SAP Business AI Platform is transforming the way companies will work with their SAP systems in the future. Anyone entering the world of AI agents cannot avoid a crucial question: Who is allowed to do what – and who decides that? This blog post explains why the SAP Authorization Management Service (AMS), a component of SAP Cloud Identity Services, is evolving in this context from a technical detail to a strategic prerequisite.
At the customer and partner conference Sapphire 2026, SAP presented its vision of the Autonomous Enterprise: The term refers to organizations in which AI agents independently perform tasks that were previously carried out by humans in their familiar (user) interfaces. The technical foundation for the Autonomous Enterprise is SAP Business AI Platform (BAIP), which unifies SAP Business Technology Platform (BTP), SAP Business Data Cloud (BDC), and SAP Business AI into a single platform. SAP Joule is evolving from a digital assistant in individual applications to a central gateway for artificial intelligence across all SAP solutions.
In the target architecture – also known as the North Star architecture – identity management and security are not additional features, but cross-cutting characteristics that hold the entire SAP Business AI Platform together. The message behind this is clear: Without proper authorizations, the Autonomous Enterprise cannot exist.
As long as a human operates a system, the question of authorization is clear: The user logs in, views, and modifies what their role permits. With the use of AI agents, this principle shifts. An AI agent acts on behalf of a human and accesses data and functions via interfaces. This has three consequences:
An agent may only do what the user behind it is permitted to do – and nothing more. Without reliable authorization, automation becomes a risk.
If SAP Joule serves as the central gateway across all applications, a consistent, centralized authorization layer is required instead of many separate models for each application.
SAP consistently focuses on trusted data access. Access is controlled via defined interfaces, and unauthorized paths are blocked. However, this requires that every access attempt be associated with an identity and an authorization.
This is exactly where the SAP Authorization Management Service comes into play.
The SAP Authorization Management Service is the component of SAP Cloud Identity Services that enables administrators to centrally manage authorizations across applications – in the form of authorization policies that they customize and assign via groups. Four key features are crucial here:
Centralized rather than distributed: Authorizations are defined, refined, and assigned via groups in a central location, not individually in each application.
Policy-based: Developers describe authorizations in the Data Control Language (DCL), an SQL-like language. These policies are evaluated at runtime when an application checks for access.
Instance-based: A policy not only determines whether someone is allowed to read data, but also which specific data records may be read.
Linked to identity: Each authorization policy is mapped as a group in the central Identity Directory. Users receive their authorizations through group membership, which is maintained by the leading identity management system – consistently across all connected services. SAP Joule’s onboarding process also uses this mechanism.
SAP AMS thus replaces the previous, coarser-grained scope-based authorization model (XSUAA via the SAP Authorization and Trust Management Service) and enables fine-grained, data-driven decisions – exactly what trustworthy AI agents and data access require.
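The difference between a scope-based check and a policy-based, instance-level check, and what it means for an agent acting on behalf of a user, can be modeled in a few lines. This is an added illustration, not SAP code: it uses neither the AMS API nor DCL syntax, and all policy names, users, scopes and records are constructed.

```python
# Simplified model of the ideas above; NOT the AMS API and NOT DCL syntax.
# All names, groups and records are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    action: str
    resource: str
    restrict: tuple  # (attribute, allowed values), or () for unrestricted

POLICIES = {  # one directory group per policy, as the post describes
    "ReadOrders_DE": Policy("read", "orders", ("country", frozenset({"DE"}))),
    "ReadOrders_All": Policy("read", "orders", ()),
}
DIRECTORY = {"alice": {"ReadOrders_DE"}, "bob": set()}  # user -> groups
ORDERS = [
    {"id": 1, "country": "DE"},
    {"id": 2, "country": "FR"},
    {"id": 3, "country": "DE"},
]

def scope_check(scopes, action, resource):
    """Scope-based: one yes/no answer per action, blind to the record."""
    return f"{resource}.{action}" in scopes

def allowed(user, action, resource, record):
    """Policy-based, instance-level: decided per record at runtime."""
    for group in DIRECTORY.get(user, ()):
        p = POLICIES.get(group)
        if p is None or (p.action, p.resource) != (action, resource):
            continue
        if not p.restrict or record.get(p.restrict[0]) in p.restrict[1]:
            return True
    return False  # default deny: no matching policy, no access

def agent_read_orders(on_behalf_of, agent_tools):
    """An agent is bounded by the user's policies; it never widens them."""
    if "orders.read" not in agent_tools:  # the agent's own tool limit
        return []
    return [r for r in ORDERS if allowed(on_behalf_of, "read", "orders", r)]

if __name__ == "__main__":
    print(scope_check({"orders.read"}, "read", "orders"))  # all-or-nothing
    print(agent_read_orders("alice", {"orders.read"}))
    print(agent_read_orders("bob", {"orders.read"}))
```

The scope check can only say that reading orders is permitted at all, while the policy check returns only the records the user's group membership covers, and the agent receives exactly that subset.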
The SAP Authorization Management Service is not an optional add-on; it determines whether the promise of the Autonomous Enterprise is fulfilled or not:
Trust: Agents and AI functions are only as trustworthy as the authorizations behind them. Centralized, traceable authorization is a prerequisite for automation to be implemented at all.
Compliance: It must be possible to verify and control who accesses which data. Centralized policy management is the foundation for audits and regulatory compliance.
Scalability: With every new application and every new AI agent, the number of access requests grows. A centralized, policy-based model scales; many separate authorization silos do not.
Prerequisite for business value: The productive benefits of SAP Business AI Platform – with AI agents that execute entire processes autonomously – can only be achieved if the authorization layer is robust. In this respect, the SAP Authorization Management Service is not a barrier, but rather the trailblazer for the Autonomous Enterprise.
The transition to the new SAP world doesn’t have to be a major undertaking, but it should be started early. Some sensible first steps include:
Aligning your SAP landscape with SAP Cloud Identity Services as the central identity and authorization layer
Analyzing the existing authorization model and planning the transition from scope-based to policy-based, instance-specific authorizations
Considering authorizations from the outset as an integral part of every AI project, rather than treating them as a downstream task
IBsolution’s comprehensive portfolio covers all topics and technologies relevant to SAP Business AI Platform – from SAP BTP and SAP BDC to security and AI. We support you in establishing the various levels of the Autonomous Enterprise and creating the prerequisites for the profitable deployment of AI agents in your SAP landscape. In this context, the authorization layer, powered by the SAP Authorization Management Service, represents a clearly defined, easily plannable starting point for the new SAP world and at the same time forms its foundation.