COMMENTARY: AI has significantly accelerated the speed of innovation: Nearly 90% of organizations regularly use AI for at least one business function, compared to 78% a year ago, according to research from McKinsey.

More than one-third are either increasing the scaling of AI throughout their organization, or consider themselves fully-scaled with AI deployment-integration.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

In the process, they improve the efficiency and efficacy of enterprise applications in day-to-day operations. They fast-track digital transformation projects. They save significant costs.

All of these benefits particularly apply to SAP enterprise resource planning (ERP) products, which have emerged as ubiquitous in the enterprise: The SAP Business Network accounts for no less than $7.4 trillion in annual commerce, and 99 of the world’s 100 largest companies now run SAP. With the advantages clear, boards and CEOs are pressuring CIOs to incorporate AI into workflows. However, too often they do not consider the subsequent security impact on the applications.

AI-generated code accelerates output, but does so at the cost of vulnerabilities. Teams are now tasked to create and deploy agentic AI capabilities for applications to streamline critical processes and allow for more effective cross-functional team collaboration. But then they discover that they can’t fully control and protect AI agents, including the data they access and the agent’s traceability.

Cyber attacks against SAP applications already were at a record high, as recent real-life examples illustrate:

- In September 2025, a large global manufacturer was forced to shut down its systems after the cybercriminal group ShinyHunters publicly boasted that it had compromised the organization by exploiting a vulnerability in its SAP applications. The incident resulted in $2.4 billion in profit loss year-on-year and caused $1.9 billion in damage to the United Kingdom economy, affecting an estimated 5,000 organizations.
- In December 2024, two U.S.-based subsidiaries of the Luxembourg-based vodka manufacturer Stoli Group filed for Chapter 11 bankruptcy months after a ransomware scheme disabled its SAP ERP operations, including accounting functions.
- An SAP security flaw was found by Mandiant to be the most frequently-exploited vulnerability in 2025, with at least ten different threat actor clusters exploiting it.

All of these attacks were pre-AI, which tells us that security issues remain a blocker in adopting AI for critical enterprise applications. There are real risks and concerns about how to defend agents, protect data, and ensure compliance.

Already, our research has revealed that 2025 was the most volatile year ever for SAP, with a 210% increase in the active exploitation of SAP vulnerabilities from 2024 to 2025, exposing a substantial amount of business-critical applications.

So how should chief information security officers (CISOs) and their teams seek to safeguard AI in SAP/business applications without hindering the “need for speed” in deployments? They can start with the adoption of the following best practices:

- Implement secure-by-design principles: Once AI agents are off and running, it’s difficult to defend them. That’s why teams must ensure critical systems are fortified before exposing them to agentic workflows, in the interest of business resilience. As part of this, teams should scan AI-generated code for flaws before deploying it in products.
- Launch autonomous defense: The swift elevation of vulnerabilities means teams need to install security patches with much greater volume and velocity. But they were already struggling to install patches before AI. Thus, teams have to defend at machine speed with zero-day threat detection to stay ahead of the bad guys. So first, continuously monitor threats as a compensating control until team members are able to apply patches. Then, invest in AI-enabled autonomous security tools, weaving SAP risk intelligence directly into agentic workflows – transforming vulnerability data into actionable insights.
- Extend zero trust (ZT) concepts: We often think of ZT as applying to employees/users and applications. But we can also extend this proven access control concept to AI agents to limit them to minimum privilege restrictions, so they do not access data that they should not.

The speed of AI innovation isn’t slowing down anytime soon. So CISOs and their teams must turbo-charge their defense capabilities to keep up.

By investing in secure-by-design, ZT, and autonomous tools, organizations stay ahead of the proliferating threats while reaping all of the rewards of optimal business operations. As a result, they can take the next critical steps in their digital transformation both successfully and safely.

Mariano Nunez, co-founder and CEO, Onapsis

Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.



