The Identity Crisis No One Is Talking About
By the end of 2026, many SAP environments will have more non-human identities than human users. Joule agents, RPA bots, API service accounts, integration middleware, scheduled jobs, and third-party connectors all access your ERP with various levels of privilege.
Yet most organizations govern these non-human identities with the same rigor they applied in 2015: a shared service account, a static API key, and a prayer that nothing goes wrong.
SAP Sapphire 2026 highlighted agentic AI as the future of enterprise operations. If your AI agents are autonomous enough to execute business transactions, they are autonomous enough to need proper identity governance.
Why Traditional IAM Falls Short
Human identity management assumes certain behaviors: users log in during business hours, access a predictable set of transactions, and can be reached for verification. Non-human identities break every one of these assumptions:
- No business hours - Agents run 24/7, making time-based anomaly detection useless
- No interactive login - Service accounts authenticate via certificates or API keys, not passwords
- No human verification - You cannot send an MFA challenge to a bot
- Exponential growth - One Joule Studio deployment can spawn dozens of specialized agents
- Shared credentials - Multiple bots often share a single service account, making attribution impossible
A Framework for Non-Human Identity Governance
1. Identity Registration
Every non-human identity must be formally registered with a clear owner, purpose statement, and expiration date. Treat bot creation like onboarding a new employee: documented, approved, and provisioned through a controlled process.
2. Least Privilege Enforcement
Each agent should have its own identity with only the minimum permissions needed for its specific task. The SoD conflict monitor agent does not need write access to role assignments. The vendor screening agent does not need access to financial data.
3. Credential Rotation
API keys and service account credentials must be rotated on a regular schedule. For Joule agents using SAP IAS, implement certificate-based authentication with automatic rotation. No credential should be valid for more than 90 days.
4. Activity Monitoring
Non-human identities should be subject to the same activity monitoring as human users, but with different baselines. Build behavioral profiles for each agent and alert on deviations: unexpected data access patterns, unusual transaction volumes, or access outside expected parameters.
5. Access Certification
Include non-human identities in your regular access certification campaigns. The agent owner should certify that the agent still needs its current access and that the access is appropriate for its function.
6. Decommissioning
When an agent is retired, its identity must be fully decommissioned: credentials revoked, permissions removed, and the identity marked as inactive. Orphaned bot accounts are a significant security risk.
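The six controls above can be checked mechanically against an identity inventory. The following Python script is an added example, not the page's or any SAP product's code: it audits a constructed registry of non-human identities for missing registration data (step 1), credentials shared between bots (step 2), credentials older than the 90-day ceiling (step 3), transaction volume far above an agent's baseline (step 4, using an assumed 3x threshold), and expired identities that are still active (step 6). The identity names, dates and volumes are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_CREDENTIAL_AGE_DAYS = 90  # rotation ceiling stated in the framework
ANOMALY_FACTOR = 3            # assumed threshold: alert above 3x an agent's baseline volume

@dataclass
class NonHumanIdentity:
    name: str
    owner: Optional[str]        # registration: accountable owner
    purpose: Optional[str]      # registration: purpose statement
    expires: Optional[date]     # registration: expiration date
    credential_id: str          # key or certificate the identity authenticates with
    credential_issued: date
    active: bool
    baseline_tx_per_day: int    # behavioural profile built during monitoring
    observed_tx_per_day: int    # latest observed daily volume

def audit_identities(registry, today):
    """Return sorted (identity, finding) pairs for each governance control that is violated."""
    findings, credential_users = [], {}
    for ident in registry:
        credential_users.setdefault(ident.credential_id, []).append(ident.name)
        if not ident.owner or not ident.purpose or ident.expires is None:
            findings.append((ident.name, "UNREGISTERED"))        # step 1
        if ident.active and ident.expires is not None and ident.expires < today:
            findings.append((ident.name, "EXPIRED_BUT_ACTIVE"))  # step 6
        if (today - ident.credential_issued).days > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((ident.name, "STALE_CREDENTIAL"))    # step 3
        if ident.active and ident.observed_tx_per_day > ANOMALY_FACTOR * ident.baseline_tx_per_day:
            findings.append((ident.name, "VOLUME_ANOMALY"))      # step 4
    for users in credential_users.values():
        if len(users) > 1:  # step 2: a credential used by several bots defeats attribution
            findings.extend((name, "SHARED_CREDENTIAL") for name in users)
    return sorted(findings)

# Constructed sample registry (not real identities): one clean agent, two bots sharing a
# key, and an orphaned legacy account that is past its expiry date yet still active.
TODAY = date(2026, 6, 1)
REGISTRY = [
    NonHumanIdentity("sod-monitor-agent", "grc-team", "SoD conflict monitoring",
                     date(2026, 12, 31), "cert-001", date(2026, 4, 15), True, 200, 210),
    NonHumanIdentity("vendor-screening-agent", "procurement", "vendor screening",
                     date(2026, 12, 31), "key-shared", date(2026, 1, 10), True, 50, 400),
    NonHumanIdentity("rpa-invoice-bot", "ap-team", "invoice posting",
                     date(2026, 12, 31), "key-shared", date(2026, 1, 10), True, 1000, 900),
    NonHumanIdentity("legacy-integration", None, None, date(2026, 3, 31),
                     "key-legacy", date(2025, 11, 1), True, 0, 0),
]
```

Running `audit_identities(REGISTRY, TODAY)` flags everything except the properly registered, individually credentialed agent; in practice the registry would be fed from SAP Cloud Identity Services or IAS exports rather than hard-coded.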
The SAP Technology Stack
SAP provides several tools for non-human identity management. SAP Cloud Identity Services handles identity lifecycle. SAP Identity Authentication Service manages authentication. SAP BTP security contexts govern authorization. Integration with PAM tools like CyberArk or SailPoint adds privileged session management.
UX Tech implements comprehensive non-human identity governance programs that leverage these tools. We start with a discovery phase to identify every non-human identity in your landscape, then design and implement governance controls that scale with your AI workforce. Contact us to assess your non-human identity risk.