TL;DR: Fewer than 7% of roughly 10,000 applications support SCIM, leaving most enterprise apps outside automated provisioning, deprovisioning, and access governance workflows, according to Cerby. That app gap turns identity lifecycle management into manual work, with orphaned accounts, delayed removals, and fragmented audit trails becoming structural rather than exceptional.
NHIMG editorial — based on content published by Cerby: disconnected apps and the limits of identity lifecycle automation
By the numbers:
- Fewer than 7% of roughly 10,000 applications support SCIM (System for Cross-Domain Identity Management).
- When 80% of an application portfolio is not connected to an IdP or IGA solution’s governance or provisioning workflows, lifecycle risk compounds quickly.
Questions worth separating out
Q: How should security teams govern applications that cannot support SCIM or IGA workflows?
A: Treat those applications as governed exceptions, not as covered assets.
Q: Why do disconnected apps create more identity risk than standardised SaaS applications?
A: Disconnected apps increase risk because provisioning, deprovisioning, and access reviews cannot be executed centrally or consistently.
Q: How do teams know whether manual identity processes are actually working?
A: They should measure whether the requested change was completed in the application, not whether a ticket was closed.
Practitioner guidance
- Inventory disconnected apps by lifecycle criticality: build a register that separates SCIM-enabled apps from apps that require manual provisioning, then rank them by sensitivity, user volume, and offboarding risk.
- Assign an exception owner for every manual workflow: name a control owner for each app that sits outside automated governance, and document who approves access, who executes changes, and how removals are verified.
- Recertify stale access in disconnected systems first: target apps with local identity stores, spreadsheets, or ticket-based administration for immediate access review, because those environments are most likely to hold orphaned accounts.
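The register, the orphaned-account check, and the "was the change completed in the app, not just ticketed" measurement from the Q&A above, as one added example (not Cerby's or NHIMG's code). It assumes an HR roster as the source of truth, an account list exported from each app, and a ticket queue for manual deprovisioning; the apps, accounts, tickets, and the 1-to-3 sensitivity scale are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed HR roster: who should and should not hold access right now.
HR_ACTIVE: Set[str] = {"alice", "bob", "carol"}
HR_TERMINATED: Set[str] = {"dave", "erin"}


@dataclass
class App:
    name: str
    scim: bool                 # True = lifecycle automated through the IdP
    sensitivity: int           # 1 (low) to 3 (high); assumed scale
    user_count: int
    active_accounts: Set[str]  # constructed export from the app's own admin console


# Constructed portfolio: two SCIM-connected apps, two disconnected ones.
APPS: List[App] = [
    App("hr-system", True, 3, 1200, {"alice", "bob", "carol"}),
    App("legacy-finance", False, 3, 40, {"alice", "dave", "erin"}),
    App("wiki", False, 1, 900, {"alice", "bob", "carol"}),
    App("crm", True, 2, 300, {"alice", "bob"}),
]

# Constructed ticket queue for manual deprovisioning in the disconnected apps.
TICKETS: List[Dict[str, str]] = [
    {"app": "legacy-finance", "user": "dave", "status": "closed"},
    {"app": "legacy-finance", "user": "erin", "status": "open"},
    {"app": "wiki", "user": "dave", "status": "closed"},
]


def criticality_score(app: App) -> int:
    """Rank by sensitivity, user volume, and offboarding risk (manual handling)."""
    volume = 1 if app.user_count < 100 else 2 if app.user_count < 1000 else 3
    offboarding_risk = 0 if app.scim else 2   # no SCIM: removals depend on a human
    return app.sensitivity * 2 + volume + offboarding_risk


def build_register(apps: List[App]) -> List[Dict[str, object]]:
    """Register of apps, highest lifecycle criticality first."""
    rows = [{"app": a.name, "scim": a.scim, "score": criticality_score(a)} for a in apps]
    return sorted(rows, key=lambda r: (-int(r["score"]), str(r["app"])))


def orphaned_accounts(app: App) -> List[str]:
    """Accounts active in the app with no active HR record (the recert target)."""
    return sorted(app.active_accounts - HR_ACTIVE)


def verify_offboarding(apps: List[App], tickets: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Check each ticket against the app's real account list, not its ticket status."""
    by_name = {a.name: a for a in apps}
    return [
        {**t, "completed": t["user"] not in by_name[t["app"]].active_accounts}
        for t in tickets
    ]


def lifecycle_metrics(results: List[Dict[str, object]]) -> Dict[str, object]:
    """Ticket closure rate versus actual completion rate, plus the gap between them."""
    total = len(results)
    closed = sum(1 for r in results if r["status"] == "closed")
    done = sum(1 for r in results if r["completed"])
    gap = [(r["app"], r["user"]) for r in results
           if r["status"] == "closed" and not r["completed"]]
    return {
        "ticket_closure_rate": closed / total,
        "completion_rate": done / total,
        "closed_but_not_removed": gap,
    }


if __name__ == "__main__":
    for row in build_register(APPS):
        print(row)
    for app in APPS:
        if not app.scim:
            print(app.name, "orphaned:", orphaned_accounts(app))
    print(lifecycle_metrics(verify_offboarding(APPS, TICKETS)))
```

The metric worth reporting is `closed_but_not_removed`: a closed ticket whose account is still active in the export is exactly the manual-process failure the Q&A warns about, and it only becomes visible when the app's own account list is reconciled against the roster.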
What's in the full article
Cerby's full article covers the operational detail this post intentionally leaves for the source:
- A deeper breakdown of how disconnected apps break provisioning and deprovisioning workflows in practice
- More detail on the manual handling patterns that create orphaned accounts and audit fragmentation
- The follow-on analysis of why the app gap persists as a structural feature of enterprise environments
Read Cerby's analysis of why disconnected apps break identity lifecycle automation.