Zero trust (ZT) works when deployed consistently, but you can’t apply it to apps that are disconnected from your identity infrastructure. When we think of enterprise apps, we often focus on major SaaS apps like M365 and SalesForce. However, countless disconnected apps lurk in the background, posing significant risks to your organization.

What Are disconnected apps?

Disconnected apps, sometimes called non-standard, non-federated, or unmanaged apps, do not support APIs and common identity and security standards such as SAML, SCIM, OIDC, and so forth. While Shadow IT usually refers to SaaS used without IT and security approval, disconnected apps, including on-premise, OT, legacy, and cloud, fall across the IT infrastructure spectrum. Security and IT professionals frequently perceive these apps as either legacy or Shadow IT. Nothing could be farther from the truth. Consider the following research that explains why so many apps fall into this category. Standards like SAML, SCIM, and APIs struggle with broad industry adoption.


Research by Cerby on the top 10,000 enterprise apps

According to a recent Ponemon study, 49% of organizations don't track how many disconnected apps they have, and only 21% are confident they know all such apps in use​. Whether it’s a marketing team's analytics tool or a finance department's treasury app, disconnected apps can slip through the cracks, leaving a massive gap in security oversight.

Ubiquity of disconnected across departments

Disconnected apps are more pervasive than you might think. Here are some familiar places you’ll find them in nearly every industry:

  • Clinical or Healthcare Operations: EHRs are widely used for managing patient data.
  • Finance: apps used for expense management, financial forecasting and treasury (typically via national banks).
  • Operations: Scheduling or project management apps used by different teams.
  • Marketing: Tools for social media (Meta Business Manager, Instagram, LinkedIn, etc.), influencer tracking, or campaign management that often handle public information but are highly sensitive due to potentially negative impacts on the brand from misinformation.

The Ponemon Institute report found disconnected apps are used across all application categories, from 47% in eCommerce to 45% in CRM systems​. The widespread use of these apps makes it nearly impossible for IT to manage them effectively with manual methods.

Why these apps pose a risk

  1. Manual processes: Disconnected apps typically require manual effort to complete critical security and identity processes, including managing credentials, rotating passwords, provisioning and deprovisioning users, assigning access permissions, and more. This introduces human error into processes, increasing the risk of unauthorized or retained access. In addition, it’s a drag on productivity–on average, it takes 7 hours to provision access to standard apps, costing $437.50 per employee. In contrast, deprovisioning takes even longer​ (ever had a call to deprovision access at 2 AM on a Saturday?).
  2. Lack of visibility: Disconnected apps are often opaque to IT teams. Their lack of central management means they operate outside of most governance frameworks.
  3. Compliance and audit risks: Many organizations struggle to secure disconnected apps in compliance with regulations. Ponemon found that 47% of organizations have failed to meet regulatory requirements due to the inability to secure these apps, which can lead to financial penalties and loss of business​. 

SOX and disconnected apps

For organizations subject to regulatory compliance like SOX (Sarbanes-Oxley Act), disconnected apps pose a serious compliance risk. SOX mandates strict internal controls and financial reporting, requiring clear audit trails and secure data management. When disconnected apps used by finance or other departments operate outside IT oversight, they can easily violate SOX requirements by creating data security and auditability gaps. For example, unmonitored financial apps could lead to unauthorized access or failure to log critical changes, putting the organization at risk of non-compliance and hefty fines. The lack of visibility and control over these apps means IT teams often cannot verify who accessed data, how it was processed, or whether it aligns with SOX compliance standards. This increases the likelihood of audit failure and exposes the company to regulatory noncompliance risks.

Zero trust: the key to securing disconnected apps

Disconnected apps highlight a core issue in modern security strategies: the traditional “trust but verify” model no longer applies. This is where zero trust architecture becomes critical. ZT is built on the principle of "never trust, always verify," meaning that no app, device, or user is trusted by default, even inside the corporate network.

ZT assumes visibility and control, but disconnected apps operate outside your identity perimeter, creating blind spots in your security strategy.

To secure these apps, you need a way to bring them into your identity perimeter. This is where solutions like Cerby come into play. Connecting disconnected apps to your identity management platforms gives you the visibility and control needed to enforce zero trust frameworks consistently across all apps.

In the next blog, we’ll explore how to integrate disconnected apps into your zero trust architecture and share best practices for protecting them within your broader security framework. Stay tuned!