Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Disconnected apps: what identity teams need to govern better


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Disconnected apps now make up a large share of enterprise SaaS and legacy estates, and the source article argues that identity teams still govern them with tickets, spreadsheets, and manual password updates, creating visibility, compliance, and remediation gaps according to Cerby. Manual control can extend coverage, but it does not scale as a durable identity governance model.

NHIMG editorial — based on content published by Cerby: The Rise of Disconnected Apps and the Growing Challenge for Identity Teams

By the numbers:

Questions worth separating out

Q: How should security teams govern disconnected apps that do not support SAML or SCIM?

A: Treat them as explicit exceptions in the identity programme.

Q: Why do disconnected apps create so much risk for IAM teams?

A: They break the normal identity control loop.

Q: What do teams get wrong about manual access reviews for disconnected applications?

A: They confuse completion with control.

Practitioner guidance

  • Classify disconnected applications as governed exceptions Build an inventory of apps that cannot support SAML, SCIM, or API-driven identity workflows, then assign each one an owner, review cadence, and remediation path.
  • Connect access reviews to enforcement steps Require every certification outcome to trigger a follow-up action for session termination, credential rotation, or deprovisioning where the application supports it.
  • Replace spreadsheet governance with traceable workflows Move onboarding, offboarding, and entitlement cleanup out of email and spreadsheets so evidence, ownership, and remediation status live in one auditable record.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how Cerby bridges disconnected apps into existing governance workflows.
  • Specific descriptions of access request, UAR, and remediation flows for apps without SAML or SCIM.
  • Details on session-kill and credential rotation behaviour after a review outcome.
  • Implementation context around the Cerby and Okta integration shown at Oktane 2025.

👉 Read Cerby's analysis of disconnected app governance and identity automation →

Disconnected apps: what identity teams need to govern better?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Disconnected app governance is really a lifecycle governance problem, not just a tooling gap. The source article shows that identity teams still rely on tickets, spreadsheets, and manual password work when applications do not integrate with SAML or SCIM. That means the issue is not simply lack of automation. It is the absence of a dependable lifecycle path for onboarding, certification, and offboarding across applications that remain operationally essential. Practitioners should treat disconnected apps as a governed population, not a fringe exception.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, according to Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why residual access remains a recurring governance problem.

A question worth separating out:

Q: Who should be accountable when disconnected app access is not removed properly?

A: The accountable owner should be the business and technical owner of the application, with identity teams defining the control standard and audit evidence requirements. If no named owner can act on remediation, the application is not actually governed, no matter how many reviews it passes.

👉 Read our full editorial: Disconnected app governance is the identity blind spot teams miss



   
ReplyQuote
Share: