TL;DR: Disconnected enterprise apps create an app gap that blocks SCIM, SAML, and OIDC-driven lifecycle automation, forcing manual provisioning and brittle custom connectors, according to Cerby. The governance problem is structural: access review, deprovisioning, and audit readiness cannot scale when identity standards are missing at the application layer.
NHIMG editorial — based on content published by Cerby: modernizing identity lifecycle management for disconnected applications
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern applications that do not support SCIM or SAML?
A: They should treat those applications as lifecycle exceptions that still need full governance, not as exempt systems.
Q: What breaks when identity lifecycle management depends on custom connectors?
A: Custom connectors usually fail when the target application changes its API, data model, or interface.
Q: How do organisations know if disconnected app governance is actually working?
A: They should measure how many apps are covered, how quickly access is removed at leaver events, and how much manual work remains for provisioning and audit prep.
Practitioner guidance
- Map the disconnected-app inventory first. Identify which applications in scope still lack SCIM, SAML, OIDC, or usable user management APIs, then rank them by lifecycle volume and audit impact.
- Separate brittle connectors from resilient automation. Review every custom integration for hard-coded dependencies on API endpoints, version-specific UI behaviour, or manual fallback steps.
- Extend lifecycle controls into private apps. Use outbound-only automation patterns where on-premises or private applications cannot be reached through standard internet-connected identity flows.
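The three measures named above (app coverage, time to remove access at leaver events, and a ranked app-gap list) as an added Python example; this is editorial illustration, not code from Cerby or NHIMG, and the inventory, leaver records, protocol set and 24-hour removal SLA are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STANDARD_PROTOCOLS = {"scim", "saml", "oidc", "user_api"}  # what the IAM stack can drive directly
@dataclass
class App:
    name: str
    protocols: set               # standards the app supports (empty set = app gap)
    lifecycle_events_pm: int     # joiner/mover/leaver events per month
    in_audit_scope: bool
@dataclass
class LeaverEvent:
    app: str
    hr_termination: datetime
    access_removed: Optional[datetime]  # None = access is still active
def is_disconnected(app: App) -> bool:
    return not (app.protocols & STANDARD_PROTOCOLS)

def coverage(apps) -> float:
    """Share of in-scope apps reachable through a supported identity standard."""
    return sum(not is_disconnected(a) for a in apps) / len(apps)

def rank_app_gap(apps):
    """Disconnected apps, audit-scoped ones first, then by lifecycle volume."""
    gap = [a for a in apps if is_disconnected(a)]
    gap.sort(key=lambda a: (not a.in_audit_scope, -a.lifecycle_events_pm))
    return [a.name for a in gap]

def leaver_breaches(events, sla=timedelta(hours=24)) -> dict:
    """Per app, count leaver events where access outlived the SLA or is still active."""
    breaches = {}
    for e in events:
        if e.access_removed is None or e.access_removed - e.hr_termination > sla:
            breaches[e.app] = breaches.get(e.app, 0) + 1
    return breaches
# Constructed sample inventory and leaver events (assumed, not real data).
APPS = [
    App("hr-suite", {"scim", "saml"}, 120, True),
    App("legacy-erp", set(), 80, True),
    App("design-tool", {"saml"}, 30, False),
    App("vendor-portal", set(), 15, False),
]
T0 = datetime(2025, 1, 6, 9, 0)
EVENTS = [
    LeaverEvent("hr-suite", T0, T0 + timedelta(minutes=5)),     # automated, fast
    LeaverEvent("legacy-erp", T0, T0 + timedelta(days=3)),      # ticket chain, late
    LeaverEvent("vendor-portal", T0, None),                     # never removed
]
```

Run the three functions over the real inventory and leaver feed to get the coverage percentage, the ranked app-gap backlog, and the per-app SLA breach counts the guidance asks for.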
What's in the full article
Cerby's full post covers the operational detail this post intentionally leaves for the source:
- The application-network coverage model and how it reaches apps that SCIM and SAML cannot touch.
- The on-premises agent design for private applications that are not internet reachable.
- The self-healing automation workflow for app UI and API changes.
- The monday.com and ClickUp implementation outcomes that quantify labour, audit, and license savings.
Read Cerby's post on extending identity lifecycle automation to disconnected apps.
Disconnected apps and identity lifecycle automation: what works now?
Explore further
The app gap is a lifecycle governance failure, not an application inconvenience. When most enterprise apps cannot speak SCIM, SAML, or OIDC, the IAM programme cannot reach them through normal lifecycle controls. That means provisioning, deprovisioning, and access certification drift into manual work, ticket chains, and one-off scripts. The implication is straightforward: lifecycle maturity has to be measured against actual application coverage, not against the existence of an IAM stack.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when disconnected apps remain outside identity governance?
A: Accountability sits with the identity and application owners together, because the control failure is shared. IAM teams own the governance model, while application owners own the integration feasibility and lifecycle evidence. If either side treats the gap as someone else’s problem, the application remains outside effective access control.
Read our full editorial: Extending identity lifecycle automation to disconnected apps.