Enterprise identity programs look strong on paper. SSO is deployed. MFA is enforced. Lifecycle automation handles provisioning and deprovisioning. The metrics show mature coverage. What those metrics don't capture is the 30% of the application estate that never got connected in the first place — the applications that support core workflows, house sensitive data, grant privileged access, and keep operations running, while sitting entirely outside the identity controls that cover everything else. Ponemon Institute's 2026 research, conducted across 614 IT and security leaders and sponsored by Cerby, measured the consequences of that gap with enough specificity to make it uncomfortable to ignore.
Key Findings
30% of enterprise applications sit outside centralized identity systems on average — at an average application estate of 284 apps, that means most organizations are running more than 80 applications with no SSO, no centrally managed MFA, and no automated lifecycle management.
40% of those disconnected applications are business-critical, meaning they support core workflows, house sensitive data, or grant privileged access — roughly 32 business-critical applications per organization are managed entirely through manual workarounds.
77% of organizations experienced at least one cybersecurity incident in the past two years caused directly by the inability to secure disconnected applications, with the most common consequences being sensitive data exposure (45%), financial loss (44%), and unauthorized access (41%).
55% of organizations rely on password-only authentication for disconnected applications with no MFA enforced — the underlying authentication posture that makes the 77% incident rate a predictable rather than surprising outcome.
63% of organizations have failed an internal or external audit at least once due to gaps in securing disconnected applications; of those, 36% failed more than once, and only 19% report no audit findings related to this category at all.
46% of organizations can only produce audit evidence for disconnected applications through significant manual effort, and 16% say they cannot produce audit evidence for those applications at all — meaning audit-readiness collapses exactly where auditors look.
31.2 hours per week are spent by teams maintaining or fixing automation workarounds for disconnected apps — custom scripts, RPA workflows, and scheduled exports that break whenever an application updates its interface, creating a maintenance burden that never ends.
68% of organizations report delayed or incomplete access removal after employee termination for disconnected applications, while access removal for connected applications runs on automated lifecycle workflows — the same departure, two entirely different outcomes depending on which layer the application sits in.
58% of organizations say the number of disconnected applications increased over the past 12 months, with AI-powered applications cited as a major driver — 87% of respondents say their organization has adopted AI or GenAI in some capacity, and most AI tools don't support SAML, OIDC, or SCIM.
56% of respondents say urgency to address disconnected applications has increased, with the top drivers being the growth of non-human identities managed outside IAM systems (53%), the inability to enforce consistent MFA (50%), and security incidents directly involving disconnected apps (49%).
38% of organizations say their Zero Trust or identity modernization initiatives are stalled specifically because of the disconnected layer — you cannot enforce least privilege to an application your identity system cannot reach, and you cannot automate access reviews for an application that has no API.
What This Report Covers
The Identity Coverage Gap
The report's central finding isn't that disconnected apps exist — every IAM team knows they do. The finding is the scale. At an average estate of 284 applications, 30% disconnected means most organizations are running more than 80 applications outside their identity control plane. The average organization has 69.7 applications not configured for SSO, 88.5 not protected by centrally managed MFA, and 60.2 that require administrators to log in manually to change access. Respondents rate their confidence in their identity program at 6.3 out of 10 on average — a number that reflects the connected layer, not the disconnected one. The gap between perceived maturity and actual coverage is the structural problem the entire report is built around.
Business-Critical Applications Are the Ones Left Unmanaged
The conventional assumption is that disconnected applications are low-stakes consumer or convenience tools that carry minimal risk. The data contradicts this directly. Forty percent of disconnected applications are business-critical — they support core workflows, house sensitive data, and grant privileged access. Organizations consistently assign the lowest operational priority to the very applications that create the highest exposure when left unmanaged. A business-critical application with no SSO, no centrally managed MFA, and no automated provisioning isn't a minor exception in an otherwise strong program. It's a significant exposure that identity program maturity metrics are specifically designed to miss, because those metrics only count the connected layer.
Security Incidents Are Already Happening at Scale
The report documents that 77% of organizations experienced at least one cybersecurity incident in the past two years tied directly to disconnected apps. Among those: 45% saw sensitive or confidential data exposure, 44% experienced financial loss, 41% had unauthorized access to systems or data, 39% dealt with operational disruption, and 31% faced fines or increased regulatory scrutiny. The authentication posture underneath this is straightforward — 55% of organizations rely on password-only authentication for disconnected apps. The most commonly cited risks in disconnected environments are excessive privileges (54%), users retaining access they no longer need (49%), lack of MFA (41%), weak or easily guessed credentials (37%), and orphaned or dormant accounts (36%). When an account in a disconnected application is compromised, the incident response playbook breaks down entirely: disabling accounts, resetting credentials, and validating the scope of access are all slower when those accounts aren't centrally managed.
Audit Readiness Collapses Where Identity Coverage Stops
The compliance dimension of the disconnected app problem is in some ways more immediately damaging than the security dimension because it surfaces on a predictable schedule. Sixty-three percent of organizations have failed an audit at least once specifically because of disconnected application gaps. Only 34% say they can consistently produce complete and accurate access records for disconnected apps. The core problem isn't the controls — it's the evidence. When access is managed outside centralized identity systems, compliance documentation depends on screenshots, manually assembled spreadsheets, and after-the-fact reconstruction. Manually assembled evidence is harder to defend under regulatory examination than continuously generated access records from an identity governance platform. An identity program that can't produce clean, continuous access records for 30% of its application estate isn't audit-ready. It's audit-exposed.
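The evidence problem described above, together with the retained-access and orphaned-account findings earlier in the report, is something a defender can start measuring today even for an application with no API. The following script is an added example, not code from the Ponemon/Cerby report or from any Cerby product: it joins a disconnected application's manually exported user list against the HR roster and produces the findings an auditor asks for (accounts with no HR record, access that survived a termination, logins after the leave date, dormant accounts, privileged accounts with no MFA), then wraps them in a dated, hashed evidence record. The column names, sample rows, the 90-day dormancy window, the one-day removal SLA and the review date are all constructed assumptions.

```python
"""Reconcile a disconnected app's user export against the HR roster.

Added illustration, not code from the Ponemon/Cerby report. Column names,
sample rows, the dormancy window and the removal SLA are all constructed.
"""
import csv
import hashlib
import io
import json
from datetime import date, datetime

# Constructed HR roster: the authoritative record of who should hold access.
HR_ROSTER_CSV = """employee_id,email,status,termination_date
1001,alice@example.com,active,
1002,bob@example.com,terminated,2026-01-15
1003,carol@example.com,active,
1004,dave@example.com,active,
"""

# Constructed export from an app with no SSO/SCIM support, pulled by hand
# from its admin console (the "screenshot and spreadsheet" evidence path).
APP_EXPORT_CSV = """email,role,last_login,mfa_enabled
alice@example.com,user,2026-03-01,true
bob@example.com,admin,2026-01-20,false
carol@example.com,user,2025-10-02,false
erin@example.com,admin,2026-02-28,false
"""

AS_OF = date(2026, 3, 10)  # constructed review date


def parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for an empty cell."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, app_csv, as_of, dormant_days=90, removal_sla_days=1):
    """Compare an app's accounts with HR status and return audit findings.

    The finding categories map to the risks the report lists for
    disconnected apps: orphaned accounts, access retained after
    termination, dormant accounts, and privileged password-only accounts.
    """
    hr = {row["email"].lower(): row for row in load_csv(hr_csv)}
    findings = {
        "orphaned": [],                # account with no HR record at all
        "late_removal": [],            # (email, days past the removal SLA)
        "post_termination_login": [],  # activity after the leave date
        "dormant": [],                 # no login inside dormant_days
        "admin_without_mfa": [],       # privileged, password-only
    }
    for acct in load_csv(app_csv):
        email = acct["email"].lower()
        person = hr.get(email)
        last_login = parse_date(acct["last_login"])
        if person is None:
            findings["orphaned"].append(email)
        elif person["status"] == "terminated":
            left = parse_date(person["termination_date"])
            days_late = (as_of - left).days - removal_sla_days
            findings["late_removal"].append((email, days_late))
            if last_login and last_login > left:
                findings["post_termination_login"].append(email)
        if last_login is None or (as_of - last_login).days > dormant_days:
            findings["dormant"].append(email)
        if acct["role"] == "admin" and acct["mfa_enabled"].lower() != "true":
            findings["admin_without_mfa"].append(email)
    return findings


def evidence_record(app_name, as_of, findings):
    """Wrap findings in a dated, hashed record so each review is
    reproducible evidence rather than a one-off spreadsheet."""
    payload = json.dumps(
        {"app": app_name, "as_of": as_of.isoformat(), "findings": findings},
        sort_keys=True,
    )
    return {
        "app": app_name,
        "as_of": as_of.isoformat(),
        "counts": {name: len(items) for name, items in findings.items()},
        "sha256": hashlib.sha256(payload.encode()).hexdigest(),
    }


def run_sample():
    return reconcile(HR_ROSTER_CSV, APP_EXPORT_CSV, AS_OF)


def sample_evidence():
    return evidence_record("example-disconnected-app", AS_OF, run_sample())


if __name__ == "__main__":
    print(json.dumps(sample_evidence(), indent=2))
```

Run against the constructed data, the script flags one orphaned account, one account still present 53 days past its removal SLA with a login after the termination date, one dormant account, and two admin accounts relying on a password alone. Swapping the two CSV constants for real exports gives the same output for a real application, but note what it does not do: it covers one application per run and depends on someone remembering to pull the export, which is exactly the manual effort the report measures. An identity governance platform generates the equivalent record continuously, and that continuity is what makes the evidence defensible under examination.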
The Hidden Operational Tax — 31.2 Hours Every Week
When centralized identity systems don't reach an application, the work doesn't disappear. It shifts to people. Fifty-one percent of organizations use tickets or email to manage provisioning for disconnected apps. Forty-three percent provision accounts by logging directly into applications. Fifty-two percent of organizations use automation workarounds — custom scripts, RPA, scheduled imports — to bridge the gap, and those organizations spend an average of 31.2 staff hours per week maintaining or fixing those tools when they break due to application updates or interface changes. Add to that the 39% more time spent on access reviews for disconnected apps compared to connected ones, and the 24% of organizations that estimate between 31% and 50% of disconnected app licenses are unused due to lack of automated provisioning. This is the hidden tax: manual work that doesn't produce governance value; it just keeps things running.
Why the Problem Persists
Sixty-two percent of identity leaders report a significant increase in awareness of disconnected app risks over the past two years. The problem isn't ignorance — the barriers are structural. Thirty-six percent cite applications that don't support identity standards (SAML, OIDC, SCIM) as their primary constraint. Thirty-eight percent cite the high cost of developing custom connectors. Thirty-seven percent cite limited IAM staffing. The assumption that SaaS vendors would modernize and eventually support enterprise identity standards has not held in practice, particularly in specialized verticals where vendors don't face enough enterprise pressure to prioritize it. AI is accelerating the problem: 87% of respondents say their organization has adopted AI or GenAI in some capacity, and most AI-powered applications don't support SAML, OIDC, or SCIM, meaning every new AI tool an employee adopts expands the unmanaged identity surface.
The AI Wildcard
The report devotes a dedicated section to AI as a structural accelerant. Among organizations that have adopted AI tools, 26% report 51 to 100 AI-created or AI-powered applications that lack SAML, OIDC, or SCIM support. Twenty-four percent report more than 100 such applications. Only 6% report none. AI-powered applications arrive in the environment without integration planning, often without IT knowledge, and typically without the identity standards support that would allow them to be brought under centralized control. The identity surface is expanding faster than the identity program can follow it using traditional approaches. The same shadow AI problem that creates credential exposure — documented in SentinelOne's 2026 research — creates identity exposure through disconnected apps. Both problems have the same root cause: deployment velocity outpacing the governance infrastructure underneath it.
The Four-Level Maturity Framework
The report closes with a practical maturity model that maps identity automation across four levels. Level 1 is connected-only maturity: disconnected apps sit entirely outside centralized control, access is password-based, and most organizations can't even produce a complete inventory of what's in use. Level 2 is visibility and partial controls: organizations recognize the problem and start inventorying disconnected apps, but provisioning and deprovisioning are still not automated and MFA isn't consistently enforced. Level 3 is the critical inflection point: security controls and lifecycle automation begin operating across both connected and disconnected applications. Level 4 is the target state: controls, automation, and governance applied uniformly across the full estate, with audit evidence generated continuously rather than assembled manually. Based on the survey data, most organizations sit between Level 1 and Level 2. Reaching Level 3 requires solutions capable of extending automation to applications outside traditional identity standards — which is the market gap Cerby, the report's sponsor, was built to address.
Our Take
AI Governance Take
The Ponemon/Cerby research lands at exactly the right moment for GAIG's audience because it quantifies a problem that's been getting structurally worse since AI deployment accelerated. Every AI tool that employees adopt without IT involvement — every Claude integration built outside the procurement process, every OpenAI API key generated during rapid prototyping, every GenAI application embedded in a business unit workflow — adds another application to the disconnected layer. The 87% AI adoption figure in this report, combined with the finding that most AI applications don't support identity standards, means the disconnected app problem is compounding faster than it was two years ago and faster than traditional identity governance approaches can address it.
The audit findings are the most immediately actionable part of this research for compliance leads. Sixty-three percent have already failed an audit because of this gap. The report is explicit about why: auditors ask for proof, and proof for disconnected applications requires manually assembled spreadsheets, screenshots, and after-the-fact reconstruction that is hard to defend as evidence of consistent control. As EU AI Act obligations come into force for high-risk AI systems, the compliance evidence requirement extends to AI deployments specifically — and AI tools are among the fastest-growing category of disconnected applications. An identity program that can't produce continuous access records for its AI tool estate isn't ready for the compliance scrutiny that's coming.
The Zero Trust implication deserves direct attention. Thirty-eight percent of organizations say their Zero Trust initiatives are stalled by the disconnected layer. Zero Trust architectures are built on the principle that no access is trusted without verification. That principle has a hard boundary at applications your identity system can't reach. If 30% of your application estate sits outside your identity control plane, 30% of your application estate is operating outside your Zero Trust architecture regardless of how mature the connected layer is. The organizations that close the disconnected app gap aren't just reducing identity risk — they're unblocking the broader security architecture investments they've already made.