Use a connector strategy that separates transport from identity modelling. Standardise the objects you need to govern, such as users, groups, roles, entitlements, and grants, then use configuration where possible and code only where necessary. The goal is not faster sync alone, but faster movement from discovery to reviewable access control.
Why This Matters for Security Teams
Unmanaged applications are usually not a technology problem first. They are an identity governance problem with a timing problem attached. If an app cannot be brought under review quickly, access reviews, entitlement cleanup, and audit evidence all stall. That is where teams get stuck: waiting on bespoke development while unknown access continues to accumulate.
The practical goal is to make an application legible to governance before every deeper integration is finished. That means standardising the identity objects IGA needs to see, even when the transport layer is different from system to system. NHI Management Group’s research shows why this matters: only 5.7% of organisations have full visibility into their service accounts, and 97% of NHIs carry excessive privileges. See the Ultimate Guide to NHIs — Key Challenges and Risks and the OWASP Non-Human Identity Top 10 for the underlying risk pattern.
In practice, many security teams encounter entitlement sprawl only after a platform has already become business-critical and too complex to retrofit cleanly.
How It Works in Practice
The fastest path into IGA is to separate the connector into two layers: transport and identity modelling. Transport handles how data is retrieved, while identity modelling defines what the application means in governance terms. Standard objects should include users, groups, roles, entitlements, grants, and ownership metadata. Once those objects are consistent, the application can be reviewed, certified, and governed even if the upstream system is unusual.
Most teams should start with configuration, not code. Use configurable mappings for common attribute translation, entitlement normalisation, and account matching. Reserve code only for exceptions such as custom APIs, non-standard paging, or systems that expose data in a way the IGA platform cannot natively interpret. This keeps the integration maintainable and shortens the path from discovery to access review.
A workable pattern is:
- discover the application and its identity surfaces
- map the smallest governance model that supports certification
- pull accounts and entitlements into a standard schema
- assign ownership so review tasks have an accountable approver
- expose changes through recurring sync or event-driven updates where available
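The following Python sketch is an added example, not code from NHI Mgmt Group or from any IGA product. It shows the transport/identity-modelling split and the configuration-first mapping described above: two constructed exports (a JSON blob standing in for a SaaS admin API and a CSV standing in for a manual export from a legacy system) are fetched by transport functions that know nothing about governance, then normalised by one generic routine driven entirely by a per-app mapping dictionary into the standard objects (accounts, entitlements, grants, ownership). Application names, field names, owner addresses, the "privileged" sets and both exports are assumptions made for the example.

```python
"""Two-layer IGA connector sketch: transport (how rows are fetched) is kept
apart from identity modelling (what the rows mean for governance).
Added example; every system, field and sample export below is constructed."""
import csv
import io
import json
from dataclasses import dataclass


# --- standard governance schema (the objects an IGA review needs) ----------
@dataclass(frozen=True)
class Account:
    app: str
    account_id: str
    identity: str       # matching key: lower-cased email, or app-scoped id for NHIs
    is_human: bool


@dataclass(frozen=True)
class Entitlement:
    app: str
    name: str
    privileged: bool


@dataclass(frozen=True)
class Grant:
    account: Account
    entitlement: Entitlement


# --- transport layer: returns raw rows, no governance knowledge -------------
# Constructed sample: JSON export from a hypothetical SaaS admin API.
SAAS_JSON = json.dumps([
    {"id": "u-1", "mail": "Ada@Example.com", "roles": ["admin", "viewer"]},
    {"id": "u-2", "mail": "bob@example.com", "roles": ["viewer"]},
    {"id": "svc-9", "mail": "", "roles": ["admin"], "service": True},
])
# Constructed sample: CSV export from a hypothetical legacy system with no API.
LEGACY_CSV = "login,email,group\nada,ada@example.com,DBA\nbob,bob@example.com,READONLY\n"


def fetch_saas(blob):
    """Transport for the API-style source: parse the JSON payload."""
    return json.loads(blob)


def fetch_legacy(blob):
    """Transport for the export-style source: parse the CSV rows."""
    return list(csv.DictReader(io.StringIO(blob)))


# --- identity modelling: configuration first, code only in the normaliser ---
APP_CONFIG = {
    "crm-saas": {
        "account_id": "id", "identity": "mail", "entitlements": "roles",
        "service_flag": "service", "privileged": {"admin"},
        "owner": "crm-owner@example.com",
    },
    "legacy-db": {
        "account_id": "login", "identity": "email", "entitlements": "group",
        "service_flag": None, "privileged": {"DBA"},
        "owner": "dba-lead@example.com",
    },
}


def normalise(app, rows, cfg):
    """Map raw rows to Grants using only the per-app mapping in cfg."""
    grants = []
    for row in rows:
        raw_id = str(row[cfg["account_id"]])
        ident = (row.get(cfg["identity"]) or "").strip().lower()
        flagged_service = bool(cfg["service_flag"] and row.get(cfg["service_flag"]))
        is_human = bool(ident) and not flagged_service
        # Accounts with no matchable email (service accounts) get an app-scoped key.
        acct = Account(app, raw_id, ident or f"{app}:{raw_id}", is_human)
        ents = row[cfg["entitlements"]]
        ents = [ents] if isinstance(ents, str) else list(ents)
        for name in ents:
            grants.append(Grant(acct, Entitlement(app, name, name in cfg["privileged"])))
    return grants


def review_tasks(grants, cfg_by_app):
    """Group grants by the accountable owner so each owner gets one review task."""
    tasks = {}
    for g in grants:
        tasks.setdefault(cfg_by_app[g.account.app]["owner"], []).append(g)
    return tasks


def privileged_identities(grants):
    """Cross-app view: identity -> sorted 'app:entitlement' list of privileged grants."""
    out = {}
    for g in grants:
        if g.entitlement.privileged:
            out.setdefault(g.account.identity, []).append(f"{g.entitlement.app}:{g.entitlement.name}")
    return {k: sorted(v) for k, v in out.items()}


def run():
    grants = normalise("crm-saas", fetch_saas(SAAS_JSON), APP_CONFIG["crm-saas"])
    grants += normalise("legacy-db", fetch_legacy(LEGACY_CSV), APP_CONFIG["legacy-db"])
    return grants, review_tasks(grants, APP_CONFIG)


if __name__ == "__main__":
    all_grants, tasks = run()
    for owner, items in tasks.items():
        print(owner, len(items), "grants to certify")
    print(privileged_identities(all_grants))
```

Adding a third application means adding a mapping entry and, if its export format is new, a transport function; the normaliser, the schema and the review grouping stay untouched. Note the constructed service account `svc-9` has no email, so it cannot be matched to a person and surfaces under an app-scoped key with a privileged grant, which is exactly the kind of NHI a review task should force an owner to explain.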
This approach aligns with the broader lifecycle and visibility guidance in the NHI Lifecycle Management Guide and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, which both emphasise operational control before perfect completeness.
For governance leaders, this also fits the NIST Cybersecurity Framework 2.0 expectation that identity-related controls support repeatable risk management rather than one-off remediation, especially when paired with standard review workflows and documented exceptions. These controls tend to break down when the application exposes no reliable entitlement API and access data can only be reconstructed from logs or manual exports.
Common Variations and Edge Cases
Tighter connector standardisation often increases upfront mapping effort, requiring organisations to balance speed of onboarding against fidelity of the access model. Best practice is evolving here: there is no universal standard for how much detail every unmanaged app must expose before IGA can govern it, so teams should aim for the minimum model that supports certification and remediation.
Legacy systems often need a hybrid approach. A read-only connector may be enough to inventory accounts and surface privileged access, while provisioning and deprovisioning remain manual until the platform can support stronger integration. In heavily regulated environments, that interim state should be explicitly time-boxed and tracked as an exception, not treated as a permanent design.
Another edge case is SaaS shadow IT with limited admin access. In those cases, governance may begin with imported CSVs, SSO logs, and owner attestations before a direct connector is approved. That is not ideal, but it is often better than waiting for a perfect integration while access remains invisible. The Guide to the Secret Sprawl Challenge is useful here because unmanaged apps often hide secret sprawl alongside identity sprawl.
For teams measuring maturity, the right test is not whether every app is fully automated on day one. It is whether each unmanaged application can be brought into a reviewable state without a long development cycle and without losing ownership, entitlement clarity, or evidence quality.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Unmanaged apps hide accounts that are never offboarded, and NHI sprawl with excess privileges accumulates around them. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements are to be defined in policy, managed, enforced, and reviewed; identity governance depends on that consistent review. |
| NIST CSF 2.0 | GV.OV-01 | IGA onboarding needs ownership, oversight, and measurable governance outcomes. |
Assign accountable owners and track whether each connector yields reviewable access evidence.
Related resources from NHI Mgmt Group
- How should security teams handle disconnected applications that sit outside identity tooling?
- How should security teams measure whether IGA is reducing risk?
- How can teams use AI without weakening security accountability?
- How should security teams implement segregation of duties across multiple business applications?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org