TL;DR: Only 54% of applications are adequately integrated with an IGA platform and just 6% of organisations report fully automated IGA processes, according to the source article and the 2025 State of IGA Report. Partial coverage turns disconnected applications into a governance blind spot that compounds compliance, lifecycle, and maintenance costs.
At a glance
What this is: This is an analysis of why identity governance programs stall at partial application coverage and why disconnected systems become the real control gap.
Why it matters: It matters because IAM teams cannot treat coverage gaps as temporary exceptions when unmanaged applications undermine access reviews, lifecycle control, and auditability across NHI, autonomous, and human identity programmes.
By the numbers:
- Only 54% of applications are adequately integrated with an IGA platform.
- Only 6% of organisations have achieved fully automated IGA processes.
- 47% of organisations have failed to meet regulatory compliance specifically because they could not govern their disconnected applications.
👉 Read Cerby's analysis of why phase one identity governance stalls
Context
Identity governance fails when coverage is treated as a pilot-state problem instead of a structural control issue. The article argues that organisations start with a handful of critical applications, then leave disconnected, non-federated, and legacy systems outside the governance model because integration economics do not scale.
That matters across IAM, NHI, and lifecycle governance because an access review that cannot enforce change is only documentation. When applications sit outside the identity plane, joiner-mover-leaver workflows, offboarding, and recertification all degrade into manual exception handling rather than control enforcement.
Key questions
Q: What breaks when identity governance stops at the easiest applications?
A: Coverage gaps turn governance into documentation instead of enforcement. If disconnected applications cannot receive automated provisioning, deprovisioning, or review outcomes, then access drift, ghost accounts, and audit exceptions accumulate outside the control plane. The result is a program that looks active but cannot reliably change state where it matters.
Q: When should organisations prioritise hard-to-integrate applications over easy wins?
A: As soon as the easy integrations no longer improve security posture. Hard-to-integrate systems are often the ones that remain manually administered, poorly reviewed, and most likely to carry stale access. If the application cannot be governed, it should move up the backlog because it represents lasting exposure, not temporary inconvenience.
Q: How do you know if access reviews are actually reducing risk?
A: Access reviews are working only when the outcome is enforceable. If certification results stay in spreadsheets, emails, or tickets because the application cannot accept remediation, the process is read-only. A useful signal is whether review decisions lead to actual entitlement removal inside the target system, not just audit evidence.
Q: Who is accountable when disconnected applications stay outside identity governance?
A: Accountability sits with the identity and application owners who accepted the exception and with the governance function that allowed it to persist. If the organisation chooses to leave a system outside automated control, that decision should be explicit, time-bound, and reviewed as a risk acceptance rather than treated as normal coverage.
Technical breakdown
Why disconnected applications break identity governance economics
The article’s core technical point is that application integration cost, not policy intent, becomes the limiting factor in IGA programs. Traditional deployments often require expensive professional services, custom connectors, and ongoing break-fix maintenance whenever an app changes its UI or API. That means the operational model is not linear. Each additional hard-to-integrate application increases both upfront cost and long-term support burden, which is why programs plateau after the first wave of high-value systems.
Practical implication: map integration cost by application class, not just by business criticality, before setting coverage targets.
How manual lifecycle management turns exceptions into persistent accounts
When provisioning is not automated, identity teams must perform joiner, mover, and leaver actions directly in each disconnected application. That creates delay, inconsistency, and high error risk, especially when the app has no standard API or federation path. Over time, manual handling produces ghost accounts, stale entitlements, and inconsistent offboarding. The technical failure is not simply lack of automation. It is the absence of a reliable enforcement path between the identity system and the application.
Practical implication: treat every manual lifecycle step as a control gap and measure how many systems still depend on it.
Why access reviews become read-only without enforcement hooks
An access review only has security value if review outcomes can be executed. In disconnected applications, the review process often ends with documentation, not revocation, because the governance platform cannot reach the target system. That creates a read-only control loop: the organisation can attest to review activity, but cannot reliably remove access in response to it. The article correctly frames this as a structural weakness, not a process failure, because the control boundary stops at the connector gap.
Practical implication: identify which applications cannot accept automated remediation after certification and escalate them as control exceptions.
NHI Mgmt Group analysis
Phase one IGA is a coverage model, not a governance model. A program that secures only its easiest applications leaves the most operationally difficult systems outside enforcement. That is where lifecycle drift, certification failure, and exception sprawl accumulate. The implication is that partial integration should be treated as an interim state with explicit risk, not as a stable operating model.
Disconnected applications create governance debt because the control plane cannot act. The article’s strongest insight is that risk exceptions are not controls and cannot substitute for revocation, provisioning, or attestation enforcement. When the identity system cannot reach the application, the organisation can only document risk instead of reducing it. Practitioners should treat unreachable systems as a governance backlog with measurable exposure.
Maintenance burden is the hidden limiter in IGA maturity. Custom connectors are not a one-time implementation cost. They create an ongoing support obligation every time an application changes. That means program capacity gets consumed preserving existing coverage rather than expanding it. The practitioner conclusion is simple: if maintenance is not funded, coverage will eventually regress.
Coverage economics, not policy intent, determine whether 100% governance is achievable. The article makes clear that the challenge is structural: expensive integrations, brittle connectors, and uneven support models. That is why identity teams should evaluate IGA programs as an operating model problem, not a feature checklist. The field needs to stop calling partial reach “good enough” when the uncovered systems remain fully usable by attackers and users alike.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For the lifecycle lens behind this problem, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
What this signals
Coverage debt: identity programs that stop at the first set of integrations will continue to accumulate blind spots as the long tail of disconnected applications grows. The practical signal is simple: if the backlog of manual exceptions is not shrinking, the programme is preserving risk rather than reducing it.
The strongest operating model shift is to measure whether governance outcomes can be enforced, not just reviewed. If offboarding, certification, and entitlement changes still depend on tickets and manual admin work, the identity program is not yet controlling its real attack surface.
According to the Ultimate Guide to NHIs, 96% of organisations store secrets outside of secrets managers in vulnerable locations, including code, config files, and CI/CD tools. The broader identity lesson is that unmanaged surfaces tend to persist until they are made expensive to ignore.
For practitioners
- Inventory unmanaged applications by control gap: Classify every application that cannot currently enforce automated provisioning, deprovisioning, or access review outcomes. Separate technical infeasibility from budget-driven deferral so the backlog reflects real control gaps rather than informal exceptions.
- Quantify connector maintenance as a recurring cost: Track how often custom connectors break after UI, API, or permission changes and assign that effort to the program cost baseline. Use the data to decide whether to keep funding break-fix support or replace the integration pattern.
- Escalate read-only reviews as failed control enforcement: Flag any application where access certification cannot result in direct revocation. A review that cannot change state should be reported as an exception to the governance board, not counted as mature control coverage.
- Link offboarding to every remaining manual system: Document which applications still require admins to execute leaver actions manually and assign named ownership for each one. Tie that list to periodic review so orphaned and ghost accounts do not persist outside the normal identity lifecycle.
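One way to turn the practitioner steps above, and the control gaps described in the technical breakdown, into a measurable backlog, as an added Python example that is not Cerby's or NHIMG's code: the inventory, the `App` fields, and the review date are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory (not from the source article); field names are assumptions.
# Each record states which lifecycle actions the identity platform can enforce in
# the target app, why a gap exists ("technical" or "budget"), and who owns it.
@dataclass
class App:
    name: str
    provision: bool
    deprovision: bool
    review_remediation: bool
    gap_reason: str = None
    owner: str = None
    exception_expiry: date = None

    def governed(self):
        # Governed means every lifecycle action is enforceable, not merely reviewed.
        return self.provision and self.deprovision and self.review_remediation

INVENTORY = [
    App("hr-core", True, True, True, owner="identity-eng"),
    App("legacy-erp", False, False, False, "technical", "erp-team", date(2026, 6, 30)),
    App("vendor-portal", True, False, False, "budget"),
    App("crm-saas", True, True, False, "budget", "sales-ops", date(2025, 12, 31)),
]
REVIEW_DATE = date(2026, 2, 23)  # constructed date of this governance review

def coverage_ratio(inventory):
    return sum(a.governed() for a in inventory) / len(inventory)

def lacking(inventory, hook):
    # "review_remediation" -> read-only reviews; "deprovision" -> manual leaver systems.
    return [a.name for a in inventory if not getattr(a, hook)]

def exception_findings(inventory, today):
    # An ungoverned app is a risk acceptance: owned, time-bound, unexpired, not budget deferral.
    findings = []
    for a in inventory:
        if a.governed():
            continue
        if a.owner is None:
            findings.append((a.name, "no named owner"))
        if a.exception_expiry is None:
            findings.append((a.name, "exception not time-bound"))
        elif a.exception_expiry < today:
            findings.append((a.name, "exception expired"))
        if a.gap_reason == "budget":
            findings.append((a.name, "deferred by budget, not infeasible"))
    return findings
```

Run against the constructed inventory, coverage is 25% and only the genuinely infeasible, owned, time-bound exception (legacy-erp) passes without a finding.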
Key takeaways
- Partial IGA coverage creates a false sense of control because disconnected applications remain outside enforceable governance.
- The scale of the problem is operational as well as security-related, with manual maintenance and read-only reviews consuming program capacity.
- Teams should measure whether access decisions can be executed in the target system, because enforcement is what turns governance into risk reduction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses rotation, lifecycle, and governance gaps in unmanaged applications. |
| NIST CSF 2.0 | PR.AC-4 | Access control must be enforceable in the target application, not just documented. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust requires continuous enforcement across all reachable application surfaces. |
Verify that every access decision can be applied in-system and escalate read-only controls as exceptions.
Key terms
- Disconnected Application: An application that cannot be governed through the organisation’s standard identity plane because it lacks reliable integration, federation, or provisioning hooks. These systems often require manual administration, which makes lifecycle changes slower, less auditable, and more likely to leave stale access behind.
- Read-only Review: An access review process that records certification outcomes but cannot enforce them in the target application. It creates the appearance of governance while leaving entitlement changes dependent on manual follow-up, which weakens auditability and allows risk to persist after the review closes.
- Connector Maintenance Burden: The recurring operational effort required to keep a custom application integration functioning as the target system changes. This burden includes UI changes, API updates, and permission model shifts, and it often consumes the same resources needed to expand coverage to additional applications.
- Coverage Debt: The accumulation of unmanaged applications and manual exceptions that results when identity governance cannot reach the full application estate. It is not just technical debt. It is a governance shortfall that leaves parts of the environment outside enforceable lifecycle and access controls.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Cerby: identity governance programs and the cost of partial application coverage. Read the original.
Published by the NHIMG editorial team on 2026-02-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org