TL;DR: Identity-focused M&A in late 2025, combined with faster identity automation and AI-driven discovery, is pushing comprehensive app coverage from a future goal to an operational expectation, according to Cerby and the executives it cites. The real test is no longer whether identity matters, but whether enterprises can govern the applications they already own before coverage gaps become technical debt.
At a glance
What this is: Identity-focused consolidation and new automation capabilities are making broader application coverage technically and economically viable, while exposing how many enterprises still under-govern disconnected apps.
Why it matters: IAM, NHI, and autonomous governance teams need to treat application coverage as a programme design problem now, because acquisition-driven capability expansion will not automatically close the gaps inside their own environments.
By the numbers:
- The average enterprise has 370+ applications and over 40% don’t support the necessary standards or APIs to connect to existing identity tooling.
- Many enterprises now use AI-powered tools, and 15% of employees are sharing sensitive data with these platforms.
- For every employee, there are now 100 machine identities.
- 99% of CISOs plan to increase their budgets over the next two to three years, with 42% of leaders making IAM a top budget priority.
👉 Read Cerby’s analysis of 2026 identity consolidation and app coverage
Context
Identity governance breaks down fastest at the application edge, where disconnected tools sit outside standard provisioning, review, and offboarding workflows. That is the problem this article is really about: not a lack of intent, but a coverage gap that leaves entire parts of the enterprise outside identity control.
In late 2025, identity-focused M&A accelerated as major security vendors bought or pursued identity capabilities. That consolidation changes the market signal for IAM leaders, but it does not remove the operational reality that enterprises still have dozens or hundreds of applications that remain outside consistent governance.
The article also points to a second pressure line. AI adoption is raising the number of places where identities, permissions, and data move faster than manual controls can track, which means identity programmes now need to manage both application sprawl and machine-scale access at the same time.
Key questions
Q: How should security teams handle disconnected applications that sit outside identity tooling?
A: Treat disconnected applications as part of the identity perimeter, not as exceptions to ignore. Start by classifying them by business criticality, access risk, and lifecycle impact, then close the biggest gaps first. If an app cannot support standard integration, define a compensating control path for provisioning, review, and offboarding so ownership does not disappear.
Q: Why do disconnected apps create persistent IAM risk?
A: Disconnected apps create persistent risk because they often bypass the controls that make identity programmes effective: onboarding, access review, change tracking, and deprovisioning. When those workflows break, permissions outlive need, ownership becomes unclear, and exceptions accumulate. The result is not just operational inefficiency, but a durable access surface that attackers and auditors both care about.
Q: How do you know if identity coverage is actually improving?
A: Track the percentage of applications under governed access control, and separate that metric from total seat counts or login volumes. Improvement should show up as a shrinking unmanaged-app population, faster deprovisioning, fewer manual exceptions, and better visibility into applications that previously sat outside the identity perimeter.
Q: Should organisations let AI handle permission changes in identity workflows?
A: Only if the workflow can be held to deterministic output under strong guardrails. AI is useful for discovery and analysis, but direct permission changes and credential handling are high-risk actions because a small error can create a broad access problem. Keep those changes inside approval-based, predictable execution paths and use AI for support rather than authority.
Technical breakdown
Disconnected applications and identity perimeter coverage
Disconnected applications are systems that do not support the standards or APIs needed for normal identity integration. In practice, they often sit outside joiner-mover-leaver workflows, access reviews, and automated deprovisioning. The result is not just inconvenience. It is a parallel access layer where permissions drift, ownership is unclear, and exceptions become permanent. The article’s key technical point is that custom connectors were once too expensive to scale, but modern integration approaches change that economics. Coverage is therefore becoming a design choice, not a hard constraint.
Practical implication: inventory which applications remain outside your identity perimeter and prioritise the ones that create the largest unmanaged access surface.
Identity automation versus agentic AI in governance workflows
The article separates useful automation from risky variability. AI can help discover apps, generate workflows, and surface over-permissioned accounts, but direct permission assignment and credential handling tolerate almost no error. That distinction matters because identity workflows are deterministic by design. When an AI system can choose a wrong field, mistype a credential target, or vary execution, the control objective changes from efficiency to correctness. For governance, the architectural requirement is a constrained automation layer, not open-ended agent behaviour.
Practical implication: confine AI to discovery and classification tasks, and keep access changes and secret handling inside deterministic approval and execution paths.
Coverage percentage as an identity control metric
Coverage percentage is the share of the application estate governed by identity controls, ideally weighted by criticality rather than raw count. It is more useful than traditional activity metrics because it tells you where the programme actually reaches. The article’s emphasis on 100% coverage being economically viable changes the benchmark. Identity governance is no longer about protecting only the most visible systems. It is about measuring whether unmanaged apps are shrinking or simply being tolerated as legacy exceptions.
Practical implication: report identity coverage as a board-facing programme metric and tie remediation priorities to business-critical apps first.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity consolidation is becoming a market signal, not a governance solution. The current M&A wave shows that identity has moved into the centre of security architecture, but buying identity capabilities does not equal governing enterprise identity risk. Vendors can add pieces of the stack, yet disconnected applications, offboarding gaps, and policy drift still live in the customer environment. Practitioners should read consolidation as confirmation that identity matters, while continuing to own their own coverage model.
100% identity coverage is now a programme design target, not an aspirational slogan. The article’s central claim is that the cost and time barriers that once justified partial coverage are dropping. That changes the decision model for IAM leaders, because leaving large app populations outside governance is increasingly a choice, not an inevitability. The implication is straightforward: coverage gaps now represent avoidable exposure, not unavoidable complexity.
Application sprawl remains the real failure mode behind most identity programmes that stall. The market may be converging, but governance reality is still fragmented. Enterprises that focus only on crown-jewel systems end up with hidden exceptions, unmanaged last-mile applications, and incomplete lifecycle control. The practitioner conclusion is to treat disconnected apps as a structural identity problem, not a tooling inconvenience.
AI-assisted identity operations need deterministic boundaries to remain governable. AI can accelerate discovery and triage, but identity decisions still require predictable outcomes because a small error rate can create a large access problem. This is especially true where credentials, permissions, or review outcomes are being changed. The implication for the field is that identity automation and autonomous decision-making are not interchangeable, and governance programmes must keep that distinction explicit.
Coverage gaps are now a strategic budgeting problem as much as a security problem. The article connects identity maturity to budget reallocation, operational efficiency, and risk reduction. That matters because underfunded identity teams are forced to prioritise only the most visible assets, which perpetuates unmanaged access elsewhere. The practitioner conclusion is to fund coverage expansion as an enterprise control, not a narrow IAM tooling upgrade.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.
- The governance gap is not abstract, so compare this coverage problem with the 52 NHI Breaches Analysis to see how access gaps become incidents.
What this signals
Coverage, not capability, will be the differentiator in 2026. As consolidation continues, the teams that win will be the ones that can prove governance across the full application estate rather than only the most visible systems. The practical lesson is to treat unmanaged apps as a measurable control gap and to pressure-test whether your identity programme covers the long tail, not just the crown jewels.
Identity programmes now need to absorb AI-assisted operations without surrendering deterministic control. Cerby’s framing of AI as both a discovery tool and a workflow risk is the right lens for practitioners. A small error rate is acceptable in analytics, but not in permission assignment, so the operating model should keep AI in support roles and preserve human or policy-mediated execution for access changes.
With 90% of IT leaders saying properly managing NHIs is essential for successful zero trust, per the Ultimate Guide to NHIs, identity coverage is now a foundational architecture question rather than a downstream tooling choice. That matters because disconnected applications and machine identities fail in the same place: outside the perimeter of governed access.
For practitioners
- Measure identity coverage by application class: Segment your application estate into governed, partially governed, and unmanaged groups, then weight the gap by business criticality. The goal is to make the coverage gap visible enough that remediation becomes a priority list rather than an abstract concern.
- Prioritise last-mile applications first: Target marketing tools, social platforms, HR and finance portals, and on-premise systems that lack standard connectors. These are often the highest-risk systems because they combine low coverage with real business value and weak offboarding discipline.
- Constrain AI to deterministic identity tasks: Allow AI to assist with discovery, workflow generation, and anomaly detection, but keep permission grants and secret handling inside deterministic controls with explicit approvals. Any workflow that cannot tolerate variability should remain non-agentic.
- Recast identity as a full-time programme: Assign dedicated ownership for coverage expansion, lifecycle governance, and access review remediation. Treat the function as ongoing operational discipline, not a side task attached to infrastructure administration.
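The coverage metric described under "Coverage percentage as an identity control metric" and the first practitioner step above (segment into governed, partially governed and unmanaged, then weight by criticality) can be computed from an application inventory. The following is an added example, not Cerby's or NHIMG's code; the inventory, the criticality weights and the partial-credit factor are constructed assumptions to show why a raw count can look healthier than a criticality-weighted view.

```python
# Criticality-weighted identity coverage (added example; all data constructed).
from dataclasses import dataclass

# Assumed weights per criticality tier; tune to your own risk model.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
# Assumed governance credit per coverage class: partial counts half.
GOVERNANCE_CREDIT = {"governed": 1.0, "partial": 0.5, "unmanaged": 0.0}


@dataclass(frozen=True)
class App:
    name: str
    criticality: str  # "high" | "medium" | "low"
    coverage: str     # "governed" | "partial" | "unmanaged"


def raw_coverage(apps):
    """Naive metric: share of apps that are fully governed, by count."""
    return sum(a.coverage == "governed" for a in apps) / len(apps) if apps else 0.0


def weighted_coverage(apps):
    """Coverage weighted by business criticality, with partial credit."""
    total = sum(CRITICALITY_WEIGHT[a.criticality] for a in apps)
    earned = sum(CRITICALITY_WEIGHT[a.criticality] * GOVERNANCE_CREDIT[a.coverage]
                 for a in apps)
    return earned / total if total else 0.0


def remediation_queue(apps):
    """Apps not fully governed, highest criticality and least governed first."""
    gaps = [a for a in apps if a.coverage != "governed"]
    return sorted(gaps, key=lambda a: (-CRITICALITY_WEIGHT[a.criticality],
                                       GOVERNANCE_CREDIT[a.coverage], a.name))


# Constructed inventory: many low-value apps are governed, several
# high-value last-mile apps are not.
SAMPLE_INVENTORY = [
    App("hr-portal", "high", "unmanaged"), App("finance-erp", "high", "governed"),
    App("ci-secrets-vault", "high", "partial"), App("crm", "medium", "unmanaged"),
    App("marketing-suite", "medium", "unmanaged"), App("badge-system", "medium", "unmanaged"),
    App("wiki", "low", "governed"), App("internal-chat", "low", "governed"),
    App("ticketing", "low", "governed"), App("social-scheduler", "low", "governed"),
]

if __name__ == "__main__":
    print(f"raw coverage:      {raw_coverage(SAMPLE_INVENTORY):.1%}")       # 50.0%
    print(f"weighted coverage: {weighted_coverage(SAMPLE_INVENTORY):.1%}")  # 44.7%
    for app in remediation_queue(SAMPLE_INVENTORY):
        print(f"  {app.criticality:6} {app.coverage:9} {app.name}")
```

Reporting both numbers side by side makes the point from the text visible: half the estate is governed by count, but the unmanaged half holds a disproportionate share of business criticality, and the queue puts the HR portal and the partially governed secrets vault ahead of the low-value tools.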
Key takeaways
- Identity consolidation does not remove the governance burden inside enterprises, because disconnected applications still create unmanaged access.
- The article’s core evidence is that broader coverage is becoming economically viable, which makes partial governance harder to justify.
- Security teams should respond by measuring coverage, constraining AI to deterministic tasks, and treating identity as a dedicated operational function.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity coverage gaps map to access control across the app estate. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Disconnected apps often hide weak lifecycle and rotation discipline. |
| NIST Zero Trust (SP 800-207) | | The article’s coverage gap directly challenges continuous verification assumptions. |
Extend zero trust principles to app coverage so unmanaged systems do not become permanent trust islands.
Key terms
- Disconnected Application: An application that does not integrate cleanly with standard identity tooling. It may lack the APIs, protocols, or lifecycle hooks needed for automated provisioning, review, and offboarding, which leaves access management dependent on manual work or compensating controls.
- Identity Coverage: The proportion of an organisation’s application estate governed by identity controls. In practice, this means whether the application is included in provisioning, access review, deprovisioning, and exception handling, not simply whether it uses a login system.
- Deterministic Identity Workflow: An identity process that produces predictable, repeatable outcomes with minimal variance. This matters because permission changes, credential handling, and access approvals must not depend on probabilistic behaviour when operational error can create security exposure.
- Last-mile Application: An application that is difficult to connect to central identity tooling but still matters to the business. These systems are often the final gap in governance because they sit outside the standard path for access control and lifecycle management.
Deepen your knowledge
Identity coverage expansion and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to govern disconnected applications and machine identities at the same time, it is worth exploring.
This post draws on content published by Cerby: 2026 identity consolidation and the five trends shaping IAM programs. Read the original.
Published by the NHIMG editorial team on 2026-01-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org