By NHI Mgmt Group Editorial Team
Published 2025-09-19
Domain: Governance & Risk
Source: Cerby

TL;DR: Disconnected apps now make up a large share of enterprise SaaS and legacy estates. Cerby's source article argues that identity teams still govern them with tickets, spreadsheets, and manual password updates, which creates visibility, compliance, and remediation gaps. Manual control can extend coverage, but it does not scale as a durable identity governance model.


At a glance

What this is: This is an analysis of why disconnected apps remain a major identity governance blind spot and how manual controls fail to cover them.

Why it matters: It matters because IAM, IGA, PAM, and NHI teams still need consistent lifecycle, access review, and remediation coverage when applications cannot integrate cleanly with modern identity standards.



Context

Disconnected apps are applications that do not support modern identity standards such as SAML, SCIM, or API-based automation, which leaves identity teams dependent on manual processes to manage access, passwords, and offboarding. In practice, that creates a governance gap across both SaaS and older on-premises or homegrown systems, because the application estate is larger than the identity stack can see.

The primary issue is not that disconnected apps are unusual. It is that they are common, business-critical, and often managed outside formal IAM workflows. When access lives in tickets, spreadsheets, and email threads, the programme loses auditability, consistency, and speed, which is exactly where identity governance is supposed to reduce risk.

For teams building a broader programme, the challenge belongs in the same conversation as lifecycle management, access reviews, and entitlement cleanup. The operational pattern is familiar enough to map to the Ultimate Guide to NHIs, but the application layer here is broader than NHI alone because it spans user access governance across disconnected systems.


Key questions

Q: How should security teams govern disconnected apps that do not support SAML or SCIM?

A: Treat them as explicit exceptions in the identity programme. Assign ownership, define access review cycles, and require a documented remediation path for onboarding, offboarding, and entitlement changes. If the application cannot participate in normal identity automation, the governance process must compensate with traceability, evidence, and enforcement.

Q: Why do disconnected apps create so much risk for IAM teams?

A: They break the normal identity control loop. When provisioning, certification, and deprovisioning depend on tickets or email, access becomes slower to correct, harder to audit, and easier to overlook. The risk grows when the app is business critical but still outside integrated lifecycle controls.

Q: What do teams get wrong about manual access reviews for disconnected applications?

A: They confuse completion with control. A spreadsheet-based access review can produce a record, but it does not guarantee that entitlements were accurate, owners were reachable, or removals were enforced. Without reliable data and follow-through, the review becomes documentation rather than governance.

Q: Who should be accountable when disconnected app access is not removed properly?

A: The accountable owner should be the business and technical owner of the application, with identity teams defining the control standard and audit evidence requirements. If no named owner can act on remediation, the application is not actually governed, no matter how many reviews it passes.


Technical breakdown

Why disconnected apps break modern identity integration

Disconnected apps are systems that cannot participate cleanly in SAML, SCIM, or API-driven identity workflows. That means the identity plane cannot automatically provision, deprovision, certify, or synchronize entitlements, so the security team loses the control loop that modern governance depends on. The result is not simply inconvenience. It is a structural break between identity policy and application reality, especially when the app remains business critical but cannot speak the language of the control stack.

Practical implication: inventory which applications cannot integrate with your identity standards and treat them as governance exceptions, not informal side projects.

How manual governance breaks down at scale

Manual governance usually means tickets for onboarding and offboarding, spreadsheets for access reviews, and email for password handling or entitlement cleanup. These methods can work in isolated cases, but they fail when the app estate expands because ownership becomes unclear, evidence becomes fragmented, and remediation slows down. The problem is not that the tasks are hard individually. The problem is that they depend on human coordination for every step, which makes repeatability and audit readiness fragile.

Practical implication: replace ad hoc manual handling with a defined exception workflow that records ownership, review outcomes, and remediation actions in one system of record.

Why session control matters after governance decisions

Access governance is not complete when a review closes. If an app still has active sessions or stale credentials after access is removed, the identity decision has not been enforced in the application layer. That is why session termination, credential rotation, and deprovisioning need to follow the governance action, not merely accompany it. In disconnected environments, this last mile is often the weakest point because the application cannot be trusted to cleanly enforce the decision on its own.

Practical implication: require post-review enforcement steps for disconnected apps, including session termination and credential revocation where the platform allows it.


Threat narrative

Attacker objective: The practical objective is to preserve unauthorized or poorly governed access long enough to survive reviews, audits, and offboarding.

  1. Entry occurs when business units adopt disconnected SaaS or legacy applications outside IT-approved identity workflows, creating unmanaged access paths.
  2. Credential and entitlement control then drift into manual handling, where passwords, sessions, and account changes are maintained through tickets or email instead of enforced lifecycle automation.
  3. Impact is governance failure, with incomplete offboarding, weak audit evidence, and residual access that can persist after reviews or role changes.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Disconnected app governance is really a lifecycle governance problem, not just a tooling gap. The source article shows that identity teams still rely on tickets, spreadsheets, and manual password work when applications do not integrate with SAML or SCIM. That means the issue is not simply lack of automation. It is the absence of a dependable lifecycle path for onboarding, certification, and offboarding across applications that remain operationally essential. Practitioners should treat disconnected apps as a governed population, not a fringe exception.

Visibility is the first control that fails when applications sit outside the identity stack. If teams cannot reliably see who has access, what entitlements exist, or who owns the application, every later control becomes partial. The article’s core point is that access review without context is administrative theatre. Once entitlement and owner data are missing, certification campaigns can still run, but their findings are weak and their remediation paths are inconsistent. Practitioners should measure governance coverage by completeness of identity and owner data, not by the number of reviews completed.

Manual identity operations create control latency that governance frameworks were not designed to absorb. Access that is changed through tickets and email can be technically correct and still arrive too late to matter. The identity programme then inherits delay, inconsistency, and evidence loss at the exact point where auditability should be strongest. This is why disconnected applications need explicit exception handling and lifecycle enforcement, not just policy statements. Practitioners should assume that any manual step becomes a potential failure mode unless it is tightly bounded and logged.

Blast-radius control is the right concept for disconnected apps because the main risk is residual access persistence. The article’s emphasis on session control, credential rotation, and deprovisioning shows that the key question is how far access can spread after governance action is taken. If review outcomes do not translate into session termination or credential revocation, the blast radius remains open. Practitioners should focus on how quickly a disconnected app can be brought back to a known state after access is removed.

Disconnected app coverage should be evaluated as part of a broader identity architecture, not as an add-on project. The article is strongest when it frames Cerby as a bridge into existing governance workflows rather than a replacement for them. That reflects the real architectural choice for practitioners: extend the control plane to unreachable applications, or accept permanent blind spots. The field is moving toward coverage-oriented identity governance, and teams that cannot extend controls to disconnected systems will carry hidden risk across both compliance and security programmes.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, according to the Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why residual access remains a recurring governance problem.
  • That lifecycle gap is why teams should pair governance coverage with the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, when disconnected apps and machine identities overlap.

What this signals

Disconnected app coverage is becoming a test of whether identity programmes can govern beyond the fully connected stack. As business-led application adoption expands, teams will need to prove that lifecycle control, access review, and post-review enforcement still work when the app cannot speak native identity protocols. The programme signal is simple: if governance depends on integration, your exception list is already your real control surface.

Coverage will matter more than policy in the next phase of identity governance. The number of completed reviews is less useful than proof that access was actually removed, sessions were terminated, and ownership stayed current. Teams that can measure complete enforcement across disconnected apps will have a clearer view of residual risk than teams that only measure process throughput.

Blind spots in disconnected applications will increasingly overlap with NHI and workload identity governance. That is where the shared pattern emerges: control planes fail when they cannot see the subject they are meant to govern. For practitioners, the next step is to align disconnected app governance with broader identity architecture and use the Ultimate Guide to NHIs as a lifecycle benchmark while extending control coverage to legacy and off-platform applications.


For practitioners

  • Classify disconnected applications as governed exceptions: build an inventory of apps that cannot support SAML, SCIM, or API-driven identity workflows, then assign each one an owner, review cadence, and remediation path.
  • Connect access reviews to enforcement steps: require every certification outcome to trigger a follow-up action for session termination, credential rotation, or deprovisioning where the application supports it.
  • Replace spreadsheet governance with traceable workflows: move onboarding, offboarding, and entitlement cleanup out of email and spreadsheets so evidence, ownership, and remediation status live in one auditable record.
  • Measure control coverage, not process volume: track how many disconnected apps have complete ownership, entitlement visibility, and post-review enforcement, rather than counting only the number of access reviews completed.
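The two controls the technical breakdown and these practitioner steps keep returning to, post-review enforcement (is the leaver's account really gone?) and coverage measurement (how many exception apps have an owner, an in-cadence review, and an enforcement record?), are both just reconciliation over data the team already holds. The script below is an added example written for this page, not Cerby's or NHIMG's code: it diffs a hand-pulled account export from two disconnected apps against the HR/IdP source of truth to surface residual access and orphan accounts, then scores an exception register the way the "measure coverage, not volume" bullet describes. The CSV layouts, column names, app names and every row are constructed for illustration, and the reference date is pinned to this page's publication date so the day counts are reproducible.

```python
"""Residual-access reconciliation and coverage scoring for disconnected apps.

Added example for this page; not Cerby's or NHIMG's code. All CSV layouts,
column names and rows are constructed, and TODAY is pinned to the page's
publication date so the arithmetic is reproducible.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 9, 19)  # constructed reference date

# Constructed: exception register for apps that cannot speak SAML/SCIM/API.
REGISTER_CSV = """\
app,owner,review_cadence_days,last_review,last_enforcement
legacy-erp,jane.doe,90,2025-08-01,2025-08-03
vendor-portal,,90,2025-05-10,
payroll-sftp,sam.lee,180,2025-09-01,2025-09-01
"""

# Constructed: HR/IdP source of truth with leaver dates.
IDENTITY_CSV = """\
user,status,terminated_on
alice,active,
bob,terminated,2025-08-20
carol,terminated,2025-06-01
dave,active,
"""

# Constructed: account export pulled by hand from the disconnected apps.
APP_EXPORT_CSV = """\
app,user,enabled,last_login
legacy-erp,alice,true,2025-09-10
legacy-erp,bob,true,2025-09-05
legacy-erp,carol,false,2025-05-30
vendor-portal,bob,true,2025-09-12
vendor-portal,mallory,true,2025-09-15
"""


def load(csv_text: str) -> list:
    """Parse an inline CSV document into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


@dataclass
class Finding:
    app: str
    user: str
    kind: str                 # "residual_access" or "orphan_account"
    days_open: Optional[int]  # days since termination; None for orphans


def residual_access(identity_rows, export_rows, today=TODAY):
    """Flag enabled app accounts whose subject is terminated in the source of
    truth (residual access) or unknown to it (orphan, so ungovernable)."""
    identities = {r["user"]: r for r in identity_rows}
    findings = []
    for row in export_rows:
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account is not live access
        ident = identities.get(row["user"])
        if ident is None:
            findings.append(Finding(row["app"], row["user"], "orphan_account", None))
        elif ident["status"] == "terminated":
            gone = date.fromisoformat(ident["terminated_on"])
            findings.append(Finding(row["app"], row["user"], "residual_access",
                                    (today - gone).days))
    return findings


def coverage(register_rows, today=TODAY):
    """Per app: governed only with a named owner, a review inside its cadence,
    and an enforcement record dated on or after that review."""
    report = {}
    for r in register_rows:
        review = date.fromisoformat(r["last_review"]) if r["last_review"] else None
        enforced = date.fromisoformat(r["last_enforcement"]) if r["last_enforcement"] else None
        cadence = timedelta(days=int(r["review_cadence_days"]))
        checks = {
            "owner": bool(r["owner"].strip()),
            "review_in_cadence": review is not None and today - review <= cadence,
            "enforced_after_review": (review is not None and enforced is not None
                                      and enforced >= review),
        }
        report[r["app"]] = {**checks, "governed": all(checks.values())}
    return report


def coverage_ratio(report) -> float:
    """Share of registered apps passing every check: the metric to track
    instead of the number of reviews run."""
    if not report:
        return 0.0
    return sum(1 for v in report.values() if v["governed"]) / len(report)


if __name__ == "__main__":
    for f in residual_access(load(IDENTITY_CSV), load(APP_EXPORT_CSV)):
        print(f"{f.kind:16} {f.app:14} {f.user:8} days_open={f.days_open}")
    rep = coverage(load(REGISTER_CSV))
    for app, checks in rep.items():
        print(app, checks)
    print(f"coverage: {coverage_ratio(rep):.0%}")
```

On the constructed data this reports bob as residual access in both apps, 30 days after termination, and mallory as an orphan account that no source of truth can vouch for; vendor-portal fails all three coverage checks (no owner, review older than its 90-day cadence, no enforcement record), so coverage is 2 of 3 apps even though vendor-portal has had a review. The design choice worth copying is that "enforced_after_review" requires an enforcement timestamp that post-dates the review: a review with no recorded follow-up counts as ungoverned, which is exactly the "completion is not control" point the article makes.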

Key takeaways

  • Disconnected apps create an identity governance blind spot because they sit outside the standards and workflows that automate lifecycle control.
  • Manual handling through tickets, spreadsheets, and email can document activity, but it does not reliably enforce access removal or maintain audit-grade evidence.
  • Identity teams should manage disconnected applications as governed exceptions with named ownership, enforcement steps, and measurable coverage.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Disconnected apps often fail credential rotation and deprovisioning workflows.
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations are managed, enforced, and reviewed) | Access permissions management is central to governing disconnected application accounts.
NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust (authorization is dynamic and strictly enforced before access is allowed) | Disconnected apps challenge continuous access verification and policy enforcement.

Extend zero trust policy coverage to disconnected apps through compensating controls and enforced revocation.


Key terms

  • Disconnected App: An application that cannot integrate cleanly with modern identity standards such as SAML, SCIM, or API-based automation. These systems often require manual governance for access, offboarding, and entitlement changes, which increases the chance of drift between policy and actual application state.
  • Identity Governance: The set of processes used to ensure the right identities have the right access for the right reasons and for the right duration. In disconnected environments, governance depends on exception handling, evidence capture, and follow-through because native automation is unavailable.
  • Access Certification: A periodic review process used to confirm whether an identity should keep its access. For disconnected apps, certification is only meaningful if review results can be enforced, ownership is clear, and entitlement data is accurate enough to support a decision.
  • Residual Access: Access that remains in place after it should have been removed. In disconnected applications, residual access is common when offboarding, session termination, or credential revocation is handled manually and the final enforcement step is missed or delayed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Cerby: The Rise of Disconnected Apps and the Growing Challenge for Identity Teams. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org