TL;DR: Nearly half of enterprise apps remain disconnected from traditional identity systems, and manual workflows preserve blind spots and governance gaps, according to Cerby’s on-demand webinar, which argues that agentic AI can automate parts of identity security. The practical issue is not more automation alone, but extending lifecycle control into the last mile of identity.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: What breaks when disconnected applications are not brought into identity governance?
A: When disconnected applications sit outside the identity system, provisioning, review, and offboarding become inconsistent and hard to evidence.
Q: Why do disconnected apps create more risk than other identity exceptions?
A: Disconnected apps create more risk because they often combine manual fulfilment, weak revocation, and poor visibility in the same place.
Practitioner guidance
- Inventory disconnected applications by lifecycle risk. Classify each app by who owns provisioning, who can revoke access, and whether recertification can be evidenced without manual reconstruction.
- Map every manual workflow to a revocation path. Document how access is removed for each disconnected app, then test whether that path works when the original requestor is unavailable.
- Extend review evidence into the edge cases. Require audit-ready proof for every exception app, including approval history, entitlement state, and offboarding confirmation.
What to expect at the briefing
Cerby's full webinar covers the operational detail this post intentionally leaves for the source:
- The webinar shows how disconnected applications are handled in real identity workflows, including where spreadsheets and help desk queues still sit in the process.
- It previews practical ways to extend identity lifecycle management into applications that do not support native centralised control.
- The session explains what agentic AI can automate today, and where it still cannot replace enforceable governance evidence.
- It frames real breach scenarios linked to disconnected apps for teams that need operational context rather than just the concept.
Disconnected apps and the identity last mile gap: are controls keeping up?
Explore further
Disconnected apps are an identity governance problem, not an integration nuisance. When nearly half of enterprise applications sit outside traditional identity systems, the issue is not cosmetic fragmentation. It is that the organisation has more access paths than it can govern consistently, which turns lifecycle management into an exception process instead of a control function. Practitioners should treat disconnected applications as first-order identity infrastructure.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable for access in disconnected applications?
A: Accountability should sit with the application owner, the identity governance function, and the business approver together, because disconnected access usually spans multiple teams. If one group cannot revoke or prove access changes on its own, accountability is shared but must still be explicit. Without named ownership, exceptions become permanent rather than temporary.