TL;DR: Manual user access reviews are still the dominant model in many environments, but disconnected applications, limited APIs, and complex hybrid estates make them slow, error-prone, and hard to evidence, according to Cerby. The real issue is not just review fatigue: access governance breaks when controls cannot be consistently proved across the full application footprint.
At a glance
What this is: An analysis of why user access reviews fail in modern environments and how disconnected apps make compliance, auditability, and remediation harder.
Why it matters: IAM, IGA, PAM, and compliance teams need evidence that access is both limited and reviewable across human users, third parties, and non-human identities.
By the numbers:
- 46% of security and IT leaders say their organization has already experienced a security, compliance, or operational issue directly caused by manual identity workflows.
- 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.
👉 Read Cerby's analysis of user access reviews in disconnected application environments
Context
User access reviews are the governance check that proves access still matches business need. In practice, they have become difficult to run because modern estates combine SaaS, hybrid cloud, legacy applications, managed and unmanaged devices, and large populations of human and non-human identities.
The main problem is not the principle of review. It is the operating reality: many applications lack the standards, APIs, or integrations needed for automation, so teams fall back to exports, spreadsheets, email approvals, and manual audit trails. That creates slow, expensive processes and weakens confidence in the evidence used for compliance.
This is why UARs now sit at the intersection of IAM, IGA, PAM governance, and broader identity lifecycle management. The control is still required, but the way it is executed often no longer matches the scale or complexity of the environment.
Key questions
Q: How should security teams handle user access reviews in disconnected applications?
A: Security teams should treat disconnected applications as governance exceptions that need explicit ownership, evidence rules, and compensating controls. If the app cannot provide automated entitlement data or revocation signals, the review process must account for manual steps, acceptance criteria, and verification of the final access change. Otherwise, the control looks complete on paper but remains weak in practice.
Q: Why do manual user access reviews create compliance risk?
A: Manual reviews create compliance risk because they depend on exports, spreadsheets, and human follow-up to prove that access was correctly evaluated and removed. That approach increases error rates, slows down revocation, and makes audit evidence harder to defend. In regulated environments, the control can fail even when a team believes it completed the review.
Q: What do organisations get wrong about user access review automation?
A: Organisations often automate only the easiest or most important applications and leave the rest to manual processing. That creates a false sense of control because the review burden simply shifts to the least integrated systems. Real maturity comes from expanding coverage, not from polishing a partial automation island.
Q: Who is accountable when a user access review fails to catch improper access?
A: Accountability usually sits with the system owner, the identity governance function, and the business approver, because each has a role in entitlement visibility, certification, and remediation. In regulated industries, auditors and insurers may also examine whether the organisation could prove timely review and revocation. Shared responsibility does not remove ownership.
Technical breakdown
Why disconnected applications break user access review automation
UAR automation depends on structured identity and entitlement data flowing between application systems and governance platforms. When an app does not support SAML, SCIM, OAuth, or usable APIs, the review process loses machine-readable entitlement updates, timely revocation signals, and reliable audit evidence. Teams then reconstruct the control manually from exports, screenshots, emails, and spreadsheets. That is not just inefficient. It creates a control environment where the evidence trail is fragmented, slow to assemble, and easy to dispute during audit or incident response.
Practical implication: catalogue which critical applications still lack automation paths and treat them as formal governance exceptions, not temporary inconvenience.
How UAR evidence becomes fragile in hybrid and app-sprawl environments
A defensible UAR needs more than a list of users and privileges. It needs proof that access was reviewed on time, revocations were actioned, and lifecycle processes kept pace with role changes, third-party access, and app churn. In hybrid estates, the evidence is distributed across IGA tools, ticketing systems, logs, and manual attestations. The more disconnected the environment, the more the organisation depends on human interpretation to connect those records. That weakens consistency and makes it harder to show that the control operated continuously rather than episodically.
Practical implication: define what counts as audit-ready evidence before review cycles begin, then automate collection for every system that can support it.
What automated lifecycle control changes for identity governance
Lifecycle control means access is provisioned, reviewed, and revoked through repeatable workflows rather than ad hoc effort. In UAR programmes, lifecycle maturity matters because reviews are only as reliable as the upstream entitlement data and downstream revocation process. If automation reaches only a small subset of critical apps, the organisation still has to patch the gaps manually, which means the control remains partially dependent on spreadsheets and follow-up emails. Broadening lifecycle coverage does not remove governance. It makes governance measurable across more of the estate.
Practical implication: prioritise app coverage expansion for the systems that carry the highest entitlement risk, not just the easiest integrations.
Threat narrative
Attacker objective: The attacker aims to use unreviewed or poorly governed access to change business-critical actions, avoid detection, and create financial or compliance damage.
- Entry occurs when attackers or fraudsters exploit weakly governed access in a third-party or disconnected application, often through a vendor account or an overexposed entitlement path.
- Escalation follows when standing access, poor oversight, or delayed review lets the actor modify payment details, privileges, or control settings before anyone notices.
- Impact is realised through fraud, compliance failure, or broader abuse of the identity control gap, such as unauthorised financial transfer or audit refusal.
Breaches seen in the wild
- Snowflake breach — cloud credential abuse against Snowflake customer accounts compromised Ticketmaster, Santander and others.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Disconnected application coverage is the real UAR governance gap. User access reviews assume entitlements can be discovered, exported, and validated across the estate. That assumption fails when critical systems lack APIs or standards support, because the review becomes a hand-built reconstruction instead of a continuous control. The implication is not simply more tooling. It is that governance coverage is only as strong as the least connected application in the chain.
Manual UARs turn control evidence into a labour problem. When reviews depend on spreadsheets, email approvals, and log stitching, the control exists only as long as human effort can sustain it. That is why manual identity workflows routinely create security, compliance, and operational issues. For organisations under SOX, HIPAA, or sector-specific review obligations, this makes auditability a recurring operating risk rather than a one-off project.
UARs are no longer just an access control exercise; they are a lifecycle integrity test. Reviews expose whether joiner, mover, and leaver processes actually keep pace with app sprawl, third-party access, and entitlement change. If revocation is slow or incomplete, the review process becomes ceremonial. Practitioners should read this as a signal that lifecycle quality now determines whether access governance is defensible at all.
Continuous review coverage is becoming the baseline for identity governance maturity. Once organisations extend automation beyond a narrow set of critical systems, they can replace reactive audit prep with ongoing evidence generation. That changes the operating model for IGA, GRC, and PAM teams alike. The practical conclusion is that review maturity is now measured by app coverage, evidence freshness, and revocation fidelity, not by the existence of a policy document.
UAR failure increasingly exposes third-party identity risk, not just employee access risk. The article’s Baltimore example shows how vendor access can move money, while the broader discussion shows how extended workforce identities sit inside the same governance burden as employees. That makes access review a cross-identity discipline. Practitioners should stop treating third-party accounts as an edge case and govern them as part of the core identity estate.
From our research:
- 46% of security and IT leaders say their organization has already experienced a security, compliance, or operational issue directly caused by manual identity workflows, according to The 2024 ESG Report: Managing Non-Human Identities.
- Another finding from that research shows that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- For a wider governance baseline, see the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for how lifecycle control supports continuous review and revocation.
What this signals
UAR modernisation is becoming a coverage problem, not a policy problem. As app estates expand, teams will be judged less on whether a review policy exists and more on whether they can evidence review and revocation across the full application footprint. The practical signal is to map disconnected systems now, because the systems outside automation are where audit risk accumulates first.
The next maturity step is to collapse the gap between identity governance and operational proof. Pairing lifecycle automation with NIST Cybersecurity Framework 2.0 style control ownership makes it easier to show that access decisions were not just made, but executed and verified. That is where GRC and IAM programmes converge.
Lifecycle integrity debt: when access reviews rely on manual stitching, every additional application increases the amount of evidence work required just to keep the control believable. Organisations should expect third-party, legacy, and regulated systems to remain the hardest part of the programme, and plan coverage expansion accordingly.
For practitioners
- Map disconnected apps to governance exceptions: Build an inventory of applications that cannot support automated entitlement discovery, review, or revocation. Assign risk owners, review cadence, and compensating controls for each one so disconnected access is treated as a managed exception rather than an invisible gap.
- Define audit-ready evidence before the review cycle starts: Specify which logs, attestations, and revocation records will satisfy internal audit or external review, then automate collection where possible. If a control cannot produce consistent evidence, it is not ready for repeated user access review.
- Extend lifecycle automation beyond the easiest systems: Prioritise applications that hold sensitive financial, operational, or regulated access even when they are difficult to integrate. The goal is to reduce spreadsheet dependency across the highest-risk entitlement paths first.
- Treat third-party accounts as first-class identities: Include vendor, contractor, and partner access in the same review and revocation workflows used for employees. Special handling should be limited to the approval logic, not to the governance standard applied to the account.
- Measure revocation fidelity, not just review completion: Track whether access changes are actually removed after approval, and whether that removal occurs across all connected systems. A completed review without verified revocation still leaves the organisation exposed.
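The revocation-fidelity check and the governance-exception handling described in the practitioner steps above (and in the technical breakdown's practical implications) as a small reconciliation script. This is an added example, not code from the article or from Cerby; the app names, users and ticket id are constructed, and it assumes a connected app can hand back a current user-to-roles export while a disconnected app cannot.

```python
"""Revocation-fidelity check for one user access review (UAR) cycle: approved
revocations are reconciled with what each app currently reports. Connected apps
are machine-verified; disconnected apps are flagged as governance exceptions
unless a manual attestation is attached. All data is constructed sample input."""
from dataclasses import dataclass, field

@dataclass
class App:
    name: str
    connected: bool                     # entitlements pullable via SCIM/API?
    entitlements: dict = field(default_factory=dict)  # user -> set of roles

@dataclass
class Revocation:
    user: str
    app: str
    role: str
    attestation: str = ""               # ticket/sign-off id (disconnected apps)

def reconcile(apps, approved):
    """Classify each approved revocation after the cycle closed: verified
    (connected app no longer reports the role), lingering (connected app still
    reports it), attested (disconnected app with manual attestation attached),
    exception (disconnected app with no evidence, an open governance gap)."""
    index = {a.name: a for a in apps}
    out = {"verified": [], "lingering": [], "attested": [], "exception": []}
    for r in approved:
        app = index[r.app]
        if app.connected:
            live = app.entitlements.get(r.user, set())
            out["lingering" if r.role in live else "verified"].append(r)
        else:
            out["attested" if r.attestation else "exception"].append(r)
    return out

def fidelity(result):
    """Share of approved revocations proven removed by machine-readable data."""
    total = sum(len(v) for v in result.values())
    return len(result["verified"]) / total if total else 1.0

APPS = [  # constructed sample: SCIM-connected HR app, disconnected legacy payments app
    App("hr-saas", True, {"alice": {"viewer"}, "bob": {"admin", "viewer"}}),
    App("legacy-payments", False),      # no API: entitlements cannot be pulled
]
APPROVED = [
    Revocation("alice", "hr-saas", "admin"),                   # gone -> verified
    Revocation("bob", "hr-saas", "admin"),                     # still admin -> lingering
    Revocation("carol", "legacy-payments", "approver", "CHG-1042"),  # attested
    Revocation("dave", "legacy-payments", "approver"),         # no evidence -> exception
]
RESULT = reconcile(APPS, APPROVED)      # fidelity(RESULT) == 0.25 for this sample
```

Only machine-verified removals count towards fidelity; attested and exception entries are the manual-evidence burden that grows with every disconnected application.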
Key takeaways
- User access reviews fail when disconnected applications force teams back to spreadsheets, email, and manual evidence collection.
- The scale of the problem is already visible: manual identity workflows have produced security, compliance, or operational issues for 46% of leaders surveyed.
- Practitioners should extend automation, define audit-ready evidence, and govern third-party access as part of the core identity estate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions management fits UAR review and revocation obligations. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI entitlement sprawl and missed revocation are central to review failures. |
| NIST SP 800-63 | Digital Identity Guidelines | Federated identity and assurance issues matter where reviews span external identities. |
Review non-human and third-party access paths where lifecycle controls and revocation are weakest.
Key terms
- User Access Review: A user access review is a formal check that compares assigned access with current business need. It is meant to confirm that each account still needs its privileges and that excessive or stale access is removed. In mature programmes, the review also produces evidence that the check happened on time and was acted on.
- Disconnected Application: A disconnected application is a system that cannot easily integrate with identity governance tools because it lacks standards support, usable APIs, or stable automation hooks. These apps force teams into manual exports and approvals, which weakens consistency and makes lifecycle governance harder to prove across the estate.
- Lifecycle Integrity: Lifecycle integrity is the degree to which identity provision, review, and revocation happen through repeatable and verifiable processes. It matters because access governance fails when entitlement changes outpace the organisation’s ability to update records, validate approvals, and remove access across all relevant systems.
- Compensating Control: A compensating control is an alternative safeguard used when the ideal control cannot be fully automated or enforced. In identity governance, it often means extra review steps, manual verification, or secondary sign-off. These controls reduce risk, but they also increase labour and can become fragile if used too broadly.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Cerby: user access reviews, disconnected applications, and identity automation. Read the original.
Published by the NHIMG editorial team on 2025-10-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org