
Disconnected apps: what IAM teams are missing in the last mile


(@nhi-mgmt-group)

TL;DR: Disconnected apps are the fastest-growing blind spot in enterprise identity security because they bypass SAML, OIDC, SCIM, and governance workflows, leaving teams with manual provisioning, shared credentials, and unrevoked access, according to Cerby. The core issue is not coverage alone but the identity perimeter assumption that every business app can be centrally governed.

NHIMG editorial — based on content published by Cerby: disconnected apps and the last-mile identity security gap

By the numbers:

Questions worth separating out

Q: How should security teams govern disconnected apps that do not integrate with IAM?

A: Security teams should classify disconnected apps by the controls they lack, then apply compensating governance outside the usual identity stack.

Q: Why do disconnected apps increase identity and access risk?

A: Disconnected apps increase risk because they break the chain between authentication, entitlement management, and offboarding.

Q: What do security teams get wrong about Zero Trust and disconnected apps?

A: Teams often assume Zero Trust is complete once the main identity platform is hardened.

Practitioner guidance

  • Classify applications by governance reach: separate apps that support central authentication, lifecycle provisioning, and audit logging from those that do not.
  • Eliminate local account workarounds: replace spreadsheeted credentials, shared inbox passwords, and ad hoc access requests with controlled alternatives.
  • Reconcile access outside the IGA queue: review contractor, agency, and legacy application access directly in the target system, not only through the central governance platform.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • App-by-app examples of where SAML, OIDC, or SCIM coverage breaks down in real enterprise estates
  • The manual provisioning patterns that security teams use when lifecycle automation is unavailable
  • The business workflow examples that keep disconnected apps in active use despite identity blind spots
  • The source's full argument on how to extend the identity perimeter without replacing the existing stack

👉 Read Cerby’s analysis of disconnected apps and identity security blind spots →

(@mr-nhi)

Disconnected apps are an identity perimeter problem, not just an integration problem. The conventional IAM model assumes applications can be brought inside standard authentication and provisioning workflows. That assumption fails when business-critical apps sit outside SAML, OIDC, or SCIM coverage, because the programme loses control over who enters, who retains access, and who leaves cleanly. The implication is that identity governance must be measured by reachable applications, not by system count.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security.
  • Our research also shows: only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, a confidence gap that mirrors the blind spots created by disconnected applications.

A question worth separating out:

Q: How do organisations reduce manual provisioning risk in legacy applications?

A: Organisations reduce risk by assigning explicit business ownership, separating administrative from end-user access, and creating a documented offboarding path for every legacy application. If automation is impossible, the process still needs timestamps, approvals, and revocation proof. Manual does not have to mean uncontrolled, but it must be auditable and consistently executed.

👉 Read our full editorial: Disconnected apps are breaking enterprise identity security controls
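Added example (not part of either post above, and not Cerby's or NHIMG's code): a reconciliation pass that reviews a disconnected app's local account export directly against the identity directory, covering the first post's "reconcile access outside the IGA queue" step and the second post's point that a manual offboarding path still needs review timestamps and revocation evidence. The directory contents, account export, status values and "shared" name markers are all constructed assumptions.

```python
from datetime import date

# Constructed: the IdP/HR view of people. Assumption: only an "active"
# person is a legitimate owner of a local account in the target app.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "deactivated",
    "carol@agency.example": "active",
}

# Constructed: local account export from an app with no SAML/OIDC/SCIM
# hook, so nothing in the IdP ever revokes these accounts on its own.
APP_ACCOUNTS = [
    {"username": "alice", "owner": "alice@example.com", "last_login": "2024-05-01"},
    {"username": "bob", "owner": "bob@example.com", "last_login": "2024-03-12"},
    {"username": "marketing-shared", "owner": "", "last_login": "2024-05-20"},
    {"username": "carol", "owner": "carol@agency.example", "last_login": "2023-09-01"},
    {"username": "dave", "owner": "dave@example.com", "last_login": "2024-05-30"},
]

# Assumed naming convention for shared/team credentials in this estate.
SHARED_MARKERS = ("shared", "team", "generic")


def reconcile(accounts, directory, today, stale_days=90):
    """Return one finding per local account that fails a governance check.
    Each finding carries the review date so the run doubles as evidence
    for the manual offboarding process (today is an ISO date string)."""
    today = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        reasons = []
        name = acct["username"].lower()
        if not acct["owner"] or any(m in name for m in SHARED_MARKERS):
            reasons.append("shared or ownerless credential")
        elif acct["owner"] not in directory:
            reasons.append("owner unknown to directory")
        elif directory[acct["owner"]] != "active":
            reasons.append("owner deactivated, access not revoked")
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            reasons.append(f"no login for {idle} days")
        if reasons:
            findings.append({"username": acct["username"], "reasons": reasons,
                             "reviewed_on": today.isoformat()})
    return findings


if __name__ == "__main__":
    for f in reconcile(APP_ACCOUNTS, DIRECTORY, "2024-06-01"):
        print(f["reviewed_on"], f["username"], "->", "; ".join(f["reasons"]))
```

The findings list is what gets attached to the revocation ticket for each flagged account; the accounts that pass silently are the only ones the IGA platform would otherwise have assumed were fine.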
