlement sprawl, especially with the cloud adoption, with the hybrid landscapes, and also just historically. Because I've I've been to many, many customers that tell me, hey. You know, we used to have grid authorizations in the nineties, but, you know, the business evolved. We acquired companies. We had, you know, sell offs and so on, and a lot of things changed. It changed it changed hands. It changed, you know, over and over. And a lot of times, we have hundreds and thousands, and we've got tens of thousands of roles and authorizations laying around. Some are used, some are not. Now we add more applications to it, cloud applications to it. There's new authorizations, new roles. We don't know exactly. We don't have a concept. We don't have a clear concept. We have nothing that governs the entire hybrid landscape from left to right in the context of IGA. Why is that so important? Because, ultimately, we have to authorize users, whether the users are a human being or a nonhuman identity. We have to authorize someone, and that's why we have to make sure that the the authorizations within the systems is properly properly built. And especially also when we review older organizations that have been around for years and had, you know, ECC for for decades, some of the users still have roles that were built in the in the nineties. And I don't mean they're negative. It's just reality. The roles are still working. They were always added there were always authorizations added on. They're fully functioning, oftentimes way, way more than what the user needs, and it was always added on. It's accumulation of excess, and it's very, very difficult to provision, but also very difficult to review. And that's ultimately why we talk, redesign, getting up, following a proper, you know, authorization concept across the board, not just in one system, but across in the entire hybrid landscape. Because, again, sometimes also business processes, they start in one application, continue another, and might end in a third application. And the entire process needs to be obviously documented, but also properly authorized from start to finish, and that's cross system. That's why we always talk cross system SODs and cross system risks, but also cross system authorization concept are very, very important. Then we also have, obviously, a lot of silos nowadays. Very often, we have we have maybe an IEM solution. You know, we have a GRC solution. We have our firefighting solution. We have Centimeters applications. We have our SOC teams that do certain things, and it's all in silos. They're not talking to one another. It's not integrated. And that's one thing also where we have to be, you know, more cautious and more you know, we have to address that more going forward is to bring those closer together. That's also the the fifth session where we also talk about our new SOC tool where we also consolidate different application into one. That's ultimately what we also try to do with our get connected run secure approach is connecting all those applications, whether it's your I'm application, your tier c application, your, obviously, your back end applications, get them together, connect signals, locks, and, you know, correlate and, you know, you know, build out or get actionable insight and results out of it. Last but not least, obviously, also a lot of times, you know, we have manual ticket driven approaches, manual processes. You know, very difficult to match the speed of business as especially now with AI. I mean, if we're still following a paper trail or even manual workflows, it's very difficult. That's why we talk with the life cycle. We have to make sure that we, you know, automate it more and more so that we're more efficient going forward and always obviously, keep keep the governance aspect in scope there as well. So when we look at, again, the iQIYI blueprint, so if we just go a little bit deeper now. We have the three blocks. We have identity life cycle, access governance, and then the access intelligence, I mentioned already. On identity life cycle and I have one slide each just to go a little bit deeper. On the identity life cycle, obviously, again, we talk about the mover lever. Obviously, best will be automatically triggered by a SuccessFactors or Workday or any other HR system you have, which are to avoid manual approaches. The more automation, the better. Additional access can always be provided. That's the more the access governance side where we have self-service capabilities, you know, to to access more. But we wanna integrate more. So the life cycle, very important Access governance, that's typically our SODs, critical authorization checks, cross system checks, but also identity in general, making sure we have consistent entities across all kind of mitigations, remediation capabilities, and simulation capabilities within the the entire life cycle. So we'd wanna make sure we address issues before they happen. We don't wanna provision. And then at the end of the year, the order says, hey. Alessandra has an SOD conflict. We wanna see that before it happens. And then, again, on the intelligence side, we wanna get full visibility. We wanna also on the identity side because it is