By NHI Mgmt Group Editorial Team
Published 2026-04-09
Domain: Governance & Risk
Source: Cerby

TL;DR: Thirty percent of enterprise applications are disconnected from identity systems, many of them business-critical, leaving access, audit evidence, and lifecycle controls dependent on manual workarounds, according to Cerby. The maturity gap is no longer about SSO coverage alone, but whether identity programmes can reach the full application estate.


At a glance

What this is: This analysis shows that disconnected applications remain outside core identity controls, creating persistent gaps in access governance, auditability, and lifecycle management.

Why it matters: It matters because IAM, IGA, and PAM teams can only claim mature governance when identity controls extend beyond connected apps to the tools that still run business operations.

By the numbers:

  • On average, 30% of enterprise applications are disconnected from identity systems, often translating to dozens of applications operating outside centralized control.
  • The survey is based on 614 IT and security leaders at organizations with more than 500 employees across the United States.

Read Cerby's analysis of disconnected application risk and identity maturity.


Context

Disconnected applications are applications that sit outside standard identity federation and lifecycle controls because they do not support SAML, OIDC, or SCIM. In practice, that means identity teams cannot rely on the same SSO, MFA, provisioning, and certification workflows they use for connected systems.

The research argues that this is not a small edge case but a structural IAM gap. For teams trying to extend Zero Trust and automate identity governance, disconnected apps force a split between what is theoretically controlled and what is actually reachable. See the Ultimate Guide to NHIs for the broader lifecycle and governance model around machine and non-human access.

Cerby sponsored the Ponemon Institute survey, but the operational problem is larger than the vendor context: when identity tooling cannot reach an application, access governance shifts back to tickets, spreadsheets, and manual admin activity. That is the real maturity test for IAM and IGA programmes.


Key questions

Q: How should security teams govern applications that cannot connect to an IdP?

A: Treat disconnected applications as a separate governance class, not as exceptions to be ignored. Assign an owner, define the approval path, document revocation evidence, and decide whether the app needs compensating controls or should be retired. If access still depends on tickets and spreadsheets, the programme is managing process, not enforcing control.

Q: Why do disconnected apps create so many audit problems?

A: Because auditors need proof that access was granted, reviewed, and revoked consistently, not just a statement that policy exists. Disconnected apps often force teams to assemble evidence after the fact from emails, screenshots, and export files. That is slow, fragile, and difficult to defend when controls are reviewed at scale.

Q: What breaks when identity automation stops at connected applications?

A: Lifecycle management breaks first, then access review quality, then confidence in the overall identity programme. If a meaningful share of applications still relies on manual administration, the organisation loses consistency and cannot prove that identity controls extend across the full estate. The result is partial governance disguised as maturity.

Q: Should organisations prioritise connected app coverage or disconnected app remediation first?

A: Disconnected app remediation should be prioritised where the affected systems are business-critical, sensitive, or heavily audited. Connected applications are easier to standardise, but the governance risk sits in the unreachable layer. Mature identity programmes expand coverage based on risk, not on whichever apps are simplest to integrate.


Technical breakdown

Why disconnected applications sit outside identity federation

Disconnected applications are systems that cannot participate in standard identity plumbing because they lack support for federation and automated provisioning protocols. Without SAML or OIDC, authentication cannot be delegated to the IdP. Without SCIM, joiner-mover-leaver automation cannot reliably create, update, or revoke accounts. That leaves identity teams with fragmented control points, often across legacy SaaS, on-premises business applications, and AI-powered tools that were adopted faster than governance patterns evolved. The result is not just inconvenience. It is a structural break between policy and enforcement.

Practical implication: inventory which applications cannot be governed through your IdP, IGA, and provisioning stack, then treat them as separate control domains.

How manual access handling creates audit and evidence gaps

When access is granted through tickets, email, direct admin login, or spreadsheets, the control may exist in policy but not in machine-verifiable evidence. Auditors care about repeatability and proof, not intent. Disconnected apps often require after-the-fact reconstruction of who approved access, when it changed, and whether revocation happened on time. That creates a weak chain of evidence for SOC 2, ISO 27001, HIPAA, and PCI DSS reviews. In governance terms, the problem is not only access risk. It is evidentiary fragility, where the organisation cannot readily demonstrate that controls were consistently applied.

Practical implication: replace ad hoc evidence collection with a control record for each disconnected app that captures approval, assignment, and revocation events.

Why disconnected apps block identity maturity

Identity maturity is often measured by coverage, automation, and policy consistency. Disconnected apps break all three. You cannot automate lifecycle management if the application has no integration path. You cannot enforce standard authentication or certification if the system remains outside central control. You also cannot claim meaningful Zero Trust coverage when an expanding portion of the application estate is governed by manual exceptions. In effect, the maturity ceiling is not set by your IdP or IGA platform. It is set by the most difficult applications to bring under control.

Practical implication: define maturity against full application reach, not only against the connected systems that are easiest to count.
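As an added example (written for this note, not Cerby's research output or any NHI Mgmt Group tooling), the following Python script turns the inventory and reachability ideas in this breakdown into a control metric. It records each application's protocol support, derives the control gaps described above (no SAML or OIDC means authentication cannot be delegated to the IdP; no SCIM means provisioning and deprovisioning stay manual), scores disconnected apps by criticality, data sensitivity and how access is currently handled, and reports what share of the estate each control can actually reach. The application names, capability flags and scoring weights are constructed for illustration and are not survey data.

```python
from dataclasses import dataclass


# Constructed sample registry: names, capability flags and scores are
# illustrative assumptions, not figures from the Cerby/Ponemon survey.
@dataclass(frozen=True)
class AppRecord:
    name: str
    saml: bool
    oidc: bool
    scim: bool
    criticality: int   # 1 = low .. 3 = business-critical
    sensitivity: int   # 1 = internal .. 3 = regulated data
    access_path: str   # "idp", "ticket", "spreadsheet" or "direct_admin"


CONTROLS = ("authentication", "provisioning", "deprovisioning")


def control_gaps(app: AppRecord) -> list:
    """Controls the central identity stack cannot enforce for this app."""
    gaps = []
    if not (app.saml or app.oidc):
        gaps.append("authentication")                 # no federation: IdP cannot enforce SSO/MFA
    if not app.scim:
        gaps += ["provisioning", "deprovisioning"]    # no SCIM: joiner/mover/leaver is manual
    return gaps


def is_disconnected(app: AppRecord) -> bool:
    return bool(control_gaps(app))


def risk_score(app: AppRecord) -> int:
    """Higher means remediate sooner. The weights are an assumption."""
    score = app.criticality * app.sensitivity
    if app.access_path in ("spreadsheet", "direct_admin"):
        score += 2   # weakest evidence trail
    elif app.access_path == "ticket":
        score += 1
    return score


def reachability(apps) -> dict:
    """Percentage of the estate each control can actually reach."""
    total = len(apps)
    report = {c: round(100 * sum(c not in control_gaps(a) for a in apps) / total, 1)
              for c in CONTROLS}
    report["fully_reachable"] = round(100 * sum(not is_disconnected(a) for a in apps) / total, 1)
    return report


def remediation_queue(apps) -> list:
    """Disconnected apps ordered by risk, highest first, ties broken by name."""
    return sorted((a for a in apps if is_disconnected(a)),
                  key=lambda a: (-risk_score(a), a.name))


SAMPLE_APPS = [
    AppRecord("hr-suite",      True,  False, True,  3, 3, "idp"),
    AppRecord("crm",           False, True,  True,  3, 2, "idp"),
    AppRecord("payroll",       True,  False, True,  3, 3, "idp"),
    AppRecord("ticketing",     True,  True,  True,  2, 1, "idp"),
    AppRecord("code-host",     False, True,  True,  3, 3, "idp"),
    AppRecord("mail",          True,  False, True,  2, 2, "idp"),
    AppRecord("legacy-erp",    False, False, False, 3, 3, "spreadsheet"),
    AppRecord("ai-assistant",  False, True,  False, 2, 2, "ticket"),
    AppRecord("wiki",          True,  False, False, 1, 1, "direct_admin"),
    AppRecord("ops-dashboard", False, False, False, 2, 1, "ticket"),
]


if __name__ == "__main__":
    print("reachability by control:", reachability(SAMPLE_APPS))
    for app in remediation_queue(SAMPLE_APPS):
        print(f"{app.name:<14} risk={risk_score(app):<2} gaps={', '.join(control_gaps(app))}")
```

The point of separating the three controls is that an app with OIDC but no SCIM looks "connected" in an SSO coverage report while its leaver handling is still a ticket; reporting reachability per control exposes that, and the ordered queue puts the business-critical spreadsheet-managed system ahead of the low-value wiki.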


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Disconnected application coverage is now an identity governance boundary, not an edge case. The article shows that many organisations still measure identity maturity by connected application coverage, while a substantial share of business systems remains outside that scope. That creates a false sense of completeness because the controls appear strong only where federation exists. Practitioners should treat disconnected apps as a separate governance class with its own lifecycle and evidence model.

The real failure mode is governance by exception at scale. Tickets, spreadsheets, and direct admin access are not temporary workarounds when they govern a third of the application estate. They become the operating model for access, revocation, and review. That is the kind of control drift NIST CSF and Zero Trust programmes are supposed to eliminate, yet disconnected apps preserve it. Security teams should read this as a boundary problem, not a tooling problem.

Disconnected apps create auditability debt that compounds over time. The article’s audit findings point to a named concept worth keeping: evidence gap sprawl. When each application requires bespoke proof of access control, the cost of assurance rises while confidence falls. That weakens not only compliance outcomes but also the board-level credibility of the identity programme. The practitioner conclusion is simple: if controls cannot generate evidence continuously, they are not mature enough for broad-scale governance.

AI-powered tools make the disconnected-app problem more urgent, not less. The article correctly places emerging AI tools inside the same governance gap as legacy systems and unmanaged SaaS. These tools are often adopted faster than integration and review processes can keep up, which means the disconnected layer grows faster than the control plane. Identity teams should expect the category to expand unless application onboarding is tied to governance requirements from day one.

Identity maturity must be redefined around reach, not pride in coverage metrics. A programme can be sophisticated and still incomplete if it only governs what is easy to federate. The field needs a more honest benchmark: what percentage of the application estate is actually reachable by policy, provisioning, review, and deprovisioning controls? Practitioners should use that question to reset internal maturity scoring and prioritisation.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation can lag even after a known exposure.
  • For a deeper control baseline, Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs covers provisioning, rotation, and offboarding across non-human identities.

What this signals

Evidence gap sprawl: disconnected applications do not just create access risk, they create assurance debt. Once control evidence has to be reconstructed manually, programme owners lose the ability to prove consistency at speed, and that weakens both audit readiness and board confidence. The operational answer is to measure reachability as a control metric, not as an inventory exercise.

Identity teams should expect the disconnected layer to expand as SaaS adoption and AI-powered tools outpace integration planning. The practical response is to align application intake, governance ownership, and review evidence before production use, rather than after control failure. For a broader control model, see the NIST Cybersecurity Framework 2.0.

A mature IAM programme is no longer defined by how well it handles the easy majority. It is defined by whether it can extend policy, lifecycle, and verification to the applications that resist federation. That is the difference between partial automation and defensible governance.


For practitioners

  • Inventory disconnected applications by control gap: Create a registry of applications that cannot be reached through SAML, OIDC, SCIM, or your current IGA integrations. Classify each one by business criticality, data sensitivity, and whether access is still handled through tickets, spreadsheets, or direct admin login.
  • Build a separate evidence model for audits: For each disconnected application, define who approves access, how changes are recorded, and what artifact proves revocation happened. Use that record to replace after-the-fact spreadsheet reconstruction during SOC 2, ISO 27001, HIPAA, or PCI DSS reviews.
  • Prioritise the highest-risk disconnected systems first: Start with applications that store sensitive data, support core workflows, or have broad administrative access. These are the systems where manual handling creates the largest governance and compliance exposure, even if they are only a subset of the disconnected estate.
  • Tie new application intake to identity reachability: Require identity integration planning before new SaaS or AI tools are approved for production use. If the application cannot participate in your identity control plane, assign compensating controls and a review owner before go-live.
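To make the per-app control record from the "Build a separate evidence model" step (and the evidence-gap discussion in the technical breakdown) concrete, here is an added Python example, written for this note and not part of Cerby's research or any NHIMG product. It replays a constructed approval, assignment and revocation log for two disconnected applications against HR leaver dates and reports every access record that would not survive an audit: an assignment with no recorded approval, an approval the user gave themselves, a leaver with no revocation evidence, and a revocation later than an assumed five-day SLA. The application names, user names, dates and SLA are all constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    app: str
    user: str
    kind: str    # "approval", "assignment" or "revocation"
    at: date
    actor: str   # approver, or the admin who made the change


REVOCATION_SLA_DAYS = 5   # assumed deadline after the leaver date; not a figure from the page


def check_evidence(events, leavers, sla_days=REVOCATION_SLA_DAYS) -> list:
    """Return (app, user, code, detail) for every access record whose evidence
    chain is incomplete. `leavers` maps user -> leaving date from HR."""
    findings = []
    per_record = {}
    for e in events:
        per_record.setdefault((e.app, e.user), []).append(e)

    for (app, user), evs in sorted(per_record.items()):
        approvals = [e for e in evs if e.kind == "approval"]
        assignments = [e for e in evs if e.kind == "assignment"]
        revocations = [e for e in evs if e.kind == "revocation"]

        # Every assignment needs an approval dated on or before it, by someone else.
        for a in assignments:
            prior = [p for p in approvals if p.at <= a.at]
            if not prior:
                findings.append((app, user, "NO_APPROVAL",
                                 f"assignment on {a.at} has no recorded approval"))
            elif all(p.actor == user for p in prior):
                findings.append((app, user, "SELF_APPROVAL",
                                 f"only approval on record was given by {user}"))

        # Leavers must have revocation evidence, and it must be inside the SLA.
        if user in leavers and assignments:
            left = leavers[user]
            if not revocations:
                findings.append((app, user, "NO_REVOCATION",
                                 f"left on {left}, no revocation evidence"))
            else:
                lag = (max(r.at for r in revocations) - left).days
                if lag > sla_days:
                    findings.append((app, user, "LATE_REVOCATION",
                                     f"revoked {lag} days after leaving (SLA {sla_days})"))
    return findings


def evidence_coverage(events, leavers, sla_days=REVOCATION_SLA_DAYS) -> float:
    """Percentage of (app, user) records with a complete, defensible evidence chain."""
    records = {(e.app, e.user) for e in events}
    flagged = {(app, user) for app, user, _, _ in check_evidence(events, leavers, sla_days)}
    return round(100 * (len(records) - len(flagged)) / len(records), 1)


# Constructed sample log for two disconnected apps (hypothetical names and dates).
D = date
SAMPLE_EVENTS = [
    Event("legacy-erp",    "alice", "approval",   D(2026, 1, 5),  "bob"),
    Event("legacy-erp",    "alice", "assignment", D(2026, 1, 6),  "admin1"),
    Event("legacy-erp",    "alice", "revocation", D(2026, 2, 3),  "admin1"),
    Event("legacy-erp",    "carol", "assignment", D(2026, 1, 10), "admin1"),   # no approval
    Event("legacy-erp",    "carol", "revocation", D(2026, 2, 20), "admin1"),   # 10 days late
    Event("legacy-erp",    "dave",  "approval",   D(2026, 1, 12), "dave"),     # self-approved
    Event("legacy-erp",    "dave",  "assignment", D(2026, 1, 12), "admin2"),   # never revoked
    Event("ops-dashboard", "erin",  "approval",   D(2026, 1, 20), "bob"),
    Event("ops-dashboard", "erin",  "assignment", D(2026, 1, 21), "admin2"),
]
SAMPLE_LEAVERS = {"alice": D(2026, 2, 1), "carol": D(2026, 2, 10), "dave": D(2026, 3, 1)}


if __name__ == "__main__":
    for app, user, code, detail in check_evidence(SAMPLE_EVENTS, SAMPLE_LEAVERS):
        print(f"{app}/{user}: {code}: {detail}")
    print("evidence coverage:", evidence_coverage(SAMPLE_EVENTS, SAMPLE_LEAVERS), "%")
```

Because the record is structured rather than a screenshot folder, the same function can run on every review cycle and the coverage figure becomes a continuous metric; when an app genuinely cannot produce one of these events (for example, it has no revocation log), that is the point at which a compensating control and an owner have to be assigned rather than the gap being discovered at audit time.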

Key takeaways

  • Disconnected applications are a structural IAM gap because identity controls cannot reach the systems that lack federation and provisioning standards.
  • The research shows the scale is material, with 30% of enterprise applications disconnected and a majority of organisations reporting audit failures tied to those gaps.
  • The practical fix is to treat unreachable applications as their own governance domain, with separate ownership, evidence, and risk-based remediation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Disconnected apps often fail rotation and revocation discipline.
NIST CSF 2.0                     | PR.AC-1             | Access control coverage breaks when apps sit outside central identity systems.
NIST Zero Trust (SP 800-207)     |                     | Zero Trust coverage is incomplete when parts of the app estate remain unmanaged.

Map unreachable apps to NHI-03 and document compensating controls where automation is impossible.


Key terms

  • Disconnected Application: An application that cannot be fully governed through standard identity integrations such as SAML, OIDC, or SCIM. It may still be important to the business, but access is handled through manual or custom processes that are harder to automate, audit, and revoke consistently.
  • Evidence Gap: The difference between having a control in policy and being able to prove it was applied in practice. In identity programmes, evidence gaps appear when access changes, reviews, and revocations must be reconstructed from emails, screenshots, or spreadsheets rather than generated continuously.
  • Identity Coverage: The portion of an organisation’s application and account estate that is actually reachable by central identity controls. For disconnected environments, coverage is not just about count or inventory. It is about whether policy, lifecycle, and verification can be enforced end to end.
  • Compensating Control: A secondary control used when the primary identity mechanism cannot be applied. In disconnected application environments, compensating controls may include manual approvals, stronger logging, or tighter owner review, but they must still produce defensible evidence and clear accountability.

Deepen your knowledge

Disconnected application governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme still relies on manual handling for key business apps, that training is directly relevant to your next phase of maturity.

This post draws on content published by Cerby: The Hidden Cybersecurity Threat of Disconnected Apps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org