That's the binary your AI roadmap now faces. AegisAI is the structured, identity-propagated, audit-ready pathway compatible with every requirement Section 2.2.2 introduced - and durable as a control plane whether SAP's policy holds, relaxes, or extends to other vendors.
SAP defines an "agent" with unusual precision in the policy text:
And then prohibits direct API access for anything matching that definition. If your AI agent talks to SAP, the policy applies to you. If it plans, selects, or executes a sequence of calls, it's an agent under SAP's own definition. And if it hits SAP's APIs directly, it's now non-compliant.
The policy preamble names four things its controls exist to do:
All four are tractable with the right control layer. AegisAI is that layer.
In 2001, Hasso Plattner spent $400 million acquiring TopTier - a portal company whose founder, Shai Agassi, had told Plattner that SAP would be "an irrelevant background data store" if portals took over the desktop. Plattner reportedly called Agassi a "retrovirus" - an external agent injected into SAP's DNA. The defense worked; portals fizzled.
4.2026a is the inverse posture. Where 2001 saw SAP buy the disruption, 2026 sees SAP fence it off. Both moves are defensible. Neither, on its own, is a strategy.
The 2001 defense worked because portals were a thin presentation layer competing for desktop real estate - a war of UX. Agassi's "retrovirus" line was a metaphor about who controlled the user's day. SAP could absorb that fight by buying it.
Section 2.2.2 is different. Agents aren't competing for the desktop; they're a new abstraction layer above every API. You can't buy your way out of a category - only build the sanctioned interface to it. That's where the policy creates an opportunity for everyone outside SAP, including AegisAI.
The 4.2026a preamble is explicit about what its controls exist to do. AegisAI was designed against those exact concerns - not as a workaround, as the structured architecture that satisfies them.
JWT verification (HS256 / RS256 / ES256 / PS256) with JWKS rotation. Identity-propagated SAP authority via documented BAPIs - no service-account masking. Fail-closed defaults at every layer. Schema-driven response firewall. PRODUCTION refuses to start with default secrets.
Per-user and per-tenant rate limits in Redis - one tenant cannot monopolise SAP capacity at the expense of another. ASGI-level request ceilings. Trust-based throttling drops misbehaving callers in proportion to their score, leaving capacity for well-behaved ones. SAP sees one well-behaved client, not thousands of agents.
Intent compiler validates and structures every request; vague or scope-expanded intents are rejected at compile time. Deterministic policy engine, deny-by-default. Adaptive trust signals - frequency, scope expansion, coverage growth, cross-user coordination - directly address the policy's "sequences of API calls" concern. Documented BAPIs only. Parameterised SafeQuery - no string interpolation.
Tamper-evident HMAC audit chain - Postgres-backed with SELECT ... FOR UPDATE row lock so the chain stays linear under multi-pod writes. Public integrity probe for Prometheus / k8s CronJob monitoring. Admin-gated chain re-walk. OpenTelemetry from day one. Single audit format across SAP, AWS, Azure, GCP.
Industry observers point out that 4.2026a may not hold in its present form forever. We agree - and it doesn't matter. The need for a structured, identity-propagated, auditable control plane between AI agents and enterprise data outlasts any specific regulatory text. AegisAI is built for the durable need, not just the immediate compliance trigger.
By recent estimates, ~77% of AI-active SAP customers run their agents on Microsoft Copilot. Only a small minority use SAP's own Joule in production. AegisAI is AI-vendor-neutral by design - it works with Joule, Copilot, custom LLM apps, or whatever your team brings.
The 2027 ECC support deadline turns every SAP shop into a migration-evaluation customer over the next 18 months. Every one of those evaluations now includes "how do AI agents access this?" The right answer is a sanctioned control plane that doesn't depend on which AI vendor wins.
SAP is first to publish an explicit AI-agent restriction. AWS, Azure, GCP, Snowflake, Databricks all have similar concerns and are watching. The same architecture that satisfies 4.2026a generalises to whatever the next system publishes.
Service accounts and shared API tokens erase the human asking. Auditors can no longer prove who saw what.
"Do not return PII" prompts are a hope, not a control. Probabilistic safety applied to a deterministic problem.
An AI that hallucinates a column name once a thousand requests is a leak vector at enterprise scale.
"(semi-)autonomous or generative AI systems that plan, select, or execute sequences of API calls" - the definition exists because of the failure mode.
Most LLM platforms log the prompt. Few log the resolved data, the policy decision, or the masking applied.
A "be careful" instruction in the system prompt is not a control. Real controls are deterministic, evaluated server-side.
| What 4.2026a restricted | What AegisAI provides |
|---|---|
| Direct API calls from AI agents (§2.2.2) | A single sanctioned pathway. AI tools talk to AegisAI; AegisAI talks to SAP using documented BAPIs and the calling user's identity. |
| Undocumented interfaces | Documented RFCs only. BAPI_USER_GET_DETAIL + SUSR_GET_PROFILE_AUTH_OBJECTS. |
| ODP large-scale extraction | Per-request scoped queries. Each /query compiles to a parameterised SafeQuery. No bulk extraction. |
| "Sequences of API calls" without governance | Trust-system pattern detection. Sequence frequency, scope expansion, coordination - all recorded; abusive patterns rate-limited or denied. |
| Service-account broad access | Identity propagation. The user's JWT and SAP credentials flow all the way to the backend. |
| Uncontrolled simultaneous calls | Per-user + per-tenant rate limits. Trust-based throttling. |
| Unaudited AI access | Tamper-evident HMAC audit chain. Postgres-backed; re-walk on demand. |
| Data leaving SAP unmasked | Schema-driven response firewall. Per-field classification × clearance × auth-object gate. |
The full architecture, threat model, and request-by-request walkthrough live in the whitepaper.