the number one attack vector from from cyber security perspective. We wanna make sure we have everything visible, documented, full audit stamp, and, you know, we get all those anomalies and anything detection wise that's possible to detect into connect applications. We'll talk about that also in a second. Again, whenever we talk about any of these silos, whether it's identity life cycle, access governance, or access intelligence, it's very important that we always talk about it from a nonhuman perspective as well. So all the machine entities, the AI agents, your RFC interfaces, all those need to be included as well. That's very important. They need clear ownership. They need clear policies and and and, frameworks that they follow and, also the continuous monitoring to get the intelligence into other applications wherever needed. The ended life cycle here, obviously, oversimplified. The joiner mover lever should be your automated control system that's triggered by HR. That's ultimately where where it comes down to. Like I said, automation is good because the automation is is helps to standardize and, you know, build more robust, yeah, processes. In the life cycle, again, we wanna use alternative sources like your HR for key identifiers that could be your HR, your intra, others as well. We have the cloud and the services with the IES portion. That's your identity backbone. That's from where we trigger it. And we wanna make sure everything goes through that. So if you have the cloud and the services, we always wanna use that as the a single source where we that we use. Then we have different triggers for the life cycle that can be the hire, the fire, the transfer, termination events. But also in between, you know, maybe when there's a transfer change of organizational levels or position, trigger review workflows, the you know, trigger deprovisioning or retention of access for thirty days and then deprovision, There's a lot of automations that we can incorporate into those life cycles. Clear ownership, obviously, for every role that's being provisioned, whether it's a technical role or business role, it's cross, application, needs clear ownership. Should always be business use and not IT. It's not that the IT admin decides what the business needs. It needs to be business a business ownership. It's it's a business responsibility that needs to be very clearly marked. And it also then goes back down to the authorization concept. So even if we build authorization concepts, you have to ensure that in both business, there's clear ownership, what goes into role, what's being authorized in the role. It's it's it's an overarching approach. Obviously, there's also a lot of SLAs, service level agreements that we have to define, you know, for especially for deprovisioning. Orders are always looking for that that, know, we have same date deprovisioning. So if a user accounts, you know, terminates the end of March, we have to ensure the end of March, it was a terminate. You know, it should not be that still open on April fifth. Right? That will not be good. So there not needs to be needs to be clear SLAs as well to monitor and also report if that's, properly working. We always have, removal with time frame windows or, like, a defined window. Like I said, grace period, fifteen, twenty, thirty days. Someone keeps access when they do positional changes. That's obviously needs to be fully customizable as well. But also there, we wanna SLAs, wanna report on it, and making sure that that's that's that's clear. For the entire identity life cycle, lot of evidence is needed. That's where I mentioned earlier with the audit log. We always have to define we always have to answer those those w questions we say in German, the who, what, when, why. That's very, very important. So any action within the workflow needs to be documented, time stamped. We always need to know who and and and and and when and what and why. So even for for automated stuff. So if there's automation, it's, you know, it's we documented as well. When there's, like, human interaction, like an approval or someone forwarding or approving on behalf. All those steps, all those decisions along the way need to be properly documented. Then, obviously, also about deprovisioning, we have to make sure it's everything is timely deprovisioned. It shouldn't, you know, you know, be a delay. That's why time stamps are important. Anything that's exceptional needs to be properly documented, whether that's, you know, you know, temporary access, privileged access, always there. And then also that we have the the reconciliation, so checking between, like, what was approved versus what is authorized. That's a big problem for a lot of organizations. We have an IDM applications or IEM application in place. We provision access to that, but then we have the admins or site and shadow processes that still do manual s s zero one where someone assigns access or remove access. That should not be the case because that's very difficult from an audit perspective to explain why that happened. So that's why it's important to also reconcile, making sure that only the user only has what what actually was approved and was, you know, going through an