Disconnected apps: what identity teams need to govern better


(@nhi-mgmt-group)
Member Moderator

TL;DR: Disconnected apps now make up a large share of enterprise SaaS and legacy estates. The source article argues that identity teams still govern them with tickets, spreadsheets, and manual password updates, which Cerby says creates visibility, compliance, and remediation gaps. Manual control can extend coverage, but it does not scale as a durable identity governance model.

NHIMG editorial — based on content published by Cerby: The Rise of Disconnected Apps and the Growing Challenge for Identity Teams

By the numbers:

Questions worth separating out

Q: How should security teams govern disconnected apps that do not support SAML or SCIM?

A: Treat them as explicit exceptions in the identity programme.

Q: Why do disconnected apps create so much risk for IAM teams?

A: They break the normal identity control loop.

Q: What do teams get wrong about manual access reviews for disconnected applications?

A: They confuse completion with control.

Practitioner guidance

  • Classify disconnected applications as governed exceptions: build an inventory of apps that cannot support SAML, SCIM, or API-driven identity workflows, then assign each one an owner, review cadence, and remediation path.
  • Connect access reviews to enforcement steps: require every certification outcome to trigger a follow-up action for session termination, credential rotation, or deprovisioning where the application supports it.
  • Replace spreadsheet governance with traceable workflows: move onboarding, offboarding, and entitlement cleanup out of email and spreadsheets so evidence, ownership, and remediation status live in one auditable record.
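The three steps above describe one control loop: an exception inventory, certification outcomes tied to enforcement, and a single auditable record. The script below is an added illustration written for this post, not code from Cerby or NHIMG; the app names, owners, dates and the `supports` capability sets are constructed sample data. It audits such a record and reports the gaps the post warns about: apps with no owner or remediation path, overdue reviews, and "revoke" outcomes that were marked complete without an enforcement action the app can actually carry out.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed governed-exception record for apps without SAML/SCIM.
@dataclass
class DisconnectedApp:
    name: str
    owner: str
    review_every_days: int
    remediation_path: str
    supports: set          # subset of {"session_kill", "rotate_credential", "deprovision"}
    last_review: date

@dataclass
class ReviewOutcome:
    app: str
    user: str
    decision: str          # "keep" or "revoke"
    enforcement: list = field(default_factory=list)  # actions actually executed

def audit(apps, outcomes, today):
    """Return findings; an empty list means the record is consistent."""
    findings = []
    by_name = {a.name: a for a in apps}
    for a in apps:
        if not a.owner or not a.remediation_path:
            findings.append(f"{a.name}: missing owner or remediation path")
        if today - a.last_review > timedelta(days=a.review_every_days):
            findings.append(f"{a.name}: review overdue")
    for o in outcomes:
        app = by_name.get(o.app)
        if app is None:
            findings.append(f"{o.app}: review outcome for app not in inventory")
        elif o.decision == "revoke":
            # A revoke with no executed, supported action is completion without control.
            if not [e for e in o.enforcement if e in app.supports]:
                findings.append(f"{o.app}/{o.user}: revoke recorded but no supported enforcement executed")
    return findings

def run_sample():
    apps = [
        DisconnectedApp("legacy-erp", "finance-it", 90, "vendor SSO roadmap", {"rotate_credential"}, date(2025, 1, 10)),
        DisconnectedApp("marketing-tool", "", 30, "", {"session_kill", "deprovision"}, date(2025, 6, 1)),
    ]
    outcomes = [
        ReviewOutcome("legacy-erp", "alice", "revoke", ["session_kill"]),       # app cannot kill sessions
        ReviewOutcome("legacy-erp", "bob", "revoke", ["rotate_credential"]),    # supported, consistent
        ReviewOutcome("marketing-tool", "carol", "keep"),
        ReviewOutcome("shadow-crm", "dave", "revoke", ["deprovision"]),         # never inventoried
    ]
    return audit(apps, outcomes, date(2025, 6, 15))
```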

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how Cerby bridges disconnected apps into existing governance workflows.
  • Specific descriptions of access request, UAR, and remediation flows for apps without SAML or SCIM.
  • Details on session-kill and credential rotation behaviour after a review outcome.
  • Implementation context around the Cerby and Okta integration shown at Oktane 2025.
