
Disconnected apps: what they mean for IAM teams now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Thirty percent of enterprise applications are disconnected from identity systems, many of them business-critical, leaving access, audit evidence, and lifecycle controls dependent on manual workarounds, according to Cerby. The maturity gap is no longer about SSO coverage alone, but whether identity programmes can reach the full application estate.

NHIMG editorial — based on content published by Cerby: The Hidden Cybersecurity Threat of Disconnected Apps

By the numbers:

  • On average, 30% of enterprise applications are disconnected from identity systems, often translating to dozens of applications operating outside centralized control.
  • The survey is based on 614 IT and security leaders at organizations with more than 500 employees across the United States.

Questions worth separating out

Q: How should security teams govern applications that cannot connect to an IdP?

A: Treat disconnected applications as a separate governance class, not as exceptions to be ignored.

Q: Why do disconnected apps create so many audit problems?

A: Because auditors need proof that access was granted, reviewed, and revoked consistently, not just a statement that policy exists.

Q: What breaks when identity automation stops at connected applications?

A: Lifecycle management breaks first, then access review quality, then confidence in the overall identity programme.

Practitioner guidance

  • Inventory disconnected applications by control gap: create a registry of applications that cannot be reached through SAML, OIDC, SCIM, or your current IGA integrations.
  • Build a separate evidence model for audits: for each disconnected application, define who approves access, how changes are recorded, and what artifact proves revocation happened.
  • Prioritise the highest-risk disconnected systems first: start with applications that store sensitive data, support core workflows, or have broad administrative access.

What's in the full report

Cerby's full blog covers the operational detail this post intentionally leaves for the source:

  • The full survey benchmarks for how organisations manage disconnected SaaS and on-premises applications.
  • The audit failure patterns and evidence-collection challenges behind disconnected application controls.
  • The operational burden of manual provisioning, deprovisioning, and access review workarounds.
  • The webinar context with Cerby and Ponemon Institute leaders discussing the findings in detail.

👉 Read Cerby's analysis of disconnected application risk and identity maturity →

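The practitioner guidance in the post above (inventory by control gap, a separate evidence model, risk-first prioritisation) as a runnable script. This is an added example for the thread, not code from the post, from Cerby, or from the report it summarises. The integration labels, the risk weights in risk_score, the three-day revocation SLA, and every application, leaver and access record are constructed for illustration.

```python
"""Disconnected-app registry and leaver reconciliation (added example; all data constructed)."""
from collections import namedtuple
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

FEDERATION = frozenset({"saml", "oidc"})             # IdP handles authentication
PROVISIONING = frozenset({"scim", "iga-connector"})  # IGA handles the lifecycle


@dataclass(frozen=True)
class App:
    name: str
    integrations: FrozenSet[str]  # protocols actually wired up, not merely supported
    sensitive_data: bool
    core_workflow: bool
    admin_count: int              # users holding an administrative role


RegistryRow = namedtuple("RegistryRow", "app gaps risk")
Finding = namedtuple("Finding", "user app issue days")


def control_gaps(app: App) -> List[str]:
    """Name the identity controls that cannot reach this application."""
    gaps = []
    if not app.integrations & FEDERATION:
        gaps.append("no-sso")                  # local credentials, no central authn policy
    if not app.integrations & PROVISIONING:
        gaps.append("no-automated-lifecycle")  # joiner/mover/leaver handled by hand
    return gaps


def risk_score(app: App) -> int:
    """Order by the post's three criteria; the weights are an assumption, not Cerby's."""
    return 3 * app.sensitive_data + 2 * app.core_workflow + min(app.admin_count, 5)


def disconnected_registry(apps) -> List[RegistryRow]:
    """Applications with at least one control gap, highest risk first."""
    rows = [RegistryRow(a, tuple(control_gaps(a)), risk_score(a)) for a in apps]
    return sorted((r for r in rows if r.gaps), key=lambda r: -r.risk)


@dataclass(frozen=True)
class AccessRecord:
    """One row of a manually maintained access list for a disconnected app."""
    user: str
    app: str
    approver: Optional[str]     # None: no approval artifact on file
    revoked_on: Optional[date]  # None: still active


def revocation_gaps(leavers, records, as_of: date, sla_days: int = 3) -> List[Finding]:
    """Reconcile HR leaver dates against an access list: missing approvals, leavers still
    holding access, and revocations that landed after the SLA (the audit evidence gaps)."""
    findings = []
    for rec in records:
        if rec.approver is None:
            findings.append(Finding(rec.user, rec.app, "no-approval-evidence", None))
        term = leavers.get(rec.user)
        if term is None:
            continue  # still employed, nothing to revoke
        if rec.revoked_on is None:
            findings.append(Finding(rec.user, rec.app, "active-after-termination", (as_of - term).days))
        elif (rec.revoked_on - term).days > sla_days:
            findings.append(Finding(rec.user, rec.app, "revoked-late", (rec.revoked_on - term).days))
    return findings


# Constructed sample estate: one fully connected app, three with gaps.
SAMPLE_APPS = [
    App("hr-suite", frozenset({"saml", "scim"}), True, True, 3),
    App("wiki", frozenset({"saml"}), False, False, 2),
    App("vendor-portal", frozenset({"oidc"}), True, False, 1),
    App("payroll-legacy", frozenset(), True, True, 4),
]
# Constructed HR leaver dates and the hand-kept access list for payroll-legacy.
AS_OF = date(2024, 6, 1)
SAMPLE_LEAVERS = {"bob": date(2024, 5, 1), "carol": date(2024, 4, 20), "dave": date(2024, 5, 1)}
SAMPLE_ACCESS = [
    AccessRecord("alice", "payroll-legacy", "cfo", None),
    AccessRecord("bob", "payroll-legacy", "cfo", date(2024, 5, 2)),
    AccessRecord("carol", "payroll-legacy", None, None),
    AccessRecord("dave", "payroll-legacy", "cfo", date(2024, 5, 20)),
]

if __name__ == "__main__":
    for row in disconnected_registry(SAMPLE_APPS):
        print(f"{row.app.name:15} risk={row.risk} gaps={','.join(row.gaps)}")
    for f in revocation_gaps(SAMPLE_LEAVERS, SAMPLE_ACCESS, AS_OF):
        print(f"{f.app}: {f.user} {f.issue}", f"({f.days} days)" if f.days is not None else "")
```

Two design choices worth noting. The registry keys off the integrations that are actually wired up, not what the vendor's datasheet supports: a SAML-capable application with SSO never configured is still disconnected for governance purposes. And the reconciliation runs against the HR leaver list rather than the IdP, because for a disconnected application the IdP has no record of the account in the first place; the HR date is the only independent anchor for proving revocation happened on time.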
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Disconnected application coverage is now an identity governance boundary, not an edge case. The article shows that many organisations still measure identity maturity by connected application coverage, while a substantial share of business systems remains outside that scope. That creates a false sense of completeness because the controls appear strong only where federation exists. Practitioners should treat disconnected apps as a separate governance class with its own lifecycle and evidence model.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation can lag even after a known exposure.

A question worth separating out:

Q: Should organisations prioritise connected app coverage or disconnected app remediation first?

A: Disconnected app remediation should be prioritised where the affected systems are business-critical, sensitive, or heavily audited. Connected applications are easier to standardise, but the governance risk sits in the unreachable layer. Mature identity programmes expand coverage based on risk, not on whichever apps are simplest to integrate.

👉 Read our full editorial: Disconnected applications are the next identity maturity gap


