TL;DR: Manual user access reviews are still the dominant model in many environments, but disconnected applications, limited APIs, and complex hybrid estates make them slow, error-prone, and hard to evidence, according to Cerby. The real issue is not just review fatigue: access governance breaks when controls cannot be consistently proved across the full application footprint.
NHIMG editorial — based on content published by Cerby: user access reviews, disconnected applications, and identity automation
By the numbers:
- 46% of security and IT leaders say their organization has already experienced a security, compliance, or operational issue directly caused by manual identity workflows.
- 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.
Questions worth separating out
Q: How should security teams handle user access reviews in disconnected applications?
A: Security teams should treat disconnected applications as governance exceptions that need explicit ownership, evidence rules, and compensating controls.
Q: Why do manual user access reviews create compliance risk?
A: Manual reviews create compliance risk because they depend on exports, spreadsheets, and human follow-up to prove that access was correctly evaluated and removed.
Q: What do organisations get wrong about user access review automation?
A: Organisations often automate only the easiest or most important applications and leave the rest to manual processing.
Practitioner guidance
- Map disconnected apps to governance exceptions Build an inventory of applications that cannot support automated entitlement discovery, review, or revocation.
- Define audit-ready evidence before the review cycle starts Specify which logs, attestations, and revocation records will satisfy internal audit or external review, then automate collection where possible.
- Extend lifecycle automation beyond the easiest systems Prioritise applications that hold sensitive financial, operational, or regulated access even when they are difficult to integrate.
What's in the full article
Cerby's full research covers the operational detail this post intentionally leaves for the source:
- How the Cerby Application Network extends existing IAM and IGA coverage to disconnected apps without custom integration work
- The manual review workflows that still consume days or weeks when applications lack SAML, SCIM, OAuth, or usable APIs
- Examples of how continuous monitoring and entitlement updates flow from connected apps into IGA review cycles
- Why some compensating GRC controls become unnecessary once automation covers more of the app estate
👉 Read Cerby's analysis of user access reviews in disconnected application environments →
Disconnected apps and UARs: what IAM teams need to fix now?
Explore further
Disconnected application coverage is the real UAR governance gap. User access reviews assume entitlements can be discovered, exported, and validated across the estate. That assumption fails when critical systems lack APIs or standards support, because the review becomes a hand-built reconstruction instead of a continuous control. The implication is not simply more tooling. It is that governance coverage is only as strong as the least connected application in the chain.
A few things that frame the scale:
- 46% of security and IT leaders say their organization has already experienced a security, compliance, or operational issue directly caused by manual identity workflows, according to The 2024 ESG Report: Managing Non-Human Identities.
- Another finding from that research shows that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when a user access review fails to catch improper access?
A: Accountability usually sits with the system owner, the identity governance function, and the business approver, because each has a role in entitlement visibility, certification, and remediation. In regulated industries, auditors and insurers may also examine whether the organisation could prove timely review and revocation. Shared responsibility does not remove ownership.
👉 Read our full editorial: User access reviews are breaking under disconnected app sprawl