This is the fourth and final post in our Modernizing identity lifecycle management series. Across the first three posts, we established that most enterprise application environments have a significant identity coverage problem, that the problem is structural and won't fix itself, and that the costs of leaving it unaddressed compound across operations, security, compliance, and budget.

The root cause is the app gap: the large majority of enterprise applications don't support identity standards like SAML, SCIM, or OIDC, which means they can't be connected to IAM and IGA solutions for automated provisioning, deprovisioning, or access governance. Every attempt to close that gap hits a ceiling. Custom connectors break when APIs change. Custom integrations become maintenance burdens. Manual processes don't scale.

In this post, we'll focus on what actually works: extending your existing IAM and IGA investments to reach the apps they've never been able to touch.

Extending LCM automation to disconnected apps: What won’t work and why

The motivation to close the app gap is clear. The harder question is how and why the most obvious approaches keep falling short.

Waiting for vendors to update their apps

App vendors aren't ignoring identity standards out of negligence. They're making rational business decisions not to prioritize them. Several structural reasons explain why:

• It's technically demanding. Implementing SCIM and user management APIs correctly requires specialized identity expertise that most product teams don't have in-house. Once built, these integrations require ongoing maintenance as standards evolve and endpoints change.
• Demand is narrow. SCIM and user management APIs are primarily valuable to large enterprises managing identity at scale. Vendors whose customer base skews toward small and mid-sized businesses have little reason to invest in capabilities most of their customers will never use.
• Competing priorities win. For most SaaS teams, identity standards sit well below core product features, performance, and growth-driving integrations on the roadmap. Until enterprise customers make it a procurement requirement, it stays at the bottom of the backlog.
• The monetization math doesn't work. SCIM and user management APIs are difficult to sell as standalone features. Rather than offering them broadly, vendors typically bundle them into enterprise licensing tiers alongside other premium features, which means the only way to unlock basic lifecycle management capabilities is to pay for an upgrade most organizations don't need.

For organizations managing dozens or hundreds of apps, waiting for vendors to prioritize this isn't a strategy.

Building connectors, one by one

Out-of-the-box connectors exist for the most widely deployed apps, but they rarely cover more than a fraction of an organization's library. For everything else, you have four options:

1. Hope that the IAM or IGA vendor builds (and commits to maintaining) the necessary connectors
2. Hope that the app vendor builds (and commits to maintaining) the necessary connectors
3. Contract with a third party to build (and to maintain) the connectors for you
4. Build and maintain the necessary connectors yourself (using some combination of low-code or no-code utilities provided by the IAM or IGA vendors)

Each of these options shares the same fundamental limitation: they're incremental, they're static, and they break. Every connector is hard-coded to a specific application state. Change a user management API or update a SCIM endpoint, and it stops working. With every new integration added, the maintenance burden grows. And for apps that don't expose user management APIs or SCIM endpoints at all, none of these options apply. There's no integration path to build, regardless of budget or tooling.

How Cerby enables scalable and resilient LCM automation

Closing the app gap requires automation that can reach thousands of apps at once, extend into on-prem environments, build integrations without depending on SCIM or APIs, and adapt when those apps change.

Expansive app coverage with the Cerby Application Network

Extending coverage one app at a time can't keep pace with the rate at which application libraries grow. Cerby addresses this through the Cerby Application Network, a collection of pre-built and fully validated integrations for thousands of apps. These aren't the same apps that IdPs and IGA solutions already connect to, they're the ones those solutions can't reach. No SCIM support, no user management APIs, no existing connector path. That's precisely the gap the Cerby Application Network is built to close.

Consider the example of monday.com: At the start of 2025, only 20% of the company’s applications were centrally managed through Okta via SAML or SCIM. Barely six months later, that figure soared to 78%, and nearly 200 applications that previously had no identity integration were now connected to Okta via Cerby, enabling centralized management, automated provisioning, and consistent governance.

Support for on-prem and private apps

On-premises and private apps aren't going anywhere, and they're notoriously difficult to integrate with IAM and IGA solutions.

The Cerby On-Premises Agent (OPA) creates a secure, outbound-only tunnel from your private network to the Cerby platform, enabling identity workflow automation for on-premises apps that normally aren’t reachable from the internet.

Installed in mere minutes, it does so without needing a VPN, or inbound firewall rules, or architectural changes.

When an app isn't in the network

The Cerby Application Network covers thousands of apps, but no network covers everything. When an app isn't already supported, Cerby uses UI automation and AI to build the integration, without requiring SCIM support, user management APIs, or custom development. It's faster than a traditional connector build and doesn't create the maintenance burden that comes with hand-coded integrations.

Self-healing automation

Apps change, APIs change, user interfaces change, often without notice and usually with immediate and acute consequences for static connectors, and manual workarounds.

Using a proprietary blend of automation technologies and artificial intelligence, Cerby:

• Automatically learns how to perform lifecycle management activities on a per-version, per-app basis
• Automatically detects when something in an application changes
• Automatically re-learns how to perform the LCM activities

When an app changes, Cerby detects it and adapts without requiring intervention from your team. That's the operational difference between static connectors that break and automation that holds.

Cerby automation in action: Real-world results for companies that have closed the gap

For monday.com, working with Cerby led to:

• 3,300+ IT hours saved annually in identity lifecycle work alone (part of more than $400,000 in total labor savings), thanks to fully automated LCM that grants or revokes access instantly and that immediately deprovisions apps when employees depart
• Compliance and audit readiness, with streamlined reviews replacing multi-week audit processes, saving over 2,400 hours annually on compliance activities
• Streamlined onboarding, with new hires getting instant, role-based access and a seamless SSO experience for every app they need, on day one
• More than $130,000 in software license savings, by reclaiming the 20% of licenses that weren’t being used, a cost that was simply not known until Cerby enabled centralized visibility

ClickUp had a similar experience, with Cerby leading to:

• 97% reduction in time spent managing user access manually for apps protected by Cerby
• 82% faster audit preparation for user access controls
• Plus strengthened security due to automated password rotations, real-time onboarding/offboarding, and frictionless MFA

Automating identity lifecycle management with Cerby

The app gap isn't a temporary problem waiting for vendors to catch up or standards to proliferate. As we've shown across this series, it's a structural feature of enterprise IT, one that creates compounding costs in operations, security, compliance, and budget.

Closing it requires automation that works in the environments organizations actually operate: hybrid, dynamic, and full of apps that will never support SCIM or expose user management APIs.

That's what Cerby is built to do.

Learn more about Cerby Identity Lifecycle Management (IdLCM) and the Cerby On-Premises Agent

Curious what manual identity execution is costing your organization? Download the infographic, The Real Cost of Manual Identity Execution, for a data-backed breakdown of the hidden impact.