entire process. That's very, very important from an identity life cycle. That's also one of the things where, Fabian, my colleague, I think in in session three, he will very specifically talk about identity life cycle in the context of ITA, where really a full a full hour will be spent on how do we, you know, ensure identity life cycle with different tools and how we have to relook into the more detailed aspect of of how that can be done and and what that what that means in in general. The life cycle alone, that's your IDM process, your IEM processes in the aspect of IGA of identity governance. We also have the access governance silo where we typically have our SOD scanning, the entire obviously, the the audit the the audit log is is part of access governance. But that, again, is something that needs to happen ad hoc. It's not like something that happens post provisioning. So when we do SOD scanning, SOD simulation, SOD, you know, risk analysis that needs to happen throughout the workflow. So that's it's a workflow. And here, I'm just showing one. That's not a obviously, not a complete workflow. There's no detouring and no escalation path. But what what what I wanna show here is basically that in the workflow, there needs to be risk checks, need to be simulation. What if scenarios? So what if I assign this role to user? What happens from an SSD perspective? What happens from a critical authorization's perspective? What happens from a license perspective? So even license governance is a big topic as well. So we're not not, you know, triggering higher license costs or changing license things. That's very, very important. Also, from an access governance perspective, we have a lot of alignments with different frameworks and standards. I mean, NIST is definitely one that's that's that's very important. Two aspects of NIST, the govern and the protect in in particular. That means that policies need need to be established. It's not like you can or cannot. It needs to be established. It's a must. And we also have to always protect. So that means we have to follow least privilege principles for an authorizations and and identity perspective. We only grant what users need. We don't overauthorize. And then, obviously, again, we have to with the government, we have to make sure that we're living those processes along the way. So every request, anything that's provisioned needs to go through the rule engine, check for compliance, check check for any, any issues in regards of of any concept or or or, framework we're we're checking against. Access review is a big topic as well, recertification. So once access is provided, it was obviously initially approved. Eventual needs to be revisited. Someone needs to review if the if the access is still accurate and timely. So that means if I if I've gotten access two years ago, we have to revisit whether that's still possible because maybe my my job change workflow that automatically triggers didn't fully work, or maybe I haven't had it two years ago. So that's why review of access is very important. Review of access or access reviews in general can be in different form and shape. It could be straight up user access reviews where we just review what users have authorized, but it could also be that we have more like a risk driven review looking into what risky access a user has, like like, what leads to SOD conflicts or critical authorizations. So access reviews can be in different form and shape, and that's also one important aspect of of the IGA is that we obviously govern and make sure that access is continuously checked. So it's not and that's that's an ongoing continuous, event. Very, very important. Ultimately, every access decision must, produce evidence at any moment in time, and it should never be reconstructed later. So, you know, you like I said earlier, if you have an audit end of the year, we cannot reconstruct audit and evidence. It needs to be always an ongoing event. Whenever something happens, whenever an approval is given, it needs to follow that. Can I say it one more time? Nonhuman entities are all also in scope. Okay? That means for SOD conflicts and so on because it doesn't help if we reduce SOD conflicts on a on a on a human level. If Alessandro doesn't have an SOD conflict, but my AI agent I'm using has, and I can do the same thing as I would have the access myself. So we also have to consider that. We will eventually also have to talk about SOD violations between AI agent that I have in control and what I have. Because if an SOD conflict where we have two a separation of two functions and I do the one and my AI agent does the other, I technically don't have the SOD conflict. But in combination, because I can access my authorizations and the AI agent performs certain functions when I tell them to, if that leads to an SOD conflict, we also have to address that. So we also have to think about our, let's call it, or our governance aspect or governance controls and policies that we have to also include that. In the past, we looked into firefighter access because I have a firefighter available that I can use. But going forward, we also have to think about all those new nonhuman entities like an AI agent that can work on my behalf or if I tell them to. Right? If I say, hey. Do this and does it, it needs to consider that I have the access or that the AI needs to check that I'm not doing something that leads to fraud or anything that I'm not supposed to do, but that's another, aspect that we have to, definitely consider. So access governance, they have a specific session about that as well. I think it's session four with Eric that will talk about the access governance aspect, especially in hybrid landscapes and what that means, and how do we also ensure and build those rules, make sure that the rules stay, you know, stay in sync, stay up to date because it's an ever changing environment, especially with this AI and with cloud adoption and the the, you know, the entire speed. We also have to make sure that our rule sets, our controls, our policies, they stay up to date. They're they're they're current. They're they're, yeah, they're they're they're specific enough for the cases and for the business scenarios that we have in front of us, and that's that's changing faster than it has ever. And that's why it's important that we also specifically address the access governance side, and Eric will talk about that, in in session four. Last but not least from the IHA perspective, you have the access intelligence, so that's the third, silo. And access intelligence really means that we're turning the raw entitlement into insight. So that means, basically, again, also things, like I mentioned earlier, with the attack vector. So identity being the number one attack vector, we also have a lot of events and a lot of raw data locks and things that are happening on the identity side, whether those are role changes, whether those are user changes, provisioning, deprovisioning, all kind of things that might lead into or that that that, you know, is a is an event or a raw data, that may need need to be put into an intelligent way to understand it better to process it also from, like, a like, a security monitoring perspective, let's say. So, basically, also those outputs we have from the life cycle, from from excess governance, that needs to now be fed into the security monitoring. So for example, if we are assigning a firefighting a firefighter someone or if someone gets access to an AI agent, let's think about, like, we have proper life cycle processes, and I'm requesting authorizations for an AI agent that I own. Then we also have to feed that back into security monitoring for events and, you know, making sure we're also putting monitoring around that. And there's a lot of different raw data that are being produced, and that ultimately needs to correlate as well. That's the session the the fifth session with Moritz where we talk about our new product, Fulcora. It's called exciting Fulcora. It's like an AI driven security operation center, so it really handles all kind of events. It it's also AI. It's a lot of AI agents in there that have guardrails and are properly implemented, hopefully. But they they deal with all these signals and interact with the IGE as well. So security monitoring should not be blind an IT perspective. It needs to correlate and work together hand in hand as well. So that could be for enrichment. That could be to to, you know, perform certain actions. So when we have a security operation center and there's, like, an alert and an incident that needs to like, for containment or for corrective actions, that also needs to feed through the IT approach. Also, again, following the life cycle, the workflows, excess governance aspect, and so on. And that's ultimately also where those two words need to come closer together because everything is moving faster. We also have to make sure that our security monitoring stays up to date and, you know, keeps everything in check. And that's where, you know, the intelligence portion of it is very, very important as well to correlate, prioritize, and ultimately, you know, forward into wherever we need it. So yeah. That's that's ultimately what I wanted to show you guys. It's like a high level overview. Like I mentioned, we have a lot of different pillars, a lot of different things we're addressing. We have just a blueprint high level overview. We have a couple interesting sessions coming up. The first one is the is this coming Thursday where we talk about authorizations in S4HANA, those authorizations, and the redesign is a foundation for IGA. Why is that important? Like I mentioned earlier, when we talk about governance or SOD remediation and all those good things, our life cycle and automations, it's important that we have a solid authorization design. So if you have bad roles and you know? I I always say the she show, the **** inch it out. Right? I'm not supposed to say it, but I say it anyways. The if you if you have a solid concept, it makes it much easier to build business roles to do the role mining to, you know, find the correct roles a user needs. So that's why it needs to start in the background, in the back end. That's what we're talking on Thursday. And then we have those three pillars. We have the access governance session. We have the life cycle session, and we have the intelligence session where we talk about