Developing a new drug is one of the most expensive innovation processes in the global economy. It can take more than a decade of research and billions of dollars in investment before a treatment reaches the market.
That investment is protected by one critical asset: intellectual property (IP).
Drug formulas, molecular discoveries, clinical trial data, and manufacturing processes represent the competitive advantage of pharmaceutical and biotech companies.
Protecting that knowledge has always been important. But today, new threats are emerging that put these strategic assets under greater pressure than ever before.
On one side, rising geopolitical tensions are contributing to a more multipolar world in which software, hardware, data, patents, and IP are increasingly treated as strategic assets for national interests.
At the same time, companies face growing risks from corporate espionage, cyberattacks, internal leaks, and reverse engineering, making IP protection a top priority for companies, but also for regulators and national governments.
According to the WEF, one in three CEOs now ranks cyber espionage and the theft of sensitive information among their top strategic concerns.
On the other side, the pharmaceutical R&D process itself is relying heavily on AI for different parts of the drug discovery pipeline. AI models can analyze molecular structures, simulate chemical interactions, and accelerate early-stage research.
However, this transformation also introduces two important risks:
1) First, it is often difficult to trace the data used to train generative AI models. These models may include both public and proprietary information, sometimes without clear attribution. As a result, organizations may unknowingly use AI-generated outputs that rely on IP belonging to other companies or protected by patents.
2) Second, when researchers interact with external AI tools, there is a risk that confidential information (such as molecular formulas, test results, or clinical insights) could be inadvertently exposed if the organization is not using a properly secured private model or has not configured adequate safeguards.
For Life Sciences companies, these risks can have serious consequences: multimillion-dollar financial losses, legal disputes, regulatory penalties, and disruptions to already lengthy R&D processes.
In this article, we explore how SAP’s governance capabilities help Life Sciences companies address all these challenges and protect their intellectual property.
A Bit Of Context: Corporate Espionage, National Security, and AI Infringing IP
I. Why governance matters more in a fragmenting world
As we explored in “Rethinking Software Delivery in a Fragmented World”, the machinery of globalization is not running quite as smoothly as it once did. Cross-border trade still defines the global economy, but the system shows strain. Companies operate internationally as before, yet governments now watch far more closely what flows across those same borders.
Intellectual property sits at the centre of that scrutiny.
A 2025 report from the Center for Strategic and International Studies notes that some economic assets carry implications far beyond business. Intellectual property is a prime example. The formula behind a drug, the code behind critical software or the process behind advanced manufacturing can influence public health, industrial capacity and technological leadership. What looks like a corporate asset on paper can quickly become a matter of national interest.
Corporate leaders are increasingly aware of this shift. According to the World Economic Forum’s Global Cybersecurity Outlook, nearly 60% of organizations say geopolitical tensions have already influenced their cybersecurity strategy. At the executive level, the concern is even more explicit: one in three CEOs now identifies cyber-espionage and intellectual-property theft as one of their top strategic risks, while 45% of cybersecurity leaders worry about disruptions to operations and business processes caused by geopolitical tensions.
The stakes are reflected in the scale of investment. Global spending on research and development now exceeds $2.2 trillion a year, with governments and companies pouring resources into artificial intelligence, biotechnology, semiconductors and other advanced technologies.
When knowledge becomes that valuable, it also becomes a potential target.
Why IP matters so much in biopharma
Few industries depend on intellectual property as deeply, or as expensively, as biopharma.
Bringing a new drug to market can cost anywhere from $300 million to $2.8 billion (CSIS). The full journey can stretch across 10 to 15 years.
Drug discovery is a long process filled with failed experiments, dead ends, and expensive setbacks.
IP is what makes that risk tolerable for labs.
The patent system is often debated. But from a purely economic standpoint, without patent protection few investors would fund research programs that require billions of dollars and more than a decade of experimentation.
In Life Sciences, however, protecting IP goes far beyond guarding the final drug formula.
It also means protecting the layers of knowledge that sit upstream from commercialization: molecular research, early-stage findings, experimental results, clinical trial data, manufacturing processes, discovery models, collaboration records, and the logic embedded across R&D systems.
Drug discovery is also deeply collaborative. Universities, startups, pharmaceutical companies, contract research organizations, cloud platforms, manufacturing partners, and regulators all play a role.
Valuable knowledge moves constantly across these networks. And every transfer creates another point of exposure.
That is why governance matters so much in this industry:
- Who can access specific datasets?
- Who approves that access?
- Which partners can interact with internal systems?
- What information can move across borders?
- Which parts of the research pipeline remain confidential, and to whom?
When corporate secrets walk out the door
Many companies assume that if they build a strong enough cybersecurity perimeter, the fortress holds. Firewalls, identity tools, monitoring, controls. All necessary. But that view can be dangerously incomplete.
Because intellectual property is often not stolen by smashing through the walls. It leaks through the side doors, the trusted connections, the people already inside the building.
Research cited by Splunk points to a sobering reality: around 95% of data breach incidents involve a human element.
Corporate espionage, for example, can take many forms: a disgruntled employee, an insider gathering information over time, or even a business relationship that unintentionally becomes a channel for intelligence.
And the consequences can be enormous.
The BBC reported on the case of a former General Electric engineer who concealed confidential turbine design files inside the binary code of a digital photograph using steganography. There was nothing cinematic about it. In the end, the files left the company through something as ordinary as an email.
This is the real lesson: Sensitive knowledge does not only need to be locked away from outsiders. It needs to be governed across the people, systems, and relationships already allowed to touch it.
II. AI introduces a new layer of intellectual-property risk
The same research knowledge that companies now work so carefully to protect is also beginning to flow through GenAI systems.
Generative AI is becoming an increasingly important part of the drug-discovery pipeline. According to McKinsey, the time companies have to capture the commercial value of a new drug has fallen from 11.7 years to about 9.8 years over the past two decades, thanks, in part, to these new tools.
Researchers at MIT, for example, have used generative AI to screen more than 45 million chemical structures in search of new antibiotics. From those candidates, scientists identified compounds capable of killing highly drug-resistant bacteria such as MRSA and gonorrhoea, infections that are becoming harder to treat as antibiotic resistance spreads.
This example illustrates why many scientists believe AI is opening a new chapter in drug discovery. The technology can explore vast chemical libraries in hours rather than years, helping researchers accelerate early-stage research and uncover treatments for diseases that have resisted decades of traditional experimentation.
The pharmaceutical industry has taken notice. McKinsey estimates that generative AI could generate $60 billion to $110 billion in economic value annually for pharmaceutical and medical-product companies by accelerating compound discovery, clinical development and regulatory workflows.
But the technology also introduces two important risks.
1) When AI models are trained on uncertain data sources
The first relates to the origins of the data used to train these models.
Generative AI systems are typically trained on vast datasets that combine publicly available information with material whose provenance is not always transparent. In many cases, it can be difficult to determine exactly which sources contributed to a particular output.
For most industries, this raises questions about attribution. In Life Sciences the stakes are higher. Drug discovery pipelines often rely on highly specialized datasets and patented knowledge. If an AI-generated output draws on protected information, companies may find themselves relying on intellectual property that belongs to someone else, or inadvertently reproducing insights already covered by existing patents.
2) Unintentional exposure of proprietary research
The second risk moves in the opposite direction: sensitive information leaving the organization.
In highly regulated industries such as Life Sciences, companies rarely allow researchers to upload confidential data into unsecured AI tools. Strict compliance frameworks and internal policies usually prevent that.
Yet the reality inside large organizations is often more complex.
When official AI capabilities are limited, delayed, or difficult to access, employees sometimes turn to external tools on their own. This phenomenon (often referred to as shadow AI) is becoming a growing concern across many industries.
In those situations, proprietary knowledge can inadvertently end up embedded in prompts, uploaded documents, or model interactions. Molecular structures, experimental results, or clinical insights may pass through external systems without the organization fully understanding how that information is stored, processed, or reused.
But external tools are not the only source of risk.
Even AI systems deployed inside corporate environments can introduce unexpected vulnerabilities. Security researchers have already demonstrated how attackers can exploit AI assistants to extract sensitive information from enterprise systems.
One example involved Microsoft Copilot. In 2025, researchers identified a vulnerability known as “Reprompt,” which allowed attackers to bypass Copilot’s security guardrails through a specially crafted link. By manipulating a URL parameter, attackers could inject hidden prompts into the assistant and force it to perform a chain of actions designed to retrieve sensitive information previously accessible to the user.
None of this diminishes the potential of AI in drug discovery. The technology is already helping researchers explore vast chemical libraries, identify new compounds, and accelerate the search for treatments for diseases that have resisted decades of research.
But it does highlight a new reality: AI systems now sit closer to some of the most valuable assets inside a pharmaceutical company:
- Research data
- Discovery pipelines
- Intellectual property
And this makes governance more important than ever.
How SAP Helps Protect Life Sciences IP
One practical starting point for addressing these risks lies in strengthening governance and access control around critical systems. Many organizations rely on platforms such as SAP to manage core processes and sensitive operational data, which makes them a natural place to establish the first layer of protection.
Tools like SAP GRC and Identity Access Governance help organizations control who can access sensitive environments, what actions different roles are allowed to perform, and how approvals are handled across internal teams, partners, and third-party vendors.
Considering that most security incidents still involve a human element (whether through mistakes, excessive permissions, social engineering, or compromised credentials), these governance mechanisms can play an important role in reducing the risk of valuable IP being unintentionally exposed.
1) Controlling access to scientific knowledge
One of the most important layers of protection in research environments is controlling who can access sensitive scientific data in the first place.
Governance platforms such as SAP GRC and SAP IAG allow organizations to define precisely which users, roles, and applications can access specific datasets inside enterprise systems. That includes research repositories, clinical data, manufacturing documentation, and other knowledge assets that form part of the drug-development pipeline.
This control becomes particularly important when AI systems are introduced into the workflow.
In most enterprise architectures, sensitive research data is not embedded directly inside the AI model. Instead, the model retrieves information from governed systems in real time. As long as that retrieval runs under the requesting user's permissions rather than a broad service account, the AI can only access the same datasets the requesting user is already authorized to see.
In practical terms, if someone from the finance department asks an internal AI assistant about a confidential molecular formula, the system should not retrieve that information because the user does not have permission to access that dataset.
This approach also helps avoid another important risk. If organizations were to train AI models directly on large internal datasets containing proprietary research, that information could become embedded inside the model itself, making it much harder to enforce access controls later. For this reason, many companies prefer architectures where sensitive knowledge remains inside governed systems.
2) Managing collaboration across research ecosystems
Drug discovery rarely happens inside the walls of a single company:
- Universities contribute early-stage research.
- Startups develop new therapeutic approaches.
- Contract research organizations run trials.
- Manufacturing partners scale production.
- Regulators supervise the process.
So pharmaceutical innovation is the result of a long chain of interconnected stakeholders.
Each collaboration can bring valuable expertise and different points of view. But it also introduces new actors (and risks) into environments where sensitive knowledge lives.
Every new participant expands the network through which knowledge moves.
Governance frameworks help keep that complexity under control. Instead of granting broad or permanent access, permissions can be limited to specific datasets, roles, or timeframes. External collaborators see only what they need to see for their work, and nothing beyond that.
In environments where dozens of institutions may participate in different stages of drug development, these guardrails become essential.
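The retrieval-time check described under "Controlling access to scientific knowledge" and the dataset-scoped, time-limited partner grants described in this section can be enforced by the same layer that feeds an internal AI assistant. The sketch below is an added example, not SAP code and not the SAP GRC or IAG API; the users, datasets, document IDs and function names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    expires: Optional[datetime] = None  # None = standing entitlement; set for partners

@dataclass(frozen=True)
class Document:
    doc_id: str
    dataset: str
    text: str

# Constructed sample data: users, datasets and document text are all hypothetical.
GRANTS = [
    Grant("r.chen", "molecular-research"),
    Grant("f.lopez", "finance-reports"),
    Grant("cro.partner", "clinical-trials",
          expires=datetime(2025, 6, 30, tzinfo=timezone.utc)),
]
DOCUMENTS = [
    Document("MOL-001", "molecular-research",
             "Candidate compound molecular formula and synthesis route (placeholder)"),
    Document("CT-014", "clinical-trials",
             "Phase II interim trial results for candidate compound (placeholder)"),
    Document("FIN-207", "finance-reports",
             "Quarterly R&D budget allocation formula (placeholder)"),
]

def allowed_datasets(user, now, grants=GRANTS):
    """Datasets the user may read at `now`; expired grants count as absent."""
    return {g.dataset for g in grants
            if g.user == user and (g.expires is None or now < g.expires)}

def retrieve(user, query, now, audit=None, documents=DOCUMENTS, grants=GRANTS):
    """Keyword search that enforces grants in the retrieval layer, deny by default."""
    permitted = allowed_datasets(user, now, grants)
    terms = query.lower().split()
    hits, denied = [], []
    for doc in documents:
        if any(term in doc.text.lower() for term in terms):
            (hits if doc.dataset in permitted else denied).append(doc)
    if audit is not None:
        # Record IDs only, never content: repeated denials are a signal worth reviewing.
        audit.append({"user": user, "query": query, "at": now.isoformat(),
                      "returned": [d.doc_id for d in hits],
                      "denied": [d.doc_id for d in denied]})
    return hits

def build_prompt(user, query, now, audit=None):
    """Assemble the model input from authorized documents only."""
    context = retrieve(user, query, now, audit)
    if not context:
        return None  # nothing authorized: the model never sees internal data
    body = "\n".join(f"[{d.doc_id}] {d.text}" for d in context)
    return f"Context:\n{body}\n\nQuestion: {query}"

if __name__ == "__main__":
    log = []
    during = datetime(2025, 6, 1, tzinfo=timezone.utc)
    after = datetime(2025, 7, 1, tzinfo=timezone.utc)
    print(build_prompt("f.lopez", "molecular formula", during, log))
    print(build_prompt("cro.partner", "trial results", during, log))
    print(build_prompt("cro.partner", "trial results", after, log))
    for entry in log:
        print(entry)
```

Because the filter runs before the prompt is assembled, the restriction does not depend on the model following instructions, and the audit entries give reviewers a record of queries that matched data the user was not entitled to.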
3) Keeping vendor and partner access under control
Beyond research collaboration, pharmaceutical companies also rely on a large ecosystem of operational partners:
- Suppliers
- Logistics providers
- Manufacturing contractors
- Technology vendors
All of them interact with enterprise systems in different ways. Here, governance intersects with compliance.
Solutions such as SAP Global Trade Services (GTS) help organizations verify whether vendors appear on international sanctions lists or fall under specific regulatory restrictions. Governance tools can then define exactly what those partners are allowed to access within enterprise systems.
In practice, this creates two complementary layers of protection.
The first ensures that partners meet regulatory and compliance requirements. The second ensures that their interaction with enterprise systems remains tightly controlled.
On-Premise or Cloud Governance? Understanding SAP GRC and SAP IAG Approaches
To understand how SAP governance tools fit into intellectual-property protection, it is useful to look at how these solutions are typically used.
SAP GRC has traditionally been used inside companies’ core SAP systems. It is usually installed alongside platforms such as SAP ECC or SAP S/4HANA and accessed through the company’s internal SAP interface.
Because it sits close to the systems where critical business processes run, GRC is commonly used to control access to financial records, operational data, and other sensitive information stored inside those systems.
Companies typically license GRC in a similar way to other SAP modules: a base license combined with additional fees depending on the number of users and the components activated, such as Access Control, Process Control, or Risk Management.
SAP Identity Access Governance (IAG) was introduced later to address a different need. As more business applications moved to the cloud, companies needed a way to manage user identities and permissions across those external systems.
IAG runs on SAP Business Technology Platform (BTP) and is accessed through web interfaces that allow administrators to manage identities across cloud applications connected to the company.
Its licensing model usually follows the logic of cloud services, with subscriptions tied to the number of users or services managed through the platform.
In practice, the difference between the two tools is less about which one is “better” and more about where the systems and data are located.
Organizations that run most of their critical systems inside their own infrastructure often rely on GRC to manage access and compliance.
Companies that depend heavily on cloud applications may rely more on IAG to manage identities across those external services.
In industries such as Life Sciences, where intellectual property, clinical data, and research results represent extremely valuable assets, many companies still keep parts of their infrastructure tightly controlled inside internal systems.
This does not necessarily mean that cloud platforms are insecure. Major cloud providers often offer strong security controls. But some organizations remain cautious about moving highly sensitive research environments entirely to the cloud, particularly when regulatory compliance, trade secrets, and intellectual property are involved.
For that reason, many pharmaceutical companies end up working with a mix of both models.
Core research systems, manufacturing platforms, and ERP environments may remain governed through GRC, while cloud applications used for collaboration, analytics, or AI tools are managed through identity-governance platforms such as IAG.
In other words, governance must cover both worlds: the systems that store sensitive knowledge and the growing number of cloud services that interact with them.
The SAP Roadmap and the 2027 Milestone
The evolution of these tools also reflects broader changes in SAP’s platform strategy.
SAP has announced that mainstream maintenance for SAP GRC 12.0 is scheduled to end on December 31, 2027. This date aligns with SAP’s broader transition away from legacy ECC systems and toward SAP S/4HANA.
The milestone does not mean governance tools will disappear. GRC will continue to play a role for companies running SAP systems on-premise.
What the deadline signals is the direction SAP is taking: a gradual shift toward architectures that combine S/4HANA with cloud platforms such as SAP Business Technology Platform (BTP).
For organizations already planning their S/4HANA migrations, governance architecture is becoming part of that discussion.
Many companies are gradually moving toward models where traditional GRC controls remain in place for core ERP systems, while cloud identity governance tools manage access to external applications and services.
For industries such as Life Sciences, this transition is not only a technology decision. It is also a question of how to continue protecting highly valuable intellectual property while enterprise systems evolve.
Conclusions: Governance as the First Layer of IP Protection
Developing a new drug is one of the longest and most uncertain innovation processes in modern industry. It can take more than a decade of research and billions of dollars in investment before a treatment finally reaches patients.
Experimental results, molecular models, clinical datasets, manufacturing methods, and discovery pipelines represent years of accumulated scientific work. In an industry where innovation moves through large networks of researchers, universities, partners, and platforms, protecting that knowledge becomes a constant challenge.
The risks are also evolving. Corporate espionage, insider threats, and cyberattacks have long been concerns for pharmaceutical companies. In addition, the rapid adoption of GenAI inside these processes adds new lines of exposure.
In this context, tools such as SAP GRC and SAP Identity Access Governance do not eliminate every risk surrounding intellectual property. But they provide an essential first layer of control: defining who can access critical systems, how permissions are granted, and how sensitive information moves across teams, partners, and platforms.
At Inclusion Cloud, we bring more than 20 years of experience as an SAP partner delivering digital engineering solutions for global organizations. Our teams have worked with leading healthcare and pharmaceutical companies on SAP governance, compliance, and S/4HANA transformation initiatives. You can explore some of the results of this work here. If you are looking to strengthen the protection of your most valuable assets, our certified business and technical consultants are ready to help. Contact us to schedule a discovery call.
FAQs:
How do pharmaceutical companies protect drug discovery data?
Companies protect drug discovery data through layered security strategies that include access governance, cybersecurity controls, internal policies, and secure research platforms. Governance tools help define who can access specific datasets and how that information can be shared across teams and partners.
How does AI create risks for pharmaceutical intellectual property?
AI introduces two main IP risks. First, generative models may produce outputs based on data whose origin is unclear, potentially reproducing patented or proprietary knowledge. Second, researchers may unintentionally expose sensitive information when interacting with external AI tools if proper governance and access controls are not in place.
How can SAP help protect sensitive research data?
SAP governance tools help control who can access critical systems and datasets. Solutions such as SAP GRC and SAP Identity Access Governance (IAG) allow organizations to define roles, enforce segregation of duties, approve access requests, and monitor how sensitive information moves across systems and users.
Can governance tools control what data an internal AI system can access?
Yes. In enterprise AI architectures, models typically retrieve information from company systems in real time rather than storing sensitive data directly. Governance tools can limit which datasets an AI assistant can access based on user permissions, preventing unauthorized users from retrieving confidential research information.
How can Inclusion Cloud help Life Sciences companies implement SAP governance?
Inclusion Cloud is an SAP partner with more than 20 years of experience delivering digital engineering solutions. Our teams help organizations implement governance frameworks using tools such as SAP GRC and Identity Access Governance, strengthening access control and compliance across critical systems used in healthcare and pharmaceutical environments.