A few weeks ago, SAP and our long-time conference producer partner TAC Insights hosted our yearly Governance, Risk, and Compliance event: SAP for Internal Controls, Compliance and Risk Management Conference.
This year, it was in Budapest and let me tell you: the view from the show floor and adjacent terrace was nothing short of spectacular. With a completely open view embracing the Danube and across to the Buda Castle, the St. Gerard Sagredo Statue and much more, it was a delight as much during daytime as it was at night. Especially when enjoying some relaxing time during the evening’s cocktail.
Location aside, this conference is now in its 7th year, and I continue to be grateful to our partners for sponsoring, and to our customers for presenting their use cases and sharing some lessons learned but also openly exchanging with the audience. We were very fortunate to have representatives from companies across multiple industries including:
I am also grateful to the 120+ attendees, many of whom continue to come back and bring new perspectives, ideas, and suggestions. With an ever-changing risk, compliance and security landscape, no event is really like the previous one.
In this blog, instead of providing you with a summary of the sessions, I thought of collecting thoughts from the other co-hosts, Vincent Doux and Bo Baade-Pedersen – from the SAP EMEA GRC Center of Excellence, and Axel Vetter – Head of Product Marketing for GRC & Quote-to-Cash at SAP.
This year, the theme was “Connect the dots” and you may be wondering why.
The answer is pretty simple: we wanted to inscribe this event within SAP’s new era of enterprise management with the SAP Business Suite. Much like GRC, the SAP Business Suite connects processes and empowers teams with dedicated business applications. And this was central to Axel’s opening keynote, and a common thread across SAP presentations during the event.
Thomas: During your keynote, you detailed SAP’s Business Suite strategy with the audience, built around systems and applications, insights and Artificial Intelligence. Would you say this is a pivotal moment for GRC? Or would you say that this is simply a natural business evolution that was already in the making?
Axel: There has never been a moment in time when GRC applications have been this business critical, I think. The concerns companies express about their risks and the increasing demand from regulations are currently accelerating SAP's responsibility in those topics. We have extended our portfolio to comprehensively provide access governance, management of controls, compliance management and application security capabilities for every customer. It was great to see the excitement of the audience when we reiterated on the continuous future of SAP GRC for SAP S/4HANA while at the same time strongly investing into SaaS-based GRC as part of SAP Business Suite. So yes – this is definitely a pivotal moment.
Another common denominator across most customer cases revolved around 2 main topics: people and performance. Many presenters stressed that they had plans to even further apply automation to compliance and security to expand the coverage but also highlighted the need to have expert humans in the middle taking care of the exceptions.
Thomas: From what you have heard from the various presenters, would you say that humans are the weakest link in the chain or, on the contrary, an essential “mortar” that strengthens the GRC process?
Vincent: Humans should be seen as an essential “mortar” that strengthens the GRC process. While it's true that human error and limited resources can pose challenges, humans provide critical contextual understanding, judgment, and adaptability that technology cannot replicate. Automation and AI can certainly augment human capabilities, but they rely on human oversight and intervention for complex decision-making and ethical considerations. Therefore, the focus should be on leveraging technology to empower humans, rather than replacing them.
Bo: I would not say that humans are the weakest link as such, but humans are the most scarce resource when it comes to getting a job done well and especially when we look at identifying risks or designing intelligent controls based on context and environment. Many of the speakers referred to the issue of having limited skilled people available as well as limited budgets. So, a key element of the benefits of using GRC solutions was to cover more ground with fewer resources by automation and feeling confident with the outcome from solutions like SAP Risk Management, Process Control and Audit Management. What really stood out for me was the reliance of the GRC solutions in their key processes to support essential business needs and demonstrate compliance to a very detailed level with human intervention only in central vital functions. The rest was automated and based on raising only the exceptions.
Finally, in his closing keynote “Do agentic AIs dream of quantum leaps?”, Chris Johnston, Head of Finance and Risk Customer Solution Advisory EMEA at SAP, gave us a lot to think about: the transformative landscape of 2025 so far, where agentic AIs are not just tools but decision-makers and creative partners, but also the ethical considerations and societal implications of integrating agentic AIs into our daily lives, and the potential danger of an uncontrolled intelligence that we could no longer comprehend.
Thomas: Based on your interactions in Budapest, but also on your various discussions with many organizations and partners on this topic, what do you think is the place of Agentic AI in GRC? Is it an “enabler” to supplement GRC tools and processes or a complete “replacer”?
Vincent: Agentic AI should be viewed as an “enabler” to supplement GRC tools and processes, rather than a complete “replacer.” AI can automate routine tasks, analyze large datasets, and provide predictive insights, freeing up human resources to focus on strategic and creative work. However, the ethical considerations, societal implications, and potential risks introduced by AI necessitate human oversight and governance. The future of GRC will likely involve a hybrid model where AI handles much of the heavy lifting, but humans remain responsible for setting guardrails, monitoring AI performance, and addressing exceptional cases that require human judgment. This collaborative approach leverages the strengths of both humans and AI to enhance the overall effectiveness of GRC processes.
Bo: I do not believe humans will ever be replaceable by machines – I think we need to look at it in the right light. Humans created machines and technology on one part because we could, but a big driver is because we are lazy. We want things to be easy, to only do the fun things in life, what we really enjoy. Agent AI in GRC I see a bit as the enabler to focus on the fun things because the tedious tasks can be done by technology. So, if you are only doing tedious tasks today that can be replaced by AI Agents, then yes you might be replaced for those specific tasks like coming up with standard controls as a risk response or concluding on audit topics that have been assessed multiple times in the past. But this only means you will have new areas to cover – like what controls do you need to have in place to rely on output from AI Agents? What is this risk introduced by AI Agents? If an AI Agent can perform both sides on a Segregation of Duties (SOD) – is this then a risk? Would we allow it?
We need to set the guardrails and monitor the why and how of the AI Agents – yes they can ‘learn’ and become smarter based on the data models underneath but like with everything else, there is always room for improvement and sometimes things do not work as expected. We need to be able to tell when things are not right so yes AI Agents will be a huge enabler for many of the things and decisions we do today but this only means we will need to replace the tasks we do today with more fun tasks.
Axel: As Risk and Compliance Management have to be effective and at the same time efficient, agentic AI provides a huge opportunity to raise the quality of GRC onto a whole new level. But the technology also raises new compliance – and other risks, that we are fully aware of. Based on our existing application portfolio, the Business Data Cloud and our business AI, we are ready to exploit the possibilities – but it needs these three elements. Applications that understand business processes and run them, a data-cloud that captures all data in a way that it becomes accessible for insight and business AI that safely operates with this wealth of knowledge to generate automated improvements without exposing data to the outside world or violating a company’s legal responsibilities.
If you attended the conference, I would be very interested in reading your comments either in this blog or on LinkedIn.
And, if you couldn’t attend in 2025 in Budapest, I hope that you will consider joining us next year! As a matter of fact, the 2026 conference planning is already under way. It will be held in Amsterdam on March 3rd to 4th. Back to where the very first SAP for Internal Controls, Compliance and Risk Management Conference took place.
If you have a good SAP GRC story to share, feel free to let me know and we can definitely include it in the list of sessions for consideration for 2026.