
Modernizing identity lifecycle management: Why IAM programs miss the apps that matter most


    The proliferation of specialized business applications has made it easier for organizations to address distinct needs, but comes with a hidden cost for Identity and Access Management (IAM) and Identity Governance and Administration (IGA).

    When applications provide out-of-the-box support for modern identity standards such as SAML or OIDC for authentication, and SCIM for user lifecycle management (LCM), integrating them with an identity provider (IdP) can be straightforward. In these cases, LCM activities including provisioning, deprovisioning, and executing governance processes can be automated without much difficulty.

    However, this idealized scenario is the exception, rather than the norm.

    In this Modernizing Identity Lifecycle Management series, we'll:

    • Expose the gap between IAM’s promise and its actual coverage reality
    • Explain why the app coverage gap is permanent and how current workarounds fall short
    • Explore the operational, security, and compliance costs that result
    • Explain how to extend identity lifecycle automation to the disconnected apps that are currently outside IAM and IGA control

    Identity 101: The reality of disconnected apps

    Engineers often use the term “necessary, but insufficient.” It describes a component that is required for a solution but cannot solve the problem alone.

    For most IT and security leaders, the IdP has become “necessary but insufficient.” Despite well-planned and diligently executed IAM programs, many business-critical apps remain disconnected from centralized identity control.

    This “app gap” exists for two primary reasons:

    • Standards support is limited: Applications supporting identity standards represent only a fraction of the apps that enterprises use
    • Legacy and private hurdles: On-premises apps present obstacles to integration with IAM solutions

    Standards support is the exception, not the norm

    Today’s application environments have never been more diverse. Organizations manage hundreds of applications across SaaS, cloud, on-premises, mobile, thick client, and legacy systems.

    These applications vary widely in how they authenticate users, what protocols they support, and whether they integrate with modern identity tools at all. For identity teams, this creates two distinct challenges.

    The first is authentication. Applications that don't support SAML or OIDC can't be federated through an IdP, meaning users authenticate directly to the app rather than through centralized identity controls.

    The second, and the focus of this series, is lifecycle management. Applications that don't support SCIM or expose user management APIs can't be connected to IGA systems for automated provisioning, deprovisioning, or access governance. These are the disconnected apps that fall outside the reach of identity lifecycle automation entirely.

    Identity lifecycle management in the real world

    Consider how many applications your organization uses. Now consider how many of those were evaluated for identity standards support before procurement. For most organizations, the honest answer is: not many. The result is an app library that has grown faster than the identity infrastructure designed to manage it. When Cerby examined approximately 10,000 applications, we found a startling reality: Fewer than 7% support SCIM (System for Cross-Domain Identity Management). And this isn’t just a theoretical problem.

    Lior Zagury (Director of Global IT at monday.com) shared with us that, “We hit a wall at 150 applications. The rest didn’t support standards like SAML or SCIM. Traditional identity tools couldn’t bridge that gap.”

    Those 150 applications represented only about 20% of the company’s app library. When 80% of an application portfolio is not connected to an IdP or IGA solution’s governance or provisioning workflows, lifecycle risk compounds quickly. Departed employees may retain active accounts for days or weeks. Role changes may not trigger access reviews. Temporary access may never expire. Over time, orphaned accounts accumulate and audit trails fragment across systems that cannot be centrally reconciled.

    On-premises and private apps are integration nightmares

    While SaaS is the visible face of modern IT, on-premises and private web apps remain the functional heart of most enterprises. Unlike SaaS applications, these systems typically maintain their own local identity stores with limited outbound connectivity and no vendor-managed update path. Integrating them with modern identity infrastructure usually requires firewall changes, VPNs, and significant infrastructure investment, and even then, connectors are often incomplete, unstable, and easily broken.

    As a result, these apps frequently sit outside the standard identity perimeter, managed through local credentials and administered independently of the centralized controls that govern the rest of the environment. This creates a dangerous paradox: the internal systems hosting an organization's most sensitive data and critical workloads are often the ones with the weakest identity oversight. When lifecycle processes can't reach these systems, identity teams lose the ability to answer a foundational question: who has access to what, and should they still?
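    As an added example (not Cerby's code or product), the script below answers that foundational question for one disconnected app: it reconciles a constructed admin-console account export against a constructed HR roster and flags leavers who still have accounts, movers holding roles their new department is not entitled to, expired temporary access, and orphaned accounts with no HR record. The role-to-department mapping is an assumption an app owner would maintain.

```python
from datetime import date

# Constructed sample data: the HR system of record (joiners, movers, leavers).
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob":   {"status": "terminated", "department": "finance"},
    "carol": {"status": "active", "department": "engineering"},  # moved out of finance
    "dan":   {"status": "active", "department": "audit"},        # contractor, temporary access
}

# Constructed export from a disconnected app's admin console (no SCIM, no user API).
APP_ACCOUNTS = [
    {"user": "alice",      "role": "finance-viewer", "expires": None},
    {"user": "bob",        "role": "finance-admin",  "expires": None},
    {"user": "carol",      "role": "finance-admin",  "expires": None},
    {"user": "dan",        "role": "viewer",         "expires": date(2024, 1, 15)},
    {"user": "svc-report", "role": "finance-viewer", "expires": None},
]

# Assumed mapping of app roles to the department entitled to hold them.
ROLE_DEPARTMENT = {"finance-viewer": "finance", "finance-admin": "finance"}

# Constructed review date used by the sample run below.
AS_OF = date(2024, 6, 1)


def reconcile(roster, accounts, today):
    """Return (finding, user, detail) tuples for accounts that should not exist as-is."""
    findings = []
    for acct in accounts:
        user, role, expires = acct["user"], acct["role"], acct["expires"]
        person = roster.get(user)
        if person is None:
            findings.append(("orphaned", user, "no matching HR record"))
        elif person["status"] != "active":
            findings.append(("leaver", user, f"HR status is {person['status']}"))
        elif ROLE_DEPARTMENT.get(role) not in (None, person["department"]):
            findings.append(("mover", user, f"{role} is a {ROLE_DEPARTMENT[role]} role"))
        # Temporary grants are checked independently of the HR status checks above.
        if expires is not None and expires < today:
            findings.append(("expired", user, f"temporary access ended {expires}"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, APP_ACCOUNTS, AS_OF):
        print(*finding)
```

    Run against real exports, each finding maps to a manual deprovisioning or access-review ticket that SCIM would otherwise have triggered automatically.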

    Manual execution becomes the default

    Joiner, mover, and leaver processes still need to happen across every application in the environment, connected or not. Access still needs to be granted, updated, and revoked. Without automation to handle it, that work falls to people. But with human-centric workflows come human-centric errors.

    For the applications that fall outside IAM and IGA control, there is no easy automation. Manual workflows fill the gap. In practice, that means provisioning tickets routed through helpdesk queues, onboarding checklists that depend on three people being available at the right time, and offboarding processes that run on email chains and good intentions. It means IT administrators logging into individual applications to create, update, or deactivate accounts one at a time. It means shared spreadsheets tracking who requested access to what, when, and whether anyone ever followed up.

    For IT, this is a visibility and oversight nightmare with no single-pane view of the app and user ecosystem. For organizations with mature IAM programs, this is the quiet reality behind the automation story: the standards-based apps are handled, and everything else runs on manual user provisioning and tribal knowledge. And when manual processes govern access, the foundational promise of identity lifecycle management, that the right people have access to the right resources for the right amount of time, becomes impossible to keep at scale.

    An inconvenient truth

    Many IT, security, and governance leaders believe they've automated identity management, when the reality is that they've only automated the low-hanging fruit. This isn't a failure of leadership, effort, or intent. It's the emergent outcome of an increasingly complex IT infrastructure, one where the app gap is not an edge case but a permanent feature of enterprise environments.

    Which raises an uncomfortable question: if the app gap is a permanent feature, why isn't it being treated like one? In our next post, we'll explore the structural reasons why the app gap persists and why the most obvious solutions aren't actually solving it.

    Curious what manual identity execution is costing your organization? Download the infographic, The Real Cost of Manual Identity Execution, for a data-backed breakdown of the hidden impact.
