TL;DR: EMEA enterprises are seeing identity and access management strain as SaaS sprawl, regulatory fragmentation, and lean teams leave many applications outside core IAM controls, according to Cerby. The result is not just higher risk but a widening operational burden that makes identity debt a governance problem, not only a security one.
NHIMG editorial — based on content published by Cerby: disconnected apps and unmanaged identities in EMEA
By the numbers:
- 60% of SaaS applications are integrated into core IAM platforms on average.
- 25% of helpdesk tickets were identity-related in one Israeli scale-up.
- Bots and automation tools made up 60% of active identities in one AI-focused Israeli company.
Questions worth separating out
Q: How should security teams govern disconnected applications that sit outside core IAM?
A: Security teams should start by identifying every business-critical application that bypasses the identity provider, then assign ownership, lifecycle rules, and offboarding responsibility for each one.
Q: Why do unmanaged corporate identities create so much operational risk?
A: Unmanaged identities create risk because they force security and IT teams to rely on memory, tickets, and app-specific cleanup instead of a consistent lifecycle process.
Q: What do organisations get wrong about NHI lifecycle governance?
A: Many organisations treat bots and automation accounts as exceptions rather than as identities that need owners, purpose, and retirement.
Practitioner guidance
- Inventory applications outside core IAM coverage: Create a living register of apps that do not fully integrate with the identity provider, then rank them by business criticality, data sensitivity, and offboarding risk.
- Measure identity-related operational drag: Track helpdesk volume, offboarding duration, and unresolved access issues as identity governance metrics, not only support metrics.
- Fold bots and automation into lifecycle control: Require every non-human identity to have an owner, a purpose, and a retirement condition.
What's in the full article
Cerby's full analysis covers the operational detail this post intentionally leaves for the source:
- Specific examples of how Israeli teams are handling app onboarding and offboarding at scale.
- The practical workflow problems behind delayed access removal and helpdesk-heavy identity operations.
- How brand, compliance, and delivery teams end up in conflict over new application access.
- The article's first-hand observations from security and IT leaders working through these trade-offs.