SCIM gaps in disconnected apps: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7814
Topic starter  

TL;DR: Disconnected apps without SCIM or APIs leave onboarding, offboarding, and access review processes manual, fragmented, and error-prone, according to Cerby’s analysis of identity automation gaps. The real issue is not SCIM itself but the governance gap it exposes when identity policy cannot reach every application.

NHIMG editorial — based on content published by Cerby: SCIM and identity automation across disconnected applications

Questions worth separating out

Q: How should security teams manage access in applications that do not support SCIM?

A: They should classify those applications as identity exceptions and assign explicit operational ownership for provisioning, deprovisioning, and evidence capture.

Q: Why do disconnected apps create so much IAM risk?

A: Disconnected apps create risk because identity changes no longer propagate automatically, so access can outlive the business event that should have removed it.

Q: How do organisations know whether identity lifecycle automation is actually working?

A: They should measure execution coverage, revocation delay, and audit completeness across the full app estate, not just in the IdP.

Practitioner guidance

  • Inventory disconnected applications by business criticality. Classify every app that lacks SCIM, federation, or a reliable user management API, then rank them by sensitivity, access volume, and offboarding impact.
  • Measure offboarding delay across non-integrated systems. Track the time between an identity change in the source system and account revocation in each disconnected application.
  • Extend access review evidence beyond the IdP. Require application-level exports, approvals, and revocation records for tools that do not support automated certifications.
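The three metrics named in the Q&A above (execution coverage, revocation delay, audit completeness) and the offboarding-delay tracking in the guidance list can be computed from two inputs an IAM team already has: the IdP's lifecycle events and a per-application account export. The script below is an added example written for this post, not Cerby's tooling or code from the source article. It assumes a hypothetical normalised shape for both inputs (a deactivation event per user, and one row per app account with status, revocation time and an evidence reference), and the sample data is constructed for illustration. It reports, per disconnected app, how many accounts that should have been revoked actually were, which revocations exceeded the SLA, which accounts are orphaned (access outliving the business event), and which revocations lack audit evidence.

```python
"""Added example: measure identity lifecycle execution across disconnected apps.

Inputs are a hypothetical normalised form of (a) IdP lifecycle events and
(b) per-application account exports; the shapes are assumptions, not a
vendor format. Sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LifecycleEvent:
    user: str
    kind: str            # only "deactivated" is consumed here
    at: datetime


@dataclass(frozen=True)
class AppAccount:
    app: str
    user: str
    status: str          # "active" or "revoked"
    revoked_at: Optional[datetime] = None
    evidence: Optional[str] = None   # change ticket / approval reference


@dataclass
class AppReport:
    app: str
    expected: int = 0                # accounts whose owner was deactivated in the IdP
    revoked: int = 0                 # of those, actually revoked in the app
    orphaned: List[str] = field(default_factory=list)   # still active after offboarding
    late: List[str] = field(default_factory=list)       # revoked, but after the SLA
    unevidenced: List[str] = field(default_factory=list)  # revoked with no audit record
    max_delay: Optional[timedelta] = None

    @property
    def coverage(self) -> float:
        """Execution coverage: share of required revocations that happened."""
        return self.revoked / self.expected if self.expected else 1.0

    @property
    def audit_completeness(self) -> float:
        """Share of executed revocations that carry evidence."""
        return (self.revoked - len(self.unevidenced)) / self.revoked if self.revoked else 1.0


def measure_offboarding(events: List[LifecycleEvent],
                        accounts: List[AppAccount],
                        sla: timedelta = timedelta(hours=24)) -> Dict[str, AppReport]:
    """Join IdP deactivations to app accounts and score each app."""
    deactivated = {e.user: e.at for e in events if e.kind == "deactivated"}
    reports: Dict[str, AppReport] = {}
    for acct in accounts:
        rep = reports.setdefault(acct.app, AppReport(app=acct.app))
        left_at = deactivated.get(acct.user)
        if left_at is None:
            continue                      # user still active in the IdP; nothing owed
        rep.expected += 1
        if acct.status != "revoked" or acct.revoked_at is None:
            rep.orphaned.append(acct.user)  # the gap the post is about
            continue
        rep.revoked += 1
        delay = acct.revoked_at - left_at
        if rep.max_delay is None or delay > rep.max_delay:
            rep.max_delay = delay
        if delay > sla:
            rep.late.append(acct.user)
        if not acct.evidence:
            rep.unevidenced.append(acct.user)
    return reports


# Constructed sample data (not real identities or systems).
SAMPLE_EVENTS = [
    LifecycleEvent("alice", "deactivated", datetime(2024, 3, 1, 9, 0)),
    LifecycleEvent("bob", "deactivated", datetime(2024, 3, 2, 9, 0)),
]
SAMPLE_ACCOUNTS = [
    AppAccount("legacy-erp", "alice", "revoked", datetime(2024, 3, 1, 15, 0), "CHG-1001"),
    AppAccount("legacy-erp", "bob", "active"),                       # orphaned
    AppAccount("legacy-erp", "carol", "active"),                     # still employed
    AppAccount("social-x", "alice", "revoked", datetime(2024, 3, 4, 9, 0), None),  # late, no evidence
    AppAccount("social-x", "bob", "revoked", datetime(2024, 3, 2, 10, 0), "CHG-1002"),
]


if __name__ == "__main__":
    for app, r in sorted(measure_offboarding(SAMPLE_EVENTS, SAMPLE_ACCOUNTS).items()):
        print(f"{app}: coverage={r.coverage:.0%} audit={r.audit_completeness:.0%} "
              f"orphaned={r.orphaned} late={r.late} max_delay={r.max_delay}")
```

Run against a real estate, the per-app `orphaned` list is the offboarding backlog, `late` is the revocation-delay finding, and `unevidenced` is what an access review cannot certify; an app with no rows in `deactivated` has simply not had a leaver yet and should not be read as clean.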

What's in the full article

Cerby's full analysis covers the operational detail this post intentionally leaves for the source:

  • The specific lifecycle gaps that appear when SCIM is unavailable in legacy, social, and on-premises systems
  • The identity automation workflow Cerby describes for disconnected applications across provisioning, updates, and deprovisioning
  • The compliance reporting and access review mechanics behind automated audit trails in non-integrated apps
  • The practical coverage model for extending identity governance beyond systems that already support enterprise standards

👉 Read Cerby's analysis of SCIM gaps in disconnected identity environments →
