
Modernizing identity lifecycle management: The consequences of disconnected apps

Modernizing Identity Lifecycle Management III

    Most leaders who've thought carefully about disconnected apps frame it as an operational problem. Too many tickets. Too much manual work. Not enough automation coverage. That framing isn't wrong, but it understates the problem considerably.

    The consequences of disconnected apps don't stay inside the IT queue. They show up in security incidents, audit findings, and budget waste that most organizations never trace back to their root cause. In this post, we'll make that connection explicit.

    The many downstream consequences of manual LCM workflows

    A far-reaching consequence of this disconnect is that it prevents organizations from automating identity lifecycle management for these apps.

    Instead, IT teams are forced to introduce, execute, and continually manage manual provisioning and deprovisioning workflows. In practice, this usually means a mix of tickets, emails, logging into apps, and writing and maintaining brittle scripts.

    The inability to automate identity lifecycle management for disconnected apps isn't just an inconvenience. It's a root cause, one with a predictable chain of consequences that compound across operations, security, compliance, and cost.

    Operational drag for IT, security, IAM teams … and everyone else

    With so many apps used by so many people within today’s organizations, members of the IT, security, and IAM teams, as well as app owners, spend a disproportionate amount of time:

    • Handling access tickets
    • Troubleshooting workflows
    • Reconciling user permissions across disconnected systems
    • Manually creating, updating, or deactivating users

    These reactive, repetitive tasks introduce delays, reduce efficiency, and consume resources that should be focused on higher-value initiatives.

    For example, Lior Zagury, Director of Global IT at monday.com, shared with us that manual identity lifecycle work consumed 3,300+ hours per year, the equivalent of more than two full-time employees, costing the company over $250,000 annually.

    Similarly, Alex Raducanu (Sr. Systems Engineer) and William Levie (Sr. Manager, IT & Facilities Operations) of ClickUp explained to us that hundreds of hours were spent annually on manual account provisioning, deactivation, and user access audits.

    All of these manual activities pull personnel away from more strategic work, and their impact goes beyond IT, security, IAM teams, and app owners. They affect everyone:

    • New hires might be forced to wait days or weeks for access to fundamental applications
    • Credential resets that could happen instantly with automation instead take much longer, with employees locked out of apps until the reset is complete
    • Employees who change jobs face similar access delays, with provisioning lagging behind the expectation that someone in a new role can hit the ground running

    These aren't edge cases; they're the default experience in any organization where lifecycle automation stops at the boundary of standards-compliant apps.

    Security gaps, blind spots, and slower investigations

    Manual joiner, mover, leaver (JML) processes don't just create delays; they create windows. The time between a leaver's last day and the deactivation of their accounts across disconnected apps is a period of uncontrolled access. For a single employee, that window might be days. Across an organization processing dozens of access changes per month, it's a persistent condition.

    Orphaned accounts are the most direct result. Credentials that remain active after an employee departs are a well-documented attack vector, available for credential stuffing, reuse from prior breaches, or misuse by the former employee themselves. The risk is most acute in on-premises environments, where fragmented identity stores, limited MFA enforcement, and shared accounts combine with the weakest lifecycle controls in the enterprise.

    In ClickUp's case, SaaS administrators struggled to deprovision users across time zones quickly, often leading to lingering access and the associated risks that come with it.

    The visibility problem compounds the access problem. Because disconnected apps sit outside IAM control, they typically lack centralized logging and don't feed into SIEM or identity analytics tools. When an incident does occur, security teams are forced to manually log into individual applications to reconstruct who had access and when. In environments with dozens of disconnected apps, this turns an hours-long investigation into a days-long one. And because these apps frequently lack SSO and MFA enforcement, the blast radius of a compromised account is larger than it would be in a federated environment.
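The leaver window and orphaned accounts described in this section can be measured by reconciling an HR leaver list against per-app account exports. The sketch below is an added example, not Cerby's code or anything from the organizations quoted here; the CSV column names, app names, and all sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR leaver list and CSV exports pulled by hand
# from two disconnected apps. Column names are assumptions for this example.
HR_LEAVERS = """email,last_day
ana@example.com,2024-03-01
raj@example.com,2024-03-10
"""
APP_EXPORTS = {
    "design-tool": """email,status,deactivated_on
ana@example.com,active,
raj@example.com,disabled,2024-03-10
""",
    "legacy-crm": """email,status,deactivated_on
Ana@Example.com,disabled,2024-03-15
raj@example.com,active,
kim@example.com,active,
""",
}

def exposure_report(hr_csv, app_exports, as_of):
    """One row per (app, leaver) account: days of access after the last day."""
    leavers = {r["email"].strip().lower(): date.fromisoformat(r["last_day"])
               for r in csv.DictReader(io.StringIO(hr_csv))}
    rows = []
    for app, export in sorted(app_exports.items()):
        for acct in csv.DictReader(io.StringIO(export)):
            email = acct["email"].strip().lower()  # apps differ in email casing
            last_day = leavers.get(email)
            if last_day is None or last_day > as_of:
                continue  # current employee, or has not left yet
            orphaned = acct["status"].strip().lower() == "active"
            closed = acct["deactivated_on"].strip()
            if orphaned:
                window = (as_of - last_day).days  # still open, grows daily
            elif closed:
                window = max((date.fromisoformat(closed) - last_day).days, 0)
            else:
                window = None  # disabled, but the app kept no timestamp
            rows.append({"app": app, "email": email,
                         "orphaned": orphaned, "window_days": window})
    return rows

def still_exposed(rows):
    """Accounts that remain active after the owner's last day."""
    return [r for r in rows if r["orphaned"]]
```

A `window_days` of `None` marks an account that was disabled without a recorded date, which is itself evidence of the audit-trail gap discussed in this post.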

    Compliance gaps and audit challenges

    Disconnected apps typically fall outside normal auditing and reporting pipelines, forcing compliance teams to collect evidence manually and remediate issues by hand. For instance, monday.com’s experience was that audits meant piecing together logs from disconnected systems with no centralized visibility.

    Even periodic access reviews, straightforward when identity data is centralized, become slow, inconsistent, error-prone, and difficult to audit, with companies turning to manually updating shared spreadsheets as a best-effort substitute.

    So, in addition to security teams lacking visibility into who has access to what, disconnected apps create a situation where administrators lack audit trails and compliance teams struggle to verify control coverage. Ultimately, this means that IGA programs fail to deliver on their promise or requirements, undermined by an inability to connect to critical apps. The deeper issue is that audit findings in this area don't just reflect process immaturity; they reflect a structural inability to connect governance processes to the systems they're supposed to govern.

    Bloated app license costs

    The same visibility gap that creates security and compliance exposure has a direct financial consequence that often goes unnoticed: organizations end up paying for access that shouldn't exist.

    For example, when monday.com used Cerby to extend IAM coverage and visibility to the vast majority of their apps, they were able to identify unused and overprovisioned licenses. This allowed them to reclaim unused seats that were assigned to users who didn’t need them or were inactive.

    And it turned out that fully 20% of licenses were unnecessary, allowing the company to save more than $130,000 annually on app licensing.

    Realizing the promise of automation

    The pattern across all of these consequences is the same: workarounds exist, but they don't scale. Tickets get processed eventually. Audits get completed somehow. Licenses get reviewed once a year. But each workaround depends on people doing consistently and accurately what should be handled automatically, and that dependency compounds as headcount grows, as the app library expands, and as the pace of joiners, movers, and leavers accelerates.

    The question isn't whether organizations can survive with manual processes. Most do, for a while. The question is what it's actually costing them, in hours, in exposure, in audit findings, and in access that should have been removed months ago, and whether that cost is visible enough to act on.

    Extending automated identity lifecycle management

    Organizations need to find a scalable way to extend lifecycle automation to apps that lack identity standards and user management APIs, and to keep it working as those apps change over time.

    In our next post, we'll look at what it actually takes to extend lifecycle automation beyond the boundary of standards-compliant apps, including what's worked for organizations that have already closed the gap.
