TL;DR: Zero Trust governance breaks down when organisations cannot enforce policies, maintain visibility across apps and identities, or automate access actions at scale, according to Cerby and cited Ponemon findings. The result is a compliance-friendly posture that still leaves disconnected applications, delayed revocation, and unmanaged access paths outside effective control.
NHIMG editorial — based on content published by Cerby: Zero Trust governance gaps and disconnected applications
By the numbers:
- 52% of organizations experienced a cybersecurity incident caused by the inability to secure disconnected applications.
- 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.
Questions worth separating out
Q: How should security teams govern disconnected applications in a Zero Trust programme?
A: Security teams should inventory disconnected applications, assign explicit business owners, and wrap them with compensating controls where federation or provisioning is not available.
Q: Why do disconnected applications weaken Zero Trust governance?
A: Disconnected applications weaken Zero Trust because they sit outside the identity control plane, so access can be granted, maintained, or removed inconsistently.
Q: How do you know if Zero Trust governance is actually working?
A: Zero Trust governance is working when access decisions are enforceable across the full application estate, revocation happens quickly, and audit evidence is generated by the control process rather than assembled later.
Practitioner guidance
- Map disconnected applications first Inventory every application that cannot support standard identity automation, then classify it by business criticality, data sensitivity, and manual control dependency.
- Enforce revocation outside business hours Remove access deprovisioning from manual working-hour processes where possible and make revocation event-driven for high-risk access paths.
- Automate evidence generation with control execution Tie access review, password rotation, MFA enrollment, and lifecycle actions to systems that produce audit-ready evidence as they run.
What's in the full article
Cerby's full article covers the operational detail this post intentionally leaves for the source:
- How Cerby extends enforcement to applications that do not support standard APIs or modern federation protocols
- The step-by-step automation examples for password rotation, MFA enrollment, and lifecycle management across unsupported apps
- The specific compliance-evidence workflow used to support GRC reporting and audit readiness
- The walkthrough of Zero Trust implementation steps mapped to protect surface, transaction flows, policy creation, and monitoring
👉 Read Cerby's analysis of Zero Trust governance gaps in disconnected applications →
Zero trust governance gaps in apps and identities: where teams fail?
Explore further
Zero Trust fails where enforcement stops and policy becomes aspirational. A Zero Trust programme is only as strong as the systems it can actually govern at runtime. Once disconnected applications, legacy workflows, or manual exceptions sit outside that control plane, the organisation has policy language without operational enforcement. The implication is that teams must measure Zero Trust by coverage and enforceability, not by documentation.
A few things that frame the scale:
- 52% of organizations experienced a cybersecurity incident caused by the inability to secure disconnected applications, according to The 2024 ESG Report: Managing Non-Human Identities.
- 85% of organizations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when access remains active in a disconnected application?
A: Accountability sits with the application owner and the identity governance team together, because both the control gap and the exception management process determine whether access persists. If the organisation cannot revoke access in time or prove who approved it, the governance model has failed regardless of whether a policy exists.
👉 Read our full editorial: Zero trust governance gaps leave apps and identities exposed