
Disconnected apps and UARs: what IAM teams need to fix now

Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: Manual user access reviews are still the dominant model in many environments, but disconnected applications, limited APIs, and complex hybrid estates make them slow, error-prone, and hard to evidence, according to Cerby. The real issue is not just review fatigue: access governance breaks when controls cannot be consistently proved across the full application footprint.

NHIMG editorial — based on content published by Cerby: user access reviews, disconnected applications, and identity automation

By the numbers:

  • 46% of security and IT leaders say their organization has already experienced a security, compliance, or operational issue directly caused by manual identity workflows.
  • 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.

Questions worth separating out

Q: How should security teams handle user access reviews in disconnected applications?

A: Security teams should treat disconnected applications as governance exceptions that need explicit ownership, evidence rules, and compensating controls.

Q: Why do manual user access reviews create compliance risk?

A: Manual reviews create compliance risk because they depend on exports, spreadsheets, and human follow-up to prove that access was correctly evaluated and removed.

Q: What do organisations get wrong about user access review automation?

A: Organisations often automate only the easiest or most important applications and leave the rest to manual processing.

Practitioner guidance

  • Map disconnected apps to governance exceptions: build an inventory of applications that cannot support automated entitlement discovery, review, or revocation.
  • Define audit-ready evidence before the review cycle starts: specify which logs, attestations, and revocation records will satisfy internal audit or external review, then automate collection where possible.
  • Extend lifecycle automation beyond the easiest systems: prioritise applications that hold sensitive financial, operational, or regulated access even when they are difficult to integrate.

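The three guidance points above as one small workflow, added here as an illustration (this is not Cerby's code or the post's own material): it tiers an application inventory by what an IGA tool can automate, builds an exception register ordered by sensitivity, fixes the evidence each app must produce before the cycle closes, and then audits a set of review decisions for missing attestations, overdue revocations, and coverage gaps. The app inventory, capability labels, 14-day revocation SLA, and review records are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Integration capabilities that let an IGA tool automate a review stage (assumed labels).
# SSO protocols (SAML/OIDC) prove who can log in but expose no entitlements and remove none.
DISCOVERY_CAPS = {"SCIM", "API_READ", "API_WRITE"}
REVOCATION_CAPS = {"SCIM", "API_WRITE"}
REVOKE_SLA = timedelta(days=14)      # constructed threshold for completing a revoke decision
CYCLE_END = date(2024, 6, 30)        # constructed review-cycle close date


@dataclass(frozen=True)
class App:
    name: str
    owner: str | None                # accountable reviewer; None is itself a governance gap
    capabilities: frozenset[str]
    sensitivity: int                 # 1 = low, 3 = financial/regulated


@dataclass(frozen=True)
class ReviewRecord:
    app: str
    user: str
    decision: str                    # "keep" or "revoke"
    decided_on: date
    attested_by: str | None          # who signed the decision
    revoked_on: date | None
    evidence_ref: str | None         # ticket id, SCIM log reference, export hash


def tier(app: App) -> str:
    """connected: discovery and revocation automatable; disconnected: neither; partial: one of them."""
    can_discover = bool(app.capabilities & DISCOVERY_CAPS)
    can_revoke = bool(app.capabilities & REVOCATION_CAPS)
    if can_discover and can_revoke:
        return "connected"
    return "partial" if can_discover or can_revoke else "disconnected"


def required_evidence(app: App) -> list[str]:
    """Evidence that must exist before the cycle closes, decided up front rather than at audit time."""
    if tier(app) == "connected":
        return ["entitlement_snapshot", "revocation_log"]
    # Without usable APIs, proof has to come from people and out-of-band artefacts.
    return ["owner_attestation", "signed_entitlement_export",
            "revocation_ticket", "post_revocation_recheck"]


def exception_register(apps: list[App]) -> list[dict]:
    """Governance exceptions (anything not fully connected), most sensitive first."""
    register = []
    for app in apps:
        t = tier(app)
        if t == "connected":
            continue
        gaps = []
        if not app.capabilities & DISCOVERY_CAPS:
            gaps.append("discovery")
        if not app.capabilities & REVOCATION_CAPS:
            gaps.append("revocation")
        register.append({"app": app.name, "tier": t, "sensitivity": app.sensitivity,
                         "missing_owner": app.owner is None, "gaps": gaps,
                         "evidence": required_evidence(app)})
    # Stable sort keeps inventory order among equal sensitivities.
    return sorted(register, key=lambda r: -r["sensitivity"])


def audit_cycle(apps: list[App], records: list[ReviewRecord], today: date) -> list[str]:
    """Findings an auditor would raise: unattested decisions, overdue or unevidenced revokes, unreviewed apps."""
    findings = []
    seen = set()
    for r in records:
        seen.add(r.app)
        if r.attested_by is None:
            findings.append(f"{r.app}/{r.user}: decision not attested")
        if r.decision == "revoke":
            if r.revoked_on is None:
                age = today - r.decided_on
                if age > REVOKE_SLA:
                    findings.append(f"{r.app}/{r.user}: revoke overdue ({age.days}d)")
            elif r.evidence_ref is None:
                findings.append(f"{r.app}/{r.user}: revocation has no evidence reference")
    for app in apps:
        if app.name not in seen:
            findings.append(f"{app.name}: no review records this cycle (coverage gap)")
    return findings


# Constructed sample inventory and review decisions.
SAMPLE_APPS = [
    App("erp", "finance-it", frozenset({"SAML", "SCIM"}), 3),
    App("payroll-portal", None, frozenset({"SAML"}), 3),
    App("legacy-reporting", "data-team", frozenset({"API_READ"}), 2),
    App("marketing-tool", "mktg", frozenset(), 1),
]
SAMPLE_RECORDS = [
    ReviewRecord("erp", "alice", "keep", date(2024, 6, 10), "finance-it", None, None),
    ReviewRecord("payroll-portal", "bob", "revoke", date(2024, 6, 1), "cfo", None, None),
    ReviewRecord("payroll-portal", "carol", "revoke", date(2024, 6, 1), "cfo", date(2024, 6, 5), None),
    ReviewRecord("legacy-reporting", "dave", "revoke", date(2024, 6, 20), None, None, None),
]

if __name__ == "__main__":
    for row in exception_register(SAMPLE_APPS):
        print(row)
    for finding in audit_cycle(SAMPLE_APPS, SAMPLE_RECORDS, CYCLE_END):
        print("FINDING:", finding)
```

The register is what the first guidance point asks for, with the owner gap and the missing stages called out per app; `required_evidence` pins the second point down before anyone starts exporting spreadsheets; and sorting by sensitivity makes the third point concrete, since the regulated payroll app with no API lands at the top of the automation backlog rather than the easy SCIM-connected one.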
What's in the full article

Cerby's full research covers the operational detail this post intentionally leaves for the source:

  • How the Cerby Application Network extends existing IAM and IGA coverage to disconnected apps without custom integration work
  • The manual review workflows that still consume days or weeks when applications lack SAML, SCIM, OAuth, or usable APIs
  • Examples of how continuous monitoring and entitlement updates flow from connected apps into IGA review cycles
  • Why some compensating GRC controls become unnecessary once automation covers more of the app estate

👉 Read Cerby's analysis of user access reviews in disconnected application environments →