our new products and also then in channel in in specifically, like, you know, how do we do the the churn and mover lever, how that interacts, and also how do we do the risk analysis and and keeping SOTs in check and also keep it up to date. With that, let's see. We might have questions. We might have an answer to the poll maybe. Let's quickly see. So I'm not sure if you can can you guys see the or I can read it out? So maybe for you for those of that are interested, we had the the first question was, you know, what is the biggest thing slowing down IGA in your landscape today? And, yeah, a lot of lot of a lot of you say that too many systems and entitlements, so it's the hybrid and SaaS pro. So a lot of more applications, lot of lot of application entitlements that are just too many to handle, then also provisioning deprovisioning delays, which kinda leads to not having a proper churn and mover lever process. I would say, Alex, you just interrupt or feel free to add anything I'm missing. And those are the things we want we will address on that identity lifecycle management session for the children mover lever. And then the second question was in regards to the AI agent. That was more and more for my curiosity, like, how many of you are already operating AI agents and AI bots and any kind of bots in your productive or pilot landscapes. And a third of you guys say we're already using them in business critical productive environments, and that's kinda interesting or not interesting. I'm was kinda expecting that, but that means, like, a third of you guys are already using in production, and that's that's interesting. I think it's growing. And a lot of you are planning it or are using it in in limited scope. So if you look at, like, not planned, there's only one person. So it that I think that's the trend where that we see. It's it's more and more, and it will be very interesting. And I think that's why we need to talk about the the topic of AI, how do we get that into into our, you know, ITA process. With that, Alex, any questions? Let me check. Yeah. Ultimately, thank you for providing this presentation here today to the group, you know, the first part in our webinar series for Security Madness. We do have a minute left. So if there are any questions in the chat, maybe we can use this time to go through and answer them. Yeah. There was a specific question on one application. I'm not familiar with that application, so I can't really answer that question. I'll look into that and just follow-up offline with the person who asked that. Okay. Perfect. But I would say if any other questions I mean, we have four more sessions that go into more detail, and those are the experts for every single I'm just a high level guy, but for every single of those, you know, silos or topics. We'll have a follow-up session and, yeah, looking forward to that. Awesome. Well, thank you so much for providing this presentation today. And as just a reminder, our our next session in our Security March Madness webinar series will be this Thursday, March fifth at twelve PM eastern. So if you're not signed up yet, you know, you can use this time to get signed up for that next event. But, ultimately, thank you so much for joining everyone, and I hope everyone has a great rest of their day and a a great week. Thank you, everyone.
Translating this into concrete capabilities, a modern SAP-focused IGA program needs seven building blocks:
Governance breaks down when entitlements are treated as technical labels only. What you actually need is ownership and context – the business process an entitlement supports, its criticality level, and who is responsible for it. Only then can approvals and reviews happen with clarity and consistency.
The Xiting Security Platform (XSP) supports this through centralized SAP security management, backed by cross-system risk analysis and compliance capabilities – providing a strong foundation for attaching governance metadata to access.
You cannot govern what you cannot relate. Hybrid landscapes create identity fragmentation by default: different user IDs with different case sensitivity and uniqueness rules, different directories, and different cloud identities.
That is why identity consolidation is a prerequisite – not a nice-to-have. Consolidated identities are the foundation for meaningful cross-system analysis, risk detection, and provisioning.
SoD conflicts do not live in a single system. Business processes commonly span multiple applications – for example, S/4HANA and Ariba, or SAP ERP and SuccessFactors. Effective governance requires cross-system risk analysis that combines consolidated identities, up-to-date rulesets, and detection during provisioning, access requests, and review cycles.
The Xiting Content Portal (XCP) plays a key role here as a SaaS application that simplifies maintenance of rulesets, mitigating controls, and detection patterns – supported by automation and AI features. XCP delivers content as a service, ensuring that rules stay current even as SaaS applications update frequently.
IGA must reduce manual work and minimize human error – especially in access reviews. Automation is essential for governance that scales and stays consistent.
