Why two pages of policy can redraw the boundaries of enterprise AI*
At the end of April 2026, SAP published, with relative discretion on the Help Portal, a two-page document destined to cause discussion: the SAP API Policy v4/2026a. Three sections, dry legal language, potentially huge impact on anyone who has ever integrated a non-SAP system or is building AI scenarios on ERP data.
La motivazione dichiarata è la tutela di “solution health and security” di fronte all’esplosione delle chiamate API da sistemi esterni, comprese le architetture AI. Motivazione legittima. Ma il testo della policy, a parere di molti, va molto oltre la gestione del traffico e questo è il punto che ha generato reazioni a catena tra clienti, partner, analisti e studi legali internazionali.
SAP manages the data that feeds 90% of global supply chains. When it redefines the rules of access to that data, it is not a matter of updating the user manual: it is a matter of redrawing the boundaries of an ecosystem worth billions.
The official text is available on the SAP Help Portal. I advise everyone interested to read it without intermediaries. For convenience and context, below I summarize and quote some parts of it.
Section 1 introduces a clear classification into three categories:
The critical point for many organizations is that RFC calls, BAPIs, and other traditional routes, for decades the backbone of SAP data flows, presumably fall into the category of non-published APIs. But let's move on to section 2 where we talk about controls.
It reads verbatim:
Except through and within the limits of SAP-endorsed architectures, data services, or service-specific pathways expressly identified and intended for such purposes, SAP prohibits API use for: (a) interaction or integration with (semi-)autonomous or generative AI systems that plan, select, or execute sequences of API calls, and (b) scraping, harvesting, or systematic and/or large-scale data extraction or replication.
Simplified: if your AI agent queries SAP autonomously (planning, selecting, or executing sequences of API calls) you are violating the policy, unless you go through architectures expressly approved by SAP such as Joule (SAP's AI), BTP, and SAP Business AI Platform.
SAP reserves the right to monitor API use and to adopt "reasonable enforcement actions" in case of non-compliance. The provided measures are: throttling, suspension, or termination of access. And it is explicitly prohibited to bypass controls through "intermediary services, custom code or developments, proxies, gateways, impersonation techniques, or similar mechanisms."
The only explicitly guaranteed protection is towards legal obligations: the policy does not limit SAP's obligations related to data export or data egress required by specific regulations ( data portability, switching, legal retention).
For a few months now, many have expressed their views.
The Deutschsprachige SAP-Anwendergruppe (DSAG) published an official note on April 29, 2026, harsh in tone and precise in content, identifying three specific requests: clear definitions and complete documentation of the APIs involved, explicit contractual guarantees, and realistic transition times for those who depend on undocumented APIs.
Forrester summarized the picture in no uncertain terms: "Three weeks ago, the SAP API Policy v.4.2026a looked like a legal document with no enforcement infrastructure. After Sapphire 2026, it looks like a strategy with a product line attached.". Technical enforcement begins on June 9, 2026, with a security patch that blocks ODP via non-compliant RFC calls.
The answer is "it depends".
Note: the above is my interpretation based on the many contracts viewed in my work. However, I advise a legal opinion on the subject, especially in "gray" cases. *Article signed by Jary Busato, SAM/ITAM Consultant at WEGG - The Impact Factory ATTENTION! This article is drafted by Jary Busato for informational and sharing purposes. The analyses and comments expressed represent the author's point of view and do not constitute legal advice or contractual consultation. The contents are based on publicly available sources cited at the end of the article. SAP SE and the mentioned products are registered trademarks of their respective owners. The author has no commercial affiliations with SAP SE nor with the cited vendors. The contents are updated to June 2026.
Insights
La policy si applica a tutte le soluzioni SAP cloud e on-premise, inclusi S/4HANA Private Cloud (RISE) e tutte le line-of-business solution.
OUR OFFICES
OUR OFFICES
PADUA
Via Arnaldo Fusinato 42, 35137
MILAN
Viale Enrico Forlanini 23, 20134
ROME
Viale Giorgio Ribotta 11, 00144
Copyright © 2025 WEGG S.r.l. • P.I 03447430285 • C.F. 02371140233 • REA 311023
Azienda Certificata ISO 9001:2015 – ITA / ISO 9001:2015 – EN