When most identity governance programs launch, the first conversation is always the same: which five or ten critical applications do we connect first? It is a reasonable place to start. But it comes at the expense of a more important question: how do we eventually get to 100%?
That question rarely gets asked, and almost never on day one. Instead, programs are built around a Phase One strategy that covers high-profile, connected systems and defers everything else. A recent report indicated that only 54% of applications are adequately integrated with an IGA platform. Even more telling, the 2025 State of IGA Report found that only 6% of organizations have achieved fully automated IGA processes.
The more challenging applications, the disconnected, non-federated, and legacy ones, remain unmanaged. Not because they aren't important, but because the traditional math of securing them doesn't scale.
The unit economics were never going to get you there
On-premises IGA deployments consistently run at roughly three times the licensing fee in professional services costs. Cloud-based alternatives are cheaper to stand up, but organizations still typically spend twice the subscription cost just to get the first third of their applications integrated. That first wave (HR systems, joiner-mover-leaver workflows, the applications most subject to compliance requirements) consumes most of the initial budget and the first one to two years of the program.
Every application that remains after that is, by definition, the hard one. Legacy systems with no easy way to connect them. Vendor-hosted platforms where SSO and automated provisioning are locked behind expensive enterprise tiers. Custom-built tools with no standard API. Connecting each of these routinely costs five to six figures per application. At those unit economics, 100% coverage is not a prioritization problem. It is a math problem.
The maintenance trap
The cost problem is compounded by a second one: custom connectors have no ongoing support model. Not from the IGA vendor. Not from the implementation team once the engagement closes. When an application changes its UI, updates its API, or modifies its permission structure, that connector breaks. Rebuilding it means starting over at the same cost.
Over a three-to-five-year program lifecycle, this maintenance burden quietly absorbs the budget that was supposed to fund new integrations. Teams that started with ambitions of full coverage find themselves spending most of their capacity keeping existing connections alive, with nothing left to onboard the next application.
What gets left behind
The applications that never make it into the IGA program follow a predictable pattern. Low user volume apps where a manual compensating control feels sufficient. Legacy systems and custom tools that are technically painful to integrate. Marketing platforms like Meta Business Suite or TikTok for Business that lack the protocols traditional connectors require. And anything that does not fall explicitly under a compliance framework gets filed as a risk exception and the team moves on.
The problem is that threat actors do not follow the same prioritization logic. They are not looking for your most compliance-relevant application. They are looking for the path of least resistance, and ungoverned applications are exactly that. Over 80% of security incidents trace back to compromised credentials. The apps your IGA program deferred are not sitting safely outside the blast radius. They are the blast radius.
A risk exception is not a control. It is a documented acknowledgment that you chose to leave the door open.
The price of "good enough"
When partial coverage becomes the status quo, the risk does not disappear. It shifts into operational costs that are harder to see and harder to escape.
The first is the read-only trap. Because disconnected applications have no feed into the identity platform, access reviews run against manually exported user lists and become documentation exercises rather than enforcement mechanisms: a reviewer can record that an entitlement should be removed, but nothing removes it. It is a manual, time-consuming process that is error-prone and hard to audit. The consequences are measurable: 47% of organizations have failed to meet regulatory compliance specifically because they could not govern their disconnected applications.
The second is the burden of manual identity lifecycle management. Without automated provisioning, admins must log into each application individually to execute lifecycle tasks by hand. This creates a recurring operational drain that scales with every hire, transfer, and departure across the organization. And when those manual steps get missed or delayed, ghost accounts persist: active credentials belonging to employees who have already left, sitting in systems no one is watching. Every day between the HR termination date and the manual deprovisioning step is a day that credential remains usable.
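The compensating control most teams fall back on for a disconnected application is a periodic reconciliation: export the app's local user list and compare it against the HR roster. The script below is an added example of that check, written for this article; it is not Cerby's code or any IGA product's connector. The two CSV extracts are constructed sample data, and the column names (`email`, `status`, `termination_date`, `username`, `enabled`, `last_login`) are assumptions about what an HR export and an app admin-console export might contain. It flags enabled accounts with no HR record, enabled accounts whose owner was terminated longer ago than the deprovisioning SLA, and, more seriously, accounts that were logged into after the termination date.

```python
"""Reconcile a disconnected app's user export against the HR roster to find ghost accounts.

Added example for this article, not vendor code. All input data below is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster export. Assumed columns: email, status, termination_date (ISO, blank if active).
HR_CSV = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-01-15
carol@example.com,terminated,2024-03-01
"""

# Constructed user export from a disconnected app's admin console.
# Assumed columns: username (here an email), enabled, last_login (ISO date).
APP_CSV = """username,enabled,last_login
Alice@example.com,true,2024-03-10
bob@example.com,true,2024-02-20
carol@example.com,false,2024-02-28
mallory@example.com,true,2024-03-09
"""


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    days_exposed: Optional[int]      # days since termination, None when no HR record exists
    used_after_termination: bool     # last_login is after the HR termination date


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes", "enabled", "active")


def load_hr_roster(hr_csv: str) -> dict[str, dict[str, str]]:
    """Index HR rows by lower-cased email so app usernames match regardless of case."""
    return {row["email"].strip().lower(): row for row in csv.DictReader(io.StringIO(hr_csv))}


def find_ghost_accounts(hr_csv: str, app_csv: str, as_of: date, sla_days: int = 1) -> list[Finding]:
    """Return enabled app accounts that should not exist according to HR.

    sla_days is the grace period allowed for manual deprovisioning after termination.
    Disabled app accounts are skipped: the control has already been applied to them.
    """
    hr = load_hr_roster(hr_csv)
    findings: list[Finding] = []

    for row in csv.DictReader(io.StringIO(app_csv)):
        username = row["username"].strip().lower()
        if not _truthy(row["enabled"]):
            continue

        record = hr.get(username)
        if record is None:
            # Nobody in HR owns this account: a shared, contractor or forgotten login.
            findings.append(Finding(username, "no matching HR record", None, False))
            continue

        if record["status"].strip().lower() != "terminated":
            continue

        terminated_on = date.fromisoformat(record["termination_date"])
        days_exposed = (as_of - terminated_on).days
        last_login = date.fromisoformat(row["last_login"]) if row.get("last_login") else None
        used_after = last_login is not None and last_login > terminated_on

        if used_after:
            # The worst case: the credential was exercised after the owner left.
            findings.append(Finding(username, "logged in after termination", days_exposed, True))
        elif days_exposed > sla_days:
            findings.append(Finding(username, "enabled past deprovisioning SLA", days_exposed, False))

    return findings


if __name__ == "__main__":
    for f in find_ghost_accounts(HR_CSV, APP_CSV, as_of=date(2024, 3, 15)):
        print(f"{f.username}: {f.reason} (days exposed: {f.days_exposed})")
```

Run against the sample data as of 2024-03-15, the script reports two findings: bob@example.com, terminated on 2024-01-15 but still enabled and logged into on 2024-02-20, and mallory@example.com, an enabled account with no HR record at all. Alice is active in HR and Carol's account is already disabled, so neither is flagged. The report is only as good as the export it reads, and it still enforces nothing; someone has to log in and disable the accounts, which is the operational drain the paragraph above describes.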
The third is the maintenance tax. Every custom connector your team keeps alive consumes capacity that could go toward expanding coverage. When an application updates its interface or changes its API, someone has to fix it, manually, expensively, and with no guarantee it won't break again. Over time this creates zero headroom, leaving the identity team fully occupied maintaining what exists with nothing left to build what's needed.
Breaking the cycle with a structural shift
When the cost of a single integration drops from five or six figures to three or four, the calculation inverts. At that price point, leaving an application unmanaged stops being a financial tradeoff and starts looking like security negligence.
That is what Cerby makes possible, working alongside your existing IGA platform. Cerby connects applications traditional connectors cannot reach: legacy systems, non-federated tools, anything sitting behind premium licensing for access to SCIM or user management APIs. And because Cerby takes responsibility for maintaining those connections, the maintenance burden disappears. When an application changes, our self-healing technology adapts automatically.
The same investment that used to get you to half of your application landscape can now cover all of it. Cerby surfaces the identity data from these disconnected systems and feeds it directly into your governance processes, so every risk your governance team identifies is one it can act on. That is a materially different security posture, and one the traditional model was never going to deliver.
Ready to close the gaps in your identity strategy? Download our Identity Governance solution brief or speak with our team to map your path to 100% coverage.