SENTINEL-HCM: Federated Temporal Graph Intelligence for Detecting API Abuse, Data Leakage, and Policy Drift in SAP SuccessFactors Cloud Integrations
DOI:
https://doi.org/10.66592/jcstm.01.01.01
Keywords:
SAP SuccessFactors, cloud HCM security, federated learning, temporal graph intelligence, API abuse detection, data leakage detection, token misuse, policy drift, privileged access drift, zero-trust integration, OAuth security, graph neural networks, anomaly detection, HR data governance, privacy-preserving analytics.
Abstract
Modern HCM integrations expose a difficult security problem: the riskiest events rarely appear as isolated violations, but as small changes in API sequences, token behavior, role permissions, data movement, and policy execution over time. In SAP SuccessFactors cloud environments, these signals are often distributed across integration middleware, identity services, workflow engines, audit logs, and external enterprise systems, making conventional threshold alerts inadequate for detecting slow-moving data exposure and governance drift. SENTINEL-HCM addresses this gap through a federated temporal graph intelligence framework that converts cloud integration activity into an evolving security graph, where users, service accounts, OAuth tokens, API endpoints, integration jobs, HR data objects, external systems, workflow rules, and access policies are modeled as connected entities. The framework combines temporal graph learning, federated model aggregation, sensitive-object lineage scoring, and policy drift measurement to identify API abuse, token misuse, privileged access drift, data leakage, and abnormal integration behavior without centralizing raw employee data. Its learning design uses local graph encoders to capture tenant-specific event patterns, a federated aggregation layer to preserve privacy across distributed integration nodes, and a risk interpretation layer that traces high-risk predictions back to the API path, token scope, accessed object, permission change, or policy deviation responsible for the alert. The evaluation compares SENTINEL-HCM with rule-based monitoring, classical anomaly detection, tree-based classifiers, sequence models, static graph learning, and non-federated temporal graph baselines, where the proposed framework achieved an F1-score of 0.937, ROC-AUC of 0.978, PR-AUC of 0.961, and a false positive rate of 2.60%. 
By treating integration security as a time-evolving relationship problem rather than a flat log-classification task, the proposed framework provides a practical foundation for privacy-preserving HCM security monitoring, explainable audit evidence, and proactive governance of SAP SuccessFactors cloud data exchange.