TL;DR: Integration depth, automated maintenance, and direct provisioning are what let identity programmes keep pace with hundreds of apps across hybrid environments, because connectivity has become the critical failure point in IGA, according to Lumos. The real lesson is that access sprawl is now a control-plane problem, not an exception-handling problem.
NHIMG editorial — based on content published by Lumos: How We Use AI to Build Integrations at Lumos
Questions worth separating out
Q: How should security teams govern direct provisioning into application targets?
A: Treat direct provisioning as a privileged control path, not just an integration shortcut.
Q: Why does app integration coverage affect identity governance outcomes?
A: Because access policy cannot be enforced consistently in systems that are not connected to the governance plane.
Q: What do IAM teams get wrong about automation in connector development?
A: They often assume automation alone makes an integration trustworthy.
Practitioner guidance
- Inventory every privileged connector path Map which integrations can read identities, assign entitlements, or write access directly into target systems, then classify those paths as governance-critical.
- Separate fast integration from trusted integration Require each new connector to pass entitlement mapping checks, least-privilege validation, and rollback testing before it is allowed to provision access in production.
- Tie connector maintenance to lifecycle ownership Assign an owner for every integration so that schema changes, API deprecations, and access-model drift are reviewed as lifecycle events rather than ad hoc break-fixes.
What's in the full article
Lumos's full blog covers the operational detail this post intentionally leaves for the source:
- How the integration factory is organised across research, build, test, release, and post-release support
- Examples of the internal frameworks used to generate and validate connectors at scale
- The AWS Identity Center connector details, including direct provisioning into end systems
- What the custom SDK exposes for listing accounts, permissions, and access paths
👉 Read Lumos's blog on autonomous identity integrations and app connectivity →
Autonomous identity integrations: what it means for IAM teams?
Explore further
Integration depth is now an identity governance control, not just an engineering metric. When organisations cannot integrate the long tail of applications, they fall back to manual provisioning, partial recertification, and exception-based access administration. That creates a fragmented governance surface where policy is enforced only in the systems that are easiest to connect. Practitioners should treat connector coverage as part of control effectiveness, not deployment convenience.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance operates without complete inventory data.
A question worth separating out:
Q: How can organisations tell whether connector maintenance is keeping pace?
A: Look for stale mappings, failed sync jobs, unresolved API changes, and recurring manual exceptions in provisioning or access review workflows. Those signals show the integration layer is drifting away from the current application state and no longer supporting reliable governance.
👉 Read our full editorial: Autonomous identity integrations expose the IGA control plane gap