Identity consolidation and app coverage: what IAM teams need now

TL;DR: Identity-focused M&A in late 2025, combined with faster identity automation and AI-driven discovery, is pushing comprehensive app coverage from a future goal to an operational expectation, according to Cerby and the executives it cites. The real test is no longer whether identity matters, but whether enterprises can govern the applications they already own before coverage gaps become technical debt.

NHIMG editorial — based on content published by Cerby: 2026 identity consolidation and the five trends shaping IAM programs

By the numbers:

• The average enterprise has 370+ applications and over 40% don’t support the necessary standards or APIs to connect to existing identity tooling.
• Many enterprises now use AI-powered tools, and 15% of employees are sharing sensitive data with these platforms.
• For every employee, there are now 100 machine identities.

Questions worth separating out

Q: How should security teams handle disconnected applications that sit outside identity tooling?

A: Treat disconnected applications as part of the identity perimeter, not as exceptions to ignore.

Q: Why do disconnected apps create persistent IAM risk?

A: Disconnected apps create persistent risk because they often bypass the controls that make identity programmes effective: onboarding, access review, change tracking, and deprovisioning.

Q: How do you know if identity coverage is actually improving?

A: Track the percentage of applications under governed access control, and separate that metric from total seat counts or login volumes.

Practitioner guidance

• Measure identity coverage by application class Segment your application estate into governed, partially governed, and unmanaged groups, then weight the gap by business criticality.
• Prioritise last-mile applications first Target marketing tools, social platforms, HR and finance portals, and on-premise systems that lack standard connectors.
• Constrain AI to deterministic identity tasks Allow AI to assist with discovery, workflow generation, and anomaly detection, but keep permission grants and secret handling inside deterministic controls with explicit approvals.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

• How Cerby defines the practical path to 100% app coverage across disconnected tools
• The specific operational examples behind the monday.com coverage increase and what changed in six months
• The budgeting and staffing model Cerby describes for treating identity as a dedicated function
• How the article frames AI-assisted discovery without letting AI take over sensitive identity decisions

👉 Read Cerby’s analysis of 2026 identity consolidation and app coverage →

Identity consolidation and app coverage: what IAM teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →