AI clause in new SAP API policy has partners worried over lock-in
Expert says it could push customers and partners to work with undocumented APIs
SAP is prohibiting the use of its APIs to integrate with AI systems outside its endorsed architectures, raising concerns that it is locking out third-party AI tools from customers' SAP data.
The API policy document published earlier this month says that "except through and within the limits of SAP-endorsed architectures, data services, or service-specific pathways expressly identified and intended for such purposes, SAP prohibits API use for: (a) interaction or integration with (semi-) autonomous or generative AI systems that plan, select, or execute sequences of API calls, and (b) scraping, harvesting, or systematic and/or large-scale data extraction or replication."
Marian Zeis, an independent SAP consultant in Germany, said the changes were more restrictive than the community expected and could affect SAP customers, not just third-party partners.
The concern is that customers themselves, or those working with partners, might be restricted in how they deploy alternatives to SAP's AI technologies or other systems as the list of "documented" APIs is not kept up to date.
"SAP is pretty slow to publish those or improve templates, so we more or less have to rely on [undocumented APIs]. Otherwise, we can't continue developing our applications with our use cases," he said. If developers are only allowed to use the documented APIs, it would allow the vendor to "govern, monitor, throttle, and control" future development of customers' SAP systems, he warned in a post.
Several other consultants echoed these concerns.
Reporter Christof Kerkmann from German newspaper Handelsblatt said the new API policy had sparked immediate controversy, adding it appeared the document was published by mistake.
You can find the document, which was last updated on April 27th but still contains the critical phrasing, in SAP's help section; readers can view a download here [PDF].
SAP also provided an FAQ here.
An SAP spokesperson told The Register:
"SAP has announced updates to its data access and API policies to support secure, reliable, and equitable use of shared enterprise platforms as automation and AI-driven access continue to grow. These updates clarify design-intended use of SAP interfaces, align with industry standard cloud practices, help protect system stability and customer data, and provide guidance on supported integration patterns — without changing customer data ownership."
On a call to investors last week, CEO Christian Klein said customers would not pay for accessing their own data and claimed SAP wants to keep its architecture open, including for third-party AI agents.
"Obviously, when there is mass data requests or millions of calls coming towards an API, we need to start throttling those APIs, because otherwise we are ending up, or the customer is ending up, in performance issues on the application side. Again, no customer, no partner needs to worry. We all want them, and we want to have an open platform. Please also understand that the IP of SAP, the domain knowhow is something [which] we will make available to our customers… but [is also] something which [is] a great asset to protect," he said.
Alisdair Bach, head of SAP practice at consultancy Dragon ERP, told The Register there is also an argument for tightening access to APIs as a security measure.
"We are moving into a landscape where enterprise systems are being tested constantly. Not occasionally, but continuously. Data extraction is automated, and AI-driven agents can probe weak access points far faster than any human ever could," he said.
"In that environment, loose integration patterns are not just inefficient. They are vulnerable," Bach said. ®




