Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SCIM gaps in disconnected apps: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Disconnected apps without SCIM or APIs leave onboarding, offboarding, and access review processes manual, fragmented, and error-prone, according to Cerby’s analysis of identity automation gaps. The real issue is not SCIM itself but the governance gap it exposes when identity policy cannot reach every application.

NHIMG editorial — based on content published by Cerby: SCIM and identity automation across disconnected applications

By the numbers:

Questions worth separating out

Q: How should security teams manage access in applications that do not support SCIM?

A: They should classify those applications as identity exceptions and assign explicit operational ownership for provisioning, deprovisioning, and evidence capture.

Q: Why do disconnected apps create so much IAM risk?

A: Disconnected apps create risk because identity changes no longer propagate automatically, so access can outlive the business event that should have removed it.

Q: How do organisations know whether identity lifecycle automation is actually working?

A: They should measure execution coverage, revocation delay, and audit completeness across the full app estate, not just in the IdP.

Practitioner guidance

  • Inventory disconnected applications by business criticality Classify every app that lacks SCIM, federation, or a reliable user management API, then rank them by sensitivity, access volume, and offboarding impact.
  • Measure offboarding delay across non-integrated systems Track the time between an identity change in the source system and account revocation in each disconnected application.
  • Extend access review evidence beyond the IdP Require application-level exports, approvals, and revocation records for tools that do not support automated certifications.

What's in the full article

Cerby's full analysis covers the operational detail this post intentionally leaves for the source:

  • The specific lifecycle gaps that appear when SCIM is unavailable in legacy, social, and on-premises systems
  • The identity automation workflow Cerby describes for disconnected applications across provisioning, updates, and deprovisioning
  • The compliance reporting and access review mechanics behind automated audit trails in non-integrated apps
  • The practical coverage model for extending identity governance beyond systems that already support enterprise standards

👉 Read Cerby's analysis of SCIM gaps in disconnected identity environments →

SCIM gaps in disconnected apps: what IAM teams need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

SCIM coverage is now a governance boundary, not a feature checklist. The article shows that lifecycle automation only has real value where it reaches the applications that matter. When critical tools sit outside SCIM coverage, identity policy stops at the integration edge and the organisation inherits manual exceptions, stale access, and broken evidence chains. Practitioners should treat coverage gaps as an identity governance design problem, not an implementation nuisance.

A few things that frame the scale:

  • 4.6% of all public GitHub repositories contain at least one hardcoded secret, according to the State of Secrets Sprawl 2025.
  • Another finding shows that 38% of secrets incidents in collaboration and project management tools like Slack, Jira, and Confluence are classified as highly critical or urgent.

A question worth separating out:

Q: Who is accountable when access remains active after a user leaves?

A: Accountability sits with the identity, application, and business owners jointly, because the control failure usually spans process and integration. If the app cannot receive automated lifecycle events, someone must own the exception, the delay, and the evidence trail. Regulated programmes should also map this to access governance obligations under their internal controls and external audit requirements.

👉 Read our full editorial: SCIM gaps are leaving disconnected apps outside identity control



   
ReplyQuote
Share: