A SCIM gap is the space between directory synchronisation and the real permission objects inside an application. When roles, projects, workspaces, or service accounts are not fully covered, lifecycle controls may look complete while effective access continues outside the directory record.
Expanded Definition
A SCIM gap occurs when directory synchronisation creates the impression that identity lifecycle controls are complete, but the application still contains permission-bearing objects that SCIM does not fully model. In NHI and IAM practice, that usually means roles, workspaces, projects, groups, API clients, or service accounts exist outside the exact scope of the directory record. Definitions vary across vendors because SCIM is a provisioning protocol, not a universal entitlement schema, so no single standard governs every downstream permission model.
The practical issue is not whether users are synced, but whether the real access surface is synced with equal fidelity. That distinction matters in systems where one identity can fan out into many effective privileges, especially for agents, service accounts, and automated workflows. The NIST Cybersecurity Framework 2.0 emphasises governance, access control, and continuous oversight, which is exactly where SCIM gaps belong operationally. NHI programmes documented in the Ultimate Guide to NHIs show that lifecycle completeness is often overstated when applications retain local permissions after directory deprovisioning.
The most common misapplication is treating successful SCIM provisioning as proof that all effective access has been removed, which occurs when local application roles or workspace memberships remain intact after the directory object changes.
Examples and Use Cases
Implementing SCIM rigorously often introduces product and governance friction, because the directory becomes only one source of truth while application-specific access rules still require reconciliation. Organisations have to weigh cleaner lifecycle automation against the cost of modelling and auditing non-standard entitlements.
- A SaaS platform supports SCIM for user accounts, but project-level roles are assigned inside the app and never removed when the user is deactivated in the directory.
- An AI agent platform provisions service accounts through SCIM, yet tool-specific permissions remain attached to the account after offboarding, leaving dormant access behind.
- A contractor leaves, directory sync succeeds, and the account is disabled, but workspace memberships in shared collaboration systems remain active until a manual review catches them.
- A DevOps team rotates access through automation, but token-linked application roles are outside the SCIM model, so the lifecycle record looks clean while real access persists.
These cases align with the governance concerns in Ultimate Guide to NHIs, where visibility and offboarding remain hard because identities often outnumber human users by a wide margin. The same pattern is consistent with NIST Cybersecurity Framework 2.0 guidance on asset, access, and continuous monitoring discipline.
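The four cases above share one detectable shape: an entitlement object inside the application whose holder is either marked inactive in the directory or has no directory record at all. The reconciliation below is an added example, not code from the page or from any vendor; it works over constructed sample data, uses the SCIM 2.0 core User field names (`userName`, `active`), and assumes a hypothetical local permission store with `holder`, `object_type`, `object` and `role` fields.

```python
"""
Reconcile SCIM-managed identities against application-local entitlements
to surface "SCIM gap" access: permissions that outlive, or never appear in,
the directory record.

Added example, not the page's code. All records below are constructed sample
data. The user field names follow the SCIM 2.0 core User schema (RFC 7643);
the entitlement shape (holder, object_type, object, role) is a hypothetical
application permission store that the SCIM connector never touches.
"""
from dataclasses import dataclass

# --- Constructed sample data -----------------------------------------------

# Directory view (SCIM /Users). `active: False` is how SCIM expresses a
# deprovisioned identity; a hard DELETE of the record would simply remove
# the entry, which the reconciliation treats as "no directory record".
SCIM_USERS = [
    {"id": "u-100", "userName": "alice@example.com", "active": True},
    {"id": "u-101", "userName": "contractor@example.com", "active": False},
    {"id": "u-102", "userName": "svc-agent-01", "active": False},
]

# Application view: project roles, workspace memberships, tool permissions
# and API-client roles assigned inside the app, outside the SCIM model.
APP_ENTITLEMENTS = [
    {"holder": "alice@example.com", "object_type": "project", "object": "billing", "role": "admin"},
    {"holder": "contractor@example.com", "object_type": "workspace", "object": "shared-docs", "role": "member"},
    {"holder": "svc-agent-01", "object_type": "tool", "object": "payments-api", "role": "invoke"},
    {"holder": "deploy-bot", "object_type": "api_client", "object": "prod-cluster", "role": "deploy"},
]


@dataclass(frozen=True)
class Gap:
    holder: str
    object_type: str
    object: str
    role: str
    reason: str  # "deprovisioned_holder" or "no_directory_record"


def find_scim_gaps(scim_users, entitlements):
    """Return every entitlement whose holder is not an active directory identity.

    Two reasons are distinguished: the holder exists in SCIM but is inactive
    (offboarded, yet local access survived), or the holder has no SCIM record
    at all (a purely local identity the directory never governed).
    A missing `active` attribute is treated as active so that incomplete
    records do not inflate the result with false positives.
    """
    active = {u["userName"] for u in scim_users if u.get("active", True)}
    known = {u["userName"] for u in scim_users}
    gaps = []
    for e in entitlements:
        holder = e["holder"]
        if holder in active:
            continue  # directory-managed and active: not a gap
        reason = "deprovisioned_holder" if holder in known else "no_directory_record"
        gaps.append(Gap(holder, e["object_type"], e["object"], e["role"], reason))
    return gaps


def summarise(gaps):
    """Count gaps per reason, the figure an offboarding review would report."""
    counts = {}
    for g in gaps:
        counts[g.reason] = counts.get(g.reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_scim_gaps(SCIM_USERS, APP_ENTITLEMENTS)
    for g in found:
        print(f"{g.reason:22} {g.holder:24} {g.object_type}:{g.object} ({g.role})")
    print(summarise(found))
```

Run against the sample data, the check flags the contractor's workspace membership and the agent's tool permission as surviving deprovisioning, and the `deploy-bot` API client as access the directory never modelled; Alice's project role is correctly left alone. In practice the two inputs would be pulled from the IdP's SCIM endpoint and the application's admin or audit API, and the output feeds the entitlement clean-up that the directory sync alone does not perform.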
Why It Matters in NHI Security
SCIM gaps matter because they create a false sense of control. When security teams trust the directory alone, they can miss the permissions that actually govern data access, admin actions, or API invocation. In NHI environments this is especially risky, because service accounts and agents often hold broad, persistent entitlements that are easy to overlook once automation is in place.
NHI research from Ultimate Guide to NHIs shows that only 20% of organisations have formal offboarding and revocation processes for API keys, and even fewer have mature rotation procedures. That finding matters here because a SCIM gap is often the mechanism by which “offboarded” access remains usable in practice. In Zero Trust programmes, the gap also undermines NIST Cybersecurity Framework 2.0 expectations for ongoing validation of access and change control. When a SCIM connector is added without entitlement reconciliation, organisations may believe they have closed the lifecycle loop while leaving high-value permissions untouched.
Organisations typically encounter SCIM gaps only after a revoked account still accesses a workspace, API, or admin console, at which point the mismatch between directory state and effective privilege can no longer be ignored operationally.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers gaps between identity provisioning and secret or entitlement lifecycle. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed continuously, not assumed from sync status. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires verifying actual privilege state, including non-directory access paths. |
Inventory non-directory permissions and remove lingering application entitlements after deprovisioning.
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org