In SAP practice, the strongest review models are not only periodic. They are also event-driven: triggered by a job change, a project end, emergency access usage, assignment of critical access, or a security event. Combining both approaches ensures that reviews happen when they matter, not just when the calendar says so.
Self-service requests and standardized workflows are a major productivity multiplier – but only when they are connected to governance rules and the right approval logic.
Xiting’s Digital Identity Management (DIM) via Xiting Central Workflows (XCW) delivers exactly this: standardized workflows for , role assignment and removal, user creation, and password self-services – with flexible scenarios for the hybrid IT landscape. Cross-system risk analysis and license cost simulations are included to support governance and cost control.
A hidden cost driver in IGA is ruleset maintenance – especially when it is handled in spreadsheets. SoD rules, mitigating controls, and detection patterns need continuous updates to reflect organizational changes, new applications, and evolving regulations.
This is where XCP as content-as-a-service becomes critical. Xiting and its partner ecosystem ensure that governance content stays up to date – a particularly important capability when cloud applications introduce changes on a regular release cycle.
IGA cannot succeed if role management is slow, inconsistent, or overly manual. Role design and cleanup determine how clean your governance baseline actually is.
The follows a least-privilege “get clean, stay clean” approach: role design with integrated checks for critical authorizations and SoD conflicts, significant time savings compared to manual procedures, and license cost transparency for S/4HANA migrations.
Traditional IGA answers the question: “Who should have access?”. Security monitoring answers: “What is happening right now?”.
When these two worlds remain disconnected, governance decisions are always a step behind actual system activity.
Xiting explicitly addresses this gap with real-time SAP security monitoring capabilities – including alert forwarding to application-neutral SIEM solutions and security monitoring services positioned as “Xiting Falcora“.
Agentic AI represents the next evolution of automation: agents that do not just summarize alerts, but reason over context and drive consistent response steps under clear guardrails.
In SAP, that context is exactly what IGA provides: consolidated identities, entitlement and role ownership, SoD rules and critical access definitions, change history, and approval records. The vision is straightforward – monitoring signals should trigger governance decisions, and governance context should make monitoring investigations faster, richer, and more precise.
A realistic and audit-friendly agentic operating model follows these steps:
Identity governance in SAP only works when it becomes operational: identities consolidated, entitlements understood, risks measured, workflows standardized, and reviews automated.
That is why we position the Xiting Security Platform (XSP) as a central platform for SAP security management – combining cross-system risk analysis with real-time monitoring and SIEM integration, supported by SAP user lifecycle processes via Xiting Central Workflows (XCW), the Xiting Content Portal (XCP) for the ruleset and control lifecycle, and Xiting Authorizations Management Suite (XAMS) for least-privilege role engineering at scale.
IAM covers authentication and basic access enablement (SSO, MFA, directories). IGA adds the governance layer – access justification, SoD enforcement, lifecycle automation, and audit evidence. PAM focuses specifically on high-privilege access such as SAP firefighter scenarios. A complete SAP security program connects all three.
SAP Access Control covers important governance functions like SoD analysis and access risk management. However, a full IGA program also requires identity consolidation across SAP and non-SAP systems, automated user lifecycle management, workflow-driven provisioning, and the connection between governance and real-time monitoring – capabilities that go beyond what Access Control provides on its own.
SAP Identity Management 8.0 reaches end of mainstream maintenance at the end of 2027, with no successor product. This forces organizations to rethink identity governance holistically rather than simply replacing a tool. It is an opportunity to build a modern IGA program that covers hybrid landscapes, cross-system risk analysis, and automated workflows.
Xiting offers an integrated portfolio:
Combined with consulting expertise and real-time monitoring capabilities, Xiting helps organizations build IGA programs that are operational – not just documented.
You are currently viewing a placeholder content from Vimeo. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from YouTube. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from hCaptcha to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from Turnstile to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Hubspot Embedded Content. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Hubspot Meetings. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Instagram. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from X. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More Information