
Disconnected app access: what IAM teams are missing in marketing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Disconnected apps are creating a governance gap that leaves access removal incomplete, audit records fragmented, and business-critical accounts tied to individuals rather than corporate identity, according to Ponemon Institute research commissioned by Cerby. The real problem is not just inconvenience: identity programmes built around connected apps still fail when shared passwords, MFA handoffs, and offboarding gaps dominate the marketing stack.

NHIMG editorial — based on content published by Cerby: disconnected app access and the identity gaps it creates in marketing operations

By the numbers:

Questions worth separating out

Q: How should security teams govern disconnected applications in marketing and business operations?

A: Security teams should inventory disconnected applications, assign accountable owners, and bring them into joiner-mover-leaver and access review processes.

Q: Why do disconnected apps create more risk than connected apps in IAM programmes?

A: Disconnected apps create risk because they bypass the identity controls that make access measurable and revocable.

Q: How do you know if disconnected app governance is actually working?

A: Look for complete application inventory, documented ownership, timely revocation after departure, and audit-ready evidence for each critical account.

Practitioner guidance

  • Map disconnected applications to named owners: Build an inventory of business-critical apps that sit outside SSO and SCIM, then assign a primary business owner and a technical backup for each one.
  • Remove shared MFA handoffs from production access: Eliminate workflows where one person holds the password and another person receives the code by phone or chat.
  • Extend offboarding checks to disconnected tools: Add disconnected applications to every joiner-mover-leaver checklist so revocation is verified across the full toolset, not only the systems already tied to the identity provider.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source: the lived workflow breakdown behind social media access, Meta Business Manager recovery, and offboarding failure.

  • The exact marketing-team access workflow that depended on spreadsheets, Slack messages, and phone-based MFA handoffs.
  • The Vercel offboarding failure and how a missed admin role turned into a production website outage.
  • The Ponemon survey methodology and the full set of disconnected-app findings across 614 IT and security leaders.
  • The article's original discussion of why enterprise identity features often sit behind pricing tiers that smaller teams do not buy.

👉 Read Cerby's analysis of disconnected app access and identity gaps in marketing →

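The three practitioner guidance items in the post above (inventory of apps outside SSO/SCIM with named owners, no shared MFA handoffs, leaver checks extended to disconnected tools) expressed as one reconciliation check over an application inventory. This is an added example, not code from the original post or from Cerby; the app inventory, user names, leaver dates and the one-day revocation SLA are constructed assumptions, and the finding codes are invented for illustration.

```python
"""Reconcile an application inventory against SSO/SCIM coverage and
joiner-mover-leaver events to surface disconnected-app governance gaps."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    user: str
    role: str
    active: bool = True
    # True when the MFA code for this credential is delivered to a person
    # other than the one who holds the password (a shared MFA handoff).
    mfa_handoff: bool = False


@dataclass
class App:
    name: str
    sso: bool
    scim: bool
    owner: Optional[str] = None
    backup_owner: Optional[str] = None
    accounts: List[Account] = field(default_factory=list)

    @property
    def disconnected(self) -> bool:
        # An app is "disconnected" when neither SSO nor SCIM governs it.
        return not (self.sso or self.scim)


# Constructed sample inventory (assumed data, not from the article).
INVENTORY = [
    App("hr-system", sso=True, scim=True, owner="hr-lead", backup_owner="it-ops",
        accounts=[Account("alice", "user", active=False), Account("bob", "user")]),
    App("social-scheduler", sso=False, scim=False, owner="marketing-lead",
        accounts=[Account("alice", "admin"),
                  Account("carol", "editor", mfa_handoff=True)]),
    App("web-hosting", sso=False, scim=False,
        accounts=[Account("alice", "admin")]),
]

# Constructed leaver events: user -> last working day.
LEAVERS: Dict[str, date] = {"alice": date(2025, 3, 1)}
SAMPLE_TODAY = date(2025, 3, 10)
REVOCATION_SLA = timedelta(days=1)  # assumed policy: revoke within one day


def find_gaps(inventory: List[App], leavers: Dict[str, date], today: date) -> List[dict]:
    """Return one finding per governance gap; an empty list means clean."""
    findings: List[dict] = []

    def add(app: App, code: str, detail: str) -> None:
        findings.append({"app": app.name, "code": code, "detail": detail})

    for app in inventory:
        if app.disconnected:
            if not app.owner:
                add(app, "NO_OWNER", "disconnected app has no named business owner")
            if not app.backup_owner:
                add(app, "NO_BACKUP_OWNER", "disconnected app has no technical backup owner")
            admins = [a.user for a in app.accounts if a.active and a.role == "admin"]
            if len(admins) == 1:
                add(app, "SINGLE_ADMIN", f"only active admin is {admins[0]}")
        for acct in app.accounts:
            if acct.mfa_handoff:
                add(app, "MFA_HANDOFF",
                    f"{acct.user} receives MFA codes for a credential held by someone else")
            # Leaver still active past the SLA: offboarding did not reach this app.
            if acct.active and acct.user in leavers:
                overdue = today - leavers[acct.user]
                if overdue > REVOCATION_SLA:
                    add(app, "STALE_ACCESS",
                        f"{acct.user} left {overdue.days} days ago and is still active")
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per code for a quick audit summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_gaps(INVENTORY, LEAVERS, SAMPLE_TODAY):
        print(f"{f['app']:17} {f['code']:16} {f['detail']}")
    print(summarize(find_gaps(INVENTORY, LEAVERS, SAMPLE_TODAY)))
```

The SCIM-connected app produces no findings because the leaver's account there is already inactive; every finding comes from the two apps outside SSO/SCIM, which is the point of bringing those apps into the same inventory and leaver check as the rest of the estate.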



   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Disconnected app access is an identity governance problem, not a marketing inconvenience. The article shows that business-critical tools can remain outside SSO, SCIM, and standard offboarding even in well-funded organisations. When access is managed through spreadsheets, phone-held MFA codes, and informal handoffs, the identity programme does not have a complete control surface. Practitioners should treat these tools as part of the core identity estate, not as exceptions at the edge.

A few things that frame the scale:

  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
  • The same survey found that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.

A question worth separating out:

Q: Who is accountable when a disconnected application causes a lockout or security gap?

A: Accountability should sit with the business owner of the application, the identity team that sets lifecycle policy, and the control owner responsible for access evidence. If an app can strand the company when one person leaves, the governance model has failed to assign durable ownership.

👉 Read our full editorial: Disconnected app access is breaking identity governance in marketing



   