
Zero trust governance gaps in apps and identities: where teams fail


(@nhi-mgmt-group)
Member Moderator

TL;DR: Zero Trust governance breaks down when organisations cannot enforce policies, maintain visibility across apps and identities, or automate access actions at scale, according to Cerby and cited Ponemon findings. The result is a compliance-friendly posture that still leaves disconnected applications, delayed revocation, and unmanaged access paths outside effective control.

NHIMG editorial — based on content published by Cerby: Zero Trust governance gaps and disconnected applications

By the numbers:

Questions worth separating out

Q: How should security teams govern disconnected applications in a Zero Trust programme?

A: Security teams should inventory disconnected applications, assign explicit business owners, and wrap them with compensating controls where federation or provisioning is not available.

Q: Why do disconnected applications weaken Zero Trust governance?

A: Disconnected applications weaken Zero Trust because they sit outside the identity control plane, so access can be granted, maintained, or removed inconsistently.

Q: How do you know if Zero Trust governance is actually working?

A: Zero Trust governance is working when access decisions are enforceable across the full application estate, revocation happens quickly, and audit evidence is generated by the control process rather than assembled later.

Practitioner guidance

  • Map disconnected applications first. Inventory every application that cannot support standard identity automation, then classify it by business criticality, data sensitivity, and manual control dependency.
  • Enforce revocation outside business hours. Remove access deprovisioning from manual working-hour processes where possible and make revocation event-driven for high-risk access paths.
  • Automate evidence generation with control execution. Tie access review, password rotation, MFA enrollment, and lifecycle actions to systems that produce audit-ready evidence as they run.
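The three guidance items above, as an added example that is not part of the original post or of Cerby's tooling: a constructed inventory flags applications with no identity connector, a lifecycle event fans out to every application at once (connected apps are deprovisioned directly, disconnected apps get a time-boxed compensating task rather than waiting for the next working-hours review), and each action writes its own hash-chained evidence record so that back-filled or altered evidence is detectable. Application names, connector types, SLAs and the event are assumptions made for the example.

```python
"""Added illustration, not code from Cerby or the source article.

Event-driven revocation across connected and disconnected applications,
with audit evidence written by the control as it executes. The inventory,
connector names and SLA values below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Constructed inventory. connector=None marks a disconnected application.
APPS = [
    {"app": "payroll-saas", "connector": "scim", "criticality": "high", "data": "pii"},
    {"app": "legacy-erp",   "connector": None,   "criticality": "high", "data": "financial"},
    {"app": "team-wiki",    "connector": "scim", "criticality": "low",  "data": "internal"},
]
SENSITIVE = {"pii", "financial"}

# Fixed clock so the example is reproducible offline.
NOW = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)


def classify(app):
    """Tier by business criticality, data sensitivity and manual-control dependency."""
    high_risk = app["criticality"] == "high" or app["data"] in SENSITIVE
    return {"app": app["app"], "tier": "high" if high_risk else "standard",
            "manual": app["connector"] is None}


@dataclass
class EvidenceLog:
    """Append-only evidence produced by control execution, hash-chained so that
    a record edited or inserted after the fact breaks verification."""
    records: list = field(default_factory=list)
    _prev: str = "0" * 64

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, **fields):
        body = dict(fields, prev=self._prev)
        body["hash"] = self._digest({k: v for k, v in body.items() if k != "hash"})
        self._prev = body["hash"]
        self.records.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True


def revoke_on_event(event, apps, log, now):
    """Fan a lifecycle event out to every application immediately.

    Connected apps are deprovisioned in place. Disconnected apps cannot be
    driven by API or federation, so a compensating task with a risk-based
    deadline is opened instead of deferring to a manual working-hours process.
    Every outcome is recorded as evidence at the moment it happens."""
    actions = []
    for app in apps:
        tier = classify(app)
        if app["connector"]:
            status, due = "revoked", now
        else:
            status = "manual-task-opened"
            sla = timedelta(hours=1) if tier["tier"] == "high" else timedelta(hours=24)
            due = now + sla
        actions.append(log.record(
            event=event["type"], subject=event["subject"], app=app["app"],
            status=status, due=due.isoformat(), at=now.isoformat()))
    return actions


def overdue(log, now):
    """Access paths still open past their deadline: the governance gap to report."""
    return [r["app"] for r in log.records
            if r["status"] != "revoked" and datetime.fromisoformat(r["due"]) < now]


def run_demo():
    """Constructed termination event for a single subject."""
    log = EvidenceLog()
    actions = revoke_on_event({"type": "termination", "subject": "alice"}, APPS, log, NOW)
    return actions, log


if __name__ == "__main__":
    actions, log = run_demo()
    for a in actions:
        print(a["app"], a["status"], "due", a["due"])
    print("evidence chain intact:", log.verify())
    print("overdue two hours later:", overdue(log, LATER))
```

The point of the hash chain is that the evidence is a by-product of the control, not a report assembled before an audit: a reviewer can recompute the chain and see that `legacy-erp` was still an open manual task two hours after the termination, which is exactly the disconnected-application gap the post describes.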

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • How Cerby extends enforcement to applications that do not support standard APIs or modern federation protocols
  • The step-by-step automation examples for password rotation, MFA enrollment, and lifecycle management across unsupported apps
  • The specific compliance-evidence workflow used to support GRC reporting and audit readiness
  • The walkthrough of Zero Trust implementation steps mapped to protect surface, transaction flows, policy creation, and monitoring

👉 Read Cerby's analysis of Zero Trust governance gaps in disconnected applications →
