
Disconnected apps and manual lifecycle work: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Disconnected apps force manual joiner-mover-leaver workflows that consume thousands of hours, delay access changes, weaken auditability, and leave orphaned accounts active, according to Cerby and customer examples from monday.com and ClickUp. The real issue is not inconvenience but a structural lifecycle gap that keeps governance from reaching critical applications.

NHIMG editorial — based on content published by Cerby: the real cost of manual identity execution in disconnected apps

By the numbers:

Questions worth separating out

Q: How should security teams govern access in disconnected apps?

A: Security teams should treat disconnected apps as lifecycle exceptions and enforce a manual control model that records every joiner, mover, and leaver action.

Q: Why do disconnected apps increase security risk?

A: Disconnected apps increase risk because accounts can remain active after a user leaves or changes role, creating an uncontrolled access window.

Q: How do you know if lifecycle governance is working across all apps?

A: Lifecycle governance is working when access changes are completed quickly, consistently, and with evidence across every application, including the ones outside standard IAM coverage.

Practitioner guidance

  • Inventory disconnected applications by lifecycle dependency: classify each app by how joiner-mover-leaver actions are executed today, then flag every system that still depends on tickets, email, scripts, or direct admin work as a lifecycle exception.
  • Measure deprovisioning lag by application: track the time between a leaver or mover event and actual access removal in each disconnected app, then prioritise the longest gaps first because they create the largest uncontrolled access windows.
  • Reconcile access evidence with application logs: for apps outside central identity control, pair access review evidence with local logs and admin records so certifiers can verify who had access and when, even without SIEM integration.

What's in the full article

Cerby's full post covers the operational detail this analysis intentionally leaves for the source:

  • Step-by-step examples of the manual workflows teams use for disconnected apps, including tickets, email chains, and direct admin actions.
  • Specific cost breakdowns from customer examples, including time spent on provisioning, deprovisioning, and audit work.
  • The practical mechanics of extending lifecycle automation to apps without standard identity APIs.
  • The full argument for how lifecycle coverage changes audit evidence, access control, and license management.

👉 Read Cerby's analysis of the cost of manual identity execution in disconnected apps →

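As an added illustration of the "measure deprovisioning lag by application" guidance above (example code written for this thread, not code from the post or from Cerby), the script below joins constructed HR leaver/mover events with per-app admin removal records, flags accounts that are still active, and ranks apps by their longest uncontrolled access window. All user names, app names and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed sample data: HR feed of leaver/mover events (ISO timestamps).
LIFECYCLE_EVENTS = [
    {"user": "alice", "event": "leaver", "at": "2024-03-01T09:00:00"},
    {"user": "bob",   "event": "mover",  "at": "2024-03-03T10:00:00"},
    {"user": "carol", "event": "leaver", "at": "2024-03-05T17:00:00"},
]

# Constructed admin records per disconnected app: when access was actually
# removed. None means the account is still active (an orphaned account).
APP_REMOVALS = {
    "design-tool": {"alice": "2024-03-02T15:00:00", "bob": "2024-03-10T11:00:00", "carol": None},
    "analytics":   {"alice": "2024-03-01T12:00:00", "bob": None, "carol": None},
}

# Fixed "current time" so the constructed example is reproducible.
REPORT_TIME = "2024-03-12T09:00:00"


def deprovisioning_lag(events, removals, now_iso):
    """Per app: lag in hours per user, orphaned accounts, and the longest window.

    For an account that is still active the window is measured up to `now_iso`,
    so it keeps growing until someone removes the access."""
    now = datetime.fromisoformat(now_iso)
    report = {}
    for app, removed in removals.items():
        lags, orphaned = {}, []
        for ev in events:
            user = ev["user"]
            if user not in removed:
                continue  # user never held access in this app
            start = datetime.fromisoformat(ev["at"])
            end_iso = removed[user]
            if end_iso is None:
                orphaned.append(user)
                window = now - start            # open window, still uncontrolled
            else:
                window = datetime.fromisoformat(end_iso) - start
            lags[user] = round(window.total_seconds() / 3600, 1)
        report[app] = {"lags": lags, "orphaned": orphaned,
                       "max_lag_hours": max(lags.values(), default=0.0)}
    return report


def prioritise(report):
    """Apps ordered by their longest access window first (fix these first)."""
    return sorted(report, key=lambda app: report[app]["max_lag_hours"], reverse=True)


def run_report():
    report = deprovisioning_lag(LIFECYCLE_EVENTS, APP_REMOVALS, REPORT_TIME)
    return report, prioritise(report)
```

Running `run_report()` on the constructed data ranks "analytics" ahead of "design-tool" because bob's mover access there is still open after nine days.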

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Disconnected apps create a lifecycle governance gap, not just an operations burden. The article shows that manual provisioning and deprovisioning are the root cause, while tickets and scripts are only the visible symptoms. Once identity control stops at the boundary of the app estate, access, audit, and cost all degrade together. Practitioners should treat disconnected applications as governance blind spots, not workflow nuisances.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: What should organisations do when an app cannot support identity automation?

A: Organisations should document the gap, assign a named owner, and define a compensating control that covers provisioning, deprovisioning, and review evidence. If the app cannot support automation, it still needs a repeatable governance process rather than ad hoc manual handling.

👉 Read our full editorial: Disconnected apps turn identity lifecycle gaps into security cost
