What's your experience with SAP ERP on-prem security testing? What kind of engagement did you choose for your SAP landscape—was it a deep-dive technical System Audit, a full-scope Red Team scenario, or something in between? What was the 'why' behind your decision, and what were your key takeaways?

1k views, 2 comments
Director of IT in Healthcare and Biotech, a day ago

Let's break it into two parts: a comprehensive Security Audit, and threat testing plugged into it.

A hybrid approach that involves periodic deep-dive Security Audits and ad-hoc red team scenarios to optimize and balance the resources, time, and effort, and mitigate the risk. One should make it more targeted and results-oriented.
Organizations generally know their weak areas, so tap into those; the higher-weighted risks must be targeted first.
Deep-dive Security Audit with testing, which also ensures the following:
Periodic review (regular/continuous monitoring) to ensure administrative privileges are sufficiently and effectively secured, tracked, and controlled to prevent misuse. Established elevation of administrative privileges on need and by approval.
Administer all changes to access rights (creation, modification, and deletion) based only on approved and documented transactions authorized by designated management individuals. Wrong configs and improper access controls are the primary gateways for the risks.
Build a role-based and job-based Authority Matrix to have authority with segregation of duties.
Link access control with users' Active Directory/LDAP or employee database.
Coordinated Red and Blue teams for ad-hoc threat testing, including business continuity.
Beyond testing, key takeaways:
It's a team effort and exhausting, so keeping everyone motivated and interested is also crucial for good involvement.
SAP is a complex system; hence, a combination of multi-layered options could be more effective.
"Security is everyone's responsibility." Establishing this culture is tough, but highly beneficial.
"Look inward and look around as well," meaning the auxiliary systems/integrations should also be in scope, as SAP is always highly integrated.
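The authority-matrix, segregation-of-duties and privileged-access review points in the reply above, shown as an added example that is not part of this reply or of any SAP tooling: a small Python check over constructed role and user data. The role-to-transaction map, the user-to-role map, the conflict rules and the approval records are all invented here for illustration; in a real review they would be exported from the SAP authorization and change-management records.

```python
"""
Added example, not from the thread: a minimal segregation-of-duties (SoD)
and privileged-access review over a constructed authority matrix.

Everything below is constructed sample data, not real SAP roles or
transaction codes. A real review would read role contents, user
assignments and approval tickets from the landscape's own exports.
"""

# Constructed conflict rules: pairs of functions a single user should not
# hold together, with a short description of why they conflict.
SOD_RULES = {
    ("CREATE_VENDOR", "PAY_VENDOR"): "vendor master maintenance vs. payment run",
    ("CREATE_PO", "APPROVE_PO"): "purchase order creation vs. approval",
    ("MAINTAIN_USER", "ASSIGN_ROLE"): "user administration vs. role assignment",
}

# Constructed role -> functions (stand-ins for transaction codes) matrix.
ROLE_TCODES = {
    "AP_CLERK": {"CREATE_VENDOR", "DISPLAY_VENDOR"},
    "AP_PAYMENTS": {"PAY_VENDOR", "DISPLAY_VENDOR"},
    "BUYER": {"CREATE_PO"},
    "PO_APPROVER": {"APPROVE_PO"},
    # A single role can carry a conflict inside itself; the check below
    # catches that too, because it works on the user's effective functions.
    "BASIS_ADMIN": {"MAINTAIN_USER", "ASSIGN_ROLE"},
}

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_PAYMENTS"},
    "carol": {"BUYER", "PO_APPROVER"},
    "dave": {"BASIS_ADMIN"},
    "erin": {"BASIS_ADMIN"},
}

# Roles whose assignment must be backed by an approval record, and the
# (constructed) approvals on file, keyed by (user, role) -> change ticket.
PRIVILEGED_ROLES = {"BASIS_ADMIN"}
APPROVALS = {("dave", "BASIS_ADMIN"): "CHG-PLACEHOLDER-0001"}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of all functions a user holds through all assigned roles."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= role_tcodes.get(role, set())
    return codes


def sod_conflicts(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                  rules=SOD_RULES):
    """Return (func_a, func_b, description) for each rule the user violates."""
    codes = effective_tcodes(user, user_roles, role_tcodes)
    found = []
    for (a, b), description in sorted(rules.items()):
        if a in codes and b in codes:
            found.append((a, b, description))
    return found


def review_landscape(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                     rules=SOD_RULES):
    """Map each user with at least one SoD conflict to their conflict list."""
    report = {}
    for user in sorted(user_roles):
        conflicts = sod_conflicts(user, user_roles, role_tcodes, rules)
        if conflicts:
            report[user] = conflicts
    return report


def unapproved_privileged_assignments(user_roles=USER_ROLES,
                                      privileged=PRIVILEGED_ROLES,
                                      approvals=APPROVALS):
    """List (user, role) pairs holding a privileged role with no approval record."""
    missing = []
    for user in sorted(user_roles):
        for role in sorted(user_roles[user]):
            if role in privileged and (user, role) not in approvals:
                missing.append((user, role))
    return missing


if __name__ == "__main__":
    for user, conflicts in review_landscape().items():
        for a, b, why in conflicts:
            print(f"SoD conflict: {user} holds {a} and {b} ({why})")
    for user, role in unapproved_privileged_assignments():
        print(f"Unapproved privileged assignment: {user} -> {role}")
```

The check deliberately evaluates a user's effective functions rather than role names, so a conflict baked into one role (the constructed BASIS_ADMIN role here) is reported just like a conflict that arises from combining two roles; the approval check is the "elevation by approval" control from the reply, reduced to a lookup against the change records on file.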

CISO, 7 days ago

I used to deliver these. At a baseline you want a landscape pentest; it will pick up infrastructure issues that can lead to full compromise. Be wary of pentest firms using only open source SAP test tools - they are insufficient.
