
New Ponemon research reveals the risky IAM blind spot most organizations miss

The 2026 Ponemon Institute Report

    You’ve built a serious identity program.

    Your identity provider (IdP) is deployed. SSO covers commonly used applications. MFA is enforced. Joiner-mover-leaver processes are automated. Your IGA platform governs your most critical applications. By most measures, your identity posture looks mature and well-controlled.

    But there’s a category of applications in your environment that sits completely outside all of it.

    These are disconnected applications: SaaS tools and on-prem apps, including key business apps, legacy systems, and an accelerating wave of AI-powered tools, that don’t support identity standards such as SAML or OIDC for federated authentication, or SCIM for automated provisioning. They can’t be federated through your IdP. They can’t be governed by your IGA platform. They fall outside MFA enforcement, automated provisioning and deprovisioning workflows, and access certifications.

    And according to new Ponemon Institute research, they’re far more widespread, more business-critical, and more damaging than most leaders realize.

    The uncomfortable reality is this: the applications your identity solutions can’t reach are often the ones attackers exploit and auditors flag.

    Introducing the research

    To better understand this gap, Cerby commissioned the Ponemon Institute to study how organizations are managing, or failing to manage, disconnected applications.

    The result is The Hidden Cybersecurity Threat: Disconnected Apps, based on an independent survey of 614 IT and security leaders at organizations with more than 500 employees across the United States, including significant representation from large enterprises.

    Ponemon designed the survey, collected the data, and conducted the analysis independently. Cerby sponsored the research but had no influence over the methodology or findings. The result is a dataset that is both credible and difficult to ignore, and one that challenges how many organizations think about identity maturity today.

    The scale of the problem is larger than most expect

    Most organizations assume disconnected applications are a small edge case. They’re not.

    On average, 30% of enterprise applications are disconnected from identity systems, often translating to dozens of applications operating outside centralized control.

    What makes this especially concerning is the nature of those applications. Many are not low-risk or peripheral tools. A meaningful portion are business-critical systems that support core workflows, store sensitive data, and grant user access that matters to the business.

    Yet access to these applications is often managed through the same manual processes and mechanisms identity programs were designed to eliminate: tickets, spreadsheets, direct admin logins, and weak credentials. Instead of consistent enforcement, organizations rely on fragmented, people-driven processes that are difficult to scale and even harder to audit.

    And the problem is not shrinking. With the continued growth of SaaS and the rapid adoption of AI-powered tools, organizations report that the number of disconnected applications is increasing, often faster than identity programs can keep up.

    A compliance problem hiding in plain sight

    For many teams, the first place this gap becomes visible is during an audit.

    The research shows that a majority of organizations have failed audits due to gaps in securing disconnected applications. The issue isn’t just missing controls; it’s missing evidence that the controls were applied.

    Auditors don’t simply ask whether controls exist. They ask for proof that those controls are consistently applied. For disconnected applications, that proof is often manual, fragmented, and difficult to defend.

    Access records are reconstructed from spreadsheets, screenshots, and exported data. Evidence is assembled after the fact instead of generated continuously. What should be a straightforward process becomes time-consuming and error-prone.

    For organizations operating under SOC 2, ISO 27001, HIPAA, or PCI DSS, this is not just inefficiency. It is a material compliance risk that can lead to audit findings, delays, or even failure.

    The operational burden no one budgets for

    The impact of disconnected applications extends beyond security and compliance. It shows up in day-to-day operations in ways that are easy to recognize but hard to quantify.

    When identity systems can’t reach an application, the work doesn’t disappear. It shifts to people.

    Provisioning happens through tickets and email. Administrators log into applications one by one to grant or update access. Deprovisioning is delayed or missed entirely. Access reviews take longer and require manual coordination across teams.

    To compensate, many organizations build automation workarounds using scripts, RPA, or workflow tools. While these approaches can reduce some manual effort, they introduce a new problem: maintenance. These integrations are often brittle and require constant attention as applications change.

    Over time, this creates a steady operational drag. Teams spend time maintaining workarounds instead of advancing their security program, and identity operations become slower, more complex, and more resource-intensive.

    The real impact: stalled identity maturity

    The most important takeaway from the research is not just that disconnected applications create risk. It’s that they limit how far identity programs can mature.

    You cannot enforce consistent authentication policies on applications your identity system cannot reach. You cannot automate lifecycle management without integrations. You cannot achieve meaningful Zero Trust coverage across only part of your environment.

    Disconnected applications are not an edge case. They are one of the largest remaining gaps in IAM programs, and they are actively holding back broader identity and security initiatives.

    A shift in how identity maturity is defined

    For years, identity maturity has been measured by how well organizations secure connected applications.

    That definition is no longer sufficient.

    True identity maturity depends on how consistently organizations can extend identity controls and automation across their entire application environment, including the disconnected layer.

    Organizations that measure themselves only on what’s connected are, in effect, measuring only part of the problem.

    Download the full report

    This blog highlights only a portion of the findings.

    The full Ponemon report provides detailed benchmarks across security, compliance, and operations, along with data to assess your organization’s identity coverage, insight into why the problem persists, and a practical framework for improving identity maturity.

    👉 Download the full report: The Hidden Cybersecurity Threat: Disconnected Apps

    Join an upcoming webinar

    To go deeper, join an upcoming session with Matt Chiodi (Cerby) and Mike Fitzpatrick (Distinguished Fellow, Ponemon Institute).

    They’ll walk through the findings, share context behind the data, and discuss what identity and security leaders should be doing now.

    👉 Register for the webinar here

    The takeaway

    Disconnected applications have been hiding in plain sight.

    The progress identity teams have made is real, but it applies only to the applications they can reach. The Ponemon research makes one thing clear: the gap that remains is neither small nor low-risk.

    Closing it will define the next stage of identity maturity.
