TL;DR: Disconnected enterprise apps create an app gap that blocks SCIM, SAML, and OIDC-driven lifecycle automation, forcing manual provisioning and brittle custom connectors, according to Cerby. The governance problem is structural: access review, deprovisioning, and audit readiness cannot scale when identity standards are missing at the application layer.
At a glance
What this is: This is a lifecycle management analysis of why disconnected enterprise apps resist standard IAM and IGA controls, and what it takes to automate provisioning, deprovisioning, and governance anyway.
Why it matters: It matters because IAM, IGA, PAM, and compliance programmes fail when critical applications sit outside standard identity integrations, leaving access, rotation, and offboarding to manual workarounds.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Cerby's post on extending identity lifecycle automation to disconnected apps
Context
The app gap is the identity lifecycle management problem that appears when enterprise applications do not support SAML, SCIM, or OIDC, so IAM and IGA cannot automate provisioning, deprovisioning, or access governance. In practice, that pushes lifecycle work into custom connectors, brittle integrations, and manual processes that fail as soon as application APIs or user interfaces change.
For identity programmes, the issue is not whether automation is desirable. It is whether the applications in scope can actually be governed through the identity standards already in place. Where they cannot, teams are left managing access by exception, which weakens recertification, offboarding, audit evidence, and operational consistency across human and non-human identity estates.
Key questions
Q: How should security teams govern applications that do not support SCIM or SAML?
A: They should treat those applications as lifecycle exceptions that still need full governance, not as exempt systems. The practical response is to inventory them, prioritise the highest-risk apps, and use resilient automation or controlled manual evidence for provisioning, deprovisioning, and recertification. The objective is consistent access control, not connector completeness.
Q: What breaks when identity lifecycle management depends on custom connectors?
A: Custom connectors usually fail when the target application changes its API, data model, or interface. That creates recurring maintenance work, delayed offboarding, and gaps in audit evidence. Over time, the connector becomes a hidden operational dependency rather than a stable control, which means governance quality drops whenever the app vendor ships updates.
Q: How do organisations know if disconnected app governance is actually working?
A: They should measure how many apps are covered, how quickly access is removed at leaver events, and how much manual work remains for provisioning and audit prep. If teams still depend on tickets, spreadsheets, or exception handling for core lifecycle actions, governance is partial rather than effective.
Q: Who is accountable when disconnected apps remain outside identity governance?
A: Accountability sits with the identity and application owners together, because the control failure is shared. IAM teams own the governance model, while application owners own the integration feasibility and lifecycle evidence. If either side treats the gap as someone else’s problem, the application remains outside effective access control.
Technical breakdown
Why disconnected apps break standard lifecycle automation
Standard lifecycle automation depends on a reliable control plane. SCIM, user management APIs, and federation protocols let IAM and IGA systems create, update, and remove access predictably. Disconnected apps remove that control plane, so every lifecycle action becomes an integration problem instead of a governance workflow. Custom connectors work only while the app state remains stable, which is rare in SaaS and private application estates. When the app changes, the connector becomes a maintenance liability. This is why manual execution and hard-coded integrations keep reappearing even in mature identity programmes.
Practical implication: Treat missing identity standards as a governance constraint, not an integration inconvenience.
How UI automation and self-healing workflows change the operating model
UI automation extends lifecycle execution into applications that expose no usable identity APIs. Instead of depending on SCIM or custom code, the workflow can interact with the application interface and adapt when the interface changes. Self-healing automation adds a detection layer that relearns the task when the app version changes or the UI shifts. That matters because lifecycle coverage stops being tied to the vendor roadmap and becomes a function of runtime adaptability. The architectural shift is from static connector logic to resilient execution across heterogeneous app environments.
Practical implication: Use automation models that can survive UI drift without requiring a new connector build each time.
Why on-premises and private apps are part of lifecycle governance
On-premises and private applications create a different kind of lifecycle gap because they are not reachable through the same network patterns as cloud SaaS. An outbound-only agent pattern lets automation reach those systems without exposing inbound access or redesigning the network. That keeps lifecycle governance inside the identity programme rather than splitting it across separate operations teams. The point is not convenience. It is preserving a single source of lifecycle truth for applications that would otherwise stay outside standard joiner, mover, and leaver controls.
Practical implication: Extend lifecycle governance into private applications without forcing network exceptions or manual side channels.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
The app gap is a lifecycle governance failure, not an application inconvenience. When most enterprise apps cannot speak SCIM, SAML, or OIDC, the IAM programme cannot reach them through normal lifecycle controls. That means provisioning, deprovisioning, and access certification drift into manual work, ticket chains, and one-off scripts. The implication is straightforward: lifecycle maturity has to be measured against actual application coverage, not against the existence of an IAM stack.
Static connectors fail because identity is being treated as fixed when applications are not. Custom integrations assume the target app state stays stable long enough to justify hard-coded logic. In real environments, API changes, UI changes, and product updates invalidate that assumption quickly. The result is connector fragility, growing maintenance debt, and recurring exceptions that keep disconnected apps outside governance.
Application-network coverage is becoming the practical answer to enterprise identity fragmentation. A pre-built integration network changes lifecycle management from one connector per app to reusable coverage across thousands of apps. That matters because the core problem is scale, not intent. Practitioners should read this as a sign that lifecycle tooling is moving toward coverage breadth and resilience, which is exactly where disconnected app governance has been weakest.
Manual lifecycle execution is now a measurable cost centre, not a temporary workaround. The article's reported hours saved and audit-effort reduction show that disconnected apps create direct operational drag as well as security and compliance exposure. That makes lifecycle automation a budget, assurance, and workforce issue at the same time. The practitioner conclusion is to prioritise the apps that consume the most manual identity effort first.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- Use the NHI Lifecycle Management Guide to extend offboarding evidence and rotation discipline into disconnected application estates.
What this signals
Disconnected app coverage will increasingly determine whether lifecycle programmes are real or cosmetic. If identity governance cannot reach the applications that employees and workloads actually use, the programme may look mature on paper while leaving material access unmanaged in practice. The operational signal to watch is the size of the exception queue, not the number of connected systems.
Manual identity execution is the hidden cost centre behind app gaps. Cerby's reported reductions in manual access work and audit prep point to a broader pattern: organisations are paying for the same lifecycle tasks twice, once in tooling and again in human intervention. Teams should expect audit pressure to move from policy coverage to evidence of execution across disconnected systems.
Hybrid lifecycle coverage will become a board-level governance question. As more apps sit outside standards-based identity integration, the difference between connected and disconnected estates turns into a measurable control gap. The programme implication is to align lifecycle reporting with coverage metrics in the style of the NHI Lifecycle Management Guide and to use NIST Cybersecurity Framework 2.0 language when discussing governance outcomes.
For practitioners
- Map the disconnected-app inventory first: Identify which applications in scope still lack SCIM, SAML, OIDC, or usable user management APIs, then rank them by lifecycle volume and audit impact. That gives you a practical order of operations instead of spreading effort evenly across low-value integrations.
- Separate brittle connectors from resilient automation: Review every custom integration for hard-coded dependencies on API endpoints, version-specific UI behaviour, or manual fallback steps. Replace the highest-failure workflows with automation that can relearn tasks when the app changes.
- Extend lifecycle controls into private apps: Use outbound-only automation patterns where on-premises or private applications cannot be reached through standard internet-connected identity flows. Keep provisioning, deprovisioning, and access changes inside the same governance model as cloud apps.
- Tie offboarding to access removal evidence: Require proof that leaver access is revoked across disconnected apps, not just in the primary directory or IdP. Build audit evidence around the actual application state, because disconnected apps often remain active after the employee record is closed.
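As an added example (not Cerby's or NHIMG's code) that ties together the measurements named in the key questions above and the practitioner steps just listed: a leaver-event check over a constructed app inventory that ranks disconnected apps by lifecycle volume and audit impact, then reports coverage, the slowest revocation, and which apps are still active after HR closed the record. App names, protocol sets and timings are constructed, and the audit-impact scale is an assumption.

```python
"""Leaver-event coverage check over a constructed app inventory (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

STANDARDS = {"SCIM", "SAML", "OIDC"}  # protocols an IAM/IGA control plane can drive directly


@dataclass
class App:
    name: str
    protocols: FrozenSet[str]       # identity standards the app supports (empty = app gap)
    monthly_changes: int            # joiner/mover/leaver events per month
    audit_impact: int               # assumed scale: 1 (out of audit scope) .. 5 (evidence required)
    revoked_at: Optional[datetime]  # when the leaver's access was actually removed; None = still active


def is_disconnected(app: App) -> bool:
    """An app is disconnected when it supports none of SCIM, SAML or OIDC."""
    return not (app.protocols & STANDARDS)


def rank_disconnected(apps: List[App]) -> List[str]:
    """Order disconnected apps by lifecycle volume x audit impact, highest first: fix these first."""
    gap = sorted((a for a in apps if is_disconnected(a)),
                 key=lambda a: a.monthly_changes * a.audit_impact, reverse=True)
    return [a.name for a in gap]


def leaver_metrics(apps: List[App], record_closed: datetime) -> dict:
    """Coverage, slowest revocation (hours after HR closed the record), apps still active, manual exceptions."""
    hours = [(a.revoked_at - record_closed).total_seconds() / 3600 for a in apps if a.revoked_at]
    return {
        "coverage_pct": round(100 * sum(not is_disconnected(a) for a in apps) / len(apps), 1),
        "slowest_revoke_hours": round(max(hours, default=0.0), 1),
        "still_active": [a.name for a in apps if a.revoked_at is None],  # access outlived the HR record
        "manual_exceptions": sum(is_disconnected(a) for a in apps),      # size of the exception queue
    }


# Constructed sample inventory; T0 is the moment HR closed the leaver's record.
T0 = datetime(2026, 4, 6, 9, 0)
INVENTORY = [
    App("hr-suite", frozenset({"SAML", "SCIM"}), 120, 5, T0 + timedelta(minutes=5)),
    App("crm", frozenset({"SAML"}), 80, 4, T0 + timedelta(hours=2)),
    App("legacy-erp", frozenset(), 60, 5, None),                        # app gap: access never revoked
    App("marketing-tool", frozenset(), 25, 2, T0 + timedelta(days=3)),  # app gap: ticket took 3 days
    App("wiki", frozenset({"OIDC"}), 40, 1, T0 + timedelta(minutes=10)),
]
```

Run `rank_disconnected(INVENTORY)` to get the remediation order and `leaver_metrics(INVENTORY, T0)` for the leaver signals; on this inventory the directory-connected apps look clean while the ERP access is still live three days later.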
Key takeaways
- The app gap is an identity governance problem created by disconnected applications that cannot support the identity standards lifecycle automation relies on.
- Static connectors and manual workarounds fail for the same reason: application change outpaces brittle identity integrations.
- Practitioners need resilient coverage, not just more connectors, if they want provisioning, offboarding, and audit evidence to hold up.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Disconnected apps often leave lifecycle and rotation controls unenforced. |
| NIST CSF 2.0 | PR.AC-1 | Access provisioning and deprovisioning must remain governed even without SCIM or SAML. |
| NIST Zero Trust (SP 800-207) | PL-4 | Zero Trust depends on continuous verification, even for apps outside standards-based identity integration. |
Inventory disconnected apps and automate credential lifecycle actions where standards-based integration is missing.
Key terms
- App Gap: The app gap is the difference between the applications an organisation uses and the applications its identity systems can actually govern. It appears when apps do not support standards such as SCIM, SAML, or OIDC, leaving lifecycle actions dependent on custom workarounds or manual execution.
- Disconnected App: A disconnected app is an enterprise application that cannot be fully reached through normal identity integrations. It may lack APIs, standards support, or network accessibility, which means provisioning, deprovisioning, and access review must be handled through alternate automation or controlled manual processes.
- Self-Healing Automation: Self-healing automation is a lifecycle control pattern that detects when an application changes and relearns the steps needed to complete the task. It reduces connector fragility by adapting to UI or API drift instead of breaking when the target system changes.
- Lifecycle Governance: Lifecycle governance is the discipline of managing joiner, mover, and leaver access across identities and applications. In disconnected environments, it becomes a measurement of whether the organisation can still prove who has access, who lost access, and when those changes happened.
Deepen your knowledge
Identity lifecycle management for disconnected apps is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme still depends on custom connectors and manual offboarding, the course is a practical next step.
This post draws on content published by Cerby: modernizing identity lifecycle management for disconnected applications. Read the original.
Published by the NHIMG editorial team on 2026-04-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org