
stitchflow

Blind Spots in Identity Management: Why Your 'Automated' IAM Is Leaving the Back Door Open

Identity management blind spots leave 40% of apps unprotected. Discover hidden risks in disconnected apps and manual provisioning processes.

Published on Aug 12, 2025 | 14 minutes

Your HR system talks to Okta. Okta uses the System for Cross-domain Identity Management (SCIM) specification to create and remove accounts. On paper, your identity and access management (IAM) is a well-oiled machine.

But here's the reality: 20-40% of your applications likely live outside this automated loop. They exist in spreadsheets, email chains, or worse—are completely untracked.

Many IT leaders believe that by deploying an identity provider (IdP), group-based provisioning, and single sign-on (SSO)/SCIM, they have solved access management. The dashboards are green, the audit logs are populated, and everything appears securely locked down. The cracks, however, show in subtle ways:

  • A former contractor is found to still have active access to Slack and GitHub during a quarterly review—access that your IdP can't see
  • A license renewal uncovers a dozen orphaned accounts across non-SCIM tools
  • An auditor asks about a tool the business adopted without IT's knowledge

This is the "mirage of automation."

You see the controlled, visible part of your landscape and assume it's the whole picture. Meanwhile, a significant portion of your apps and identities, especially contractors, non-SCIM applications, and newly adopted AI tools, are managed manually, inconsistently, or not at all.

These disconnected apps aren't just an inconvenience. With 53% of breaches involving orphaned accounts that should have been deprovisioned, they are a critical security risk.

Assuming your organization is 100% automated isn't cautious—it's a liability. True security begins with acknowledging the disconnected app gap.
 

Key takeaway

An organization is only as secure as its least-visible application. Provisioning blindness is a pervasive challenge, but with a modern approach that prioritizes visibility, you can effectively manage risk across your entire access landscape.

Understanding provisioning blindness

Provisioning blindness isn't just a technical gap; it's a flawed perspective. It's the assumption that your IdP's dashboard represents the complete truth of access in your organization. But an IdP can only manage what it's connected to.

What about everything else?

Disconnected apps

Think of your IdP as a security guard at the front door. Disconnected apps are the side entrances, loading docks, and unlocked windows that the guard can't see. These might be legacy platforms that predate your SSO implementation, niche SaaS tools adopted by individual departments, or systems inherited through acquisitions. Many lack SCIM support entirely, or your team chose lower-tier plans to avoid the "SSO tax," leaving them completely outside your automated workflows.

User access for these apps is often managed "off the books" in spreadsheets, email chains, or Slack DMs, creating an unreliable and fragmented record of who has access to what.

Unmanaged identities

This problem is compounded by identities that never enter your central directory. Contractors, vendors, consultants, and employees from newly acquired companies often hold credentials to critical systems without being tied to a primary HR record. These "digital ghosts" multiply rapidly, especially in contractor-heavy companies, and are rarely included in access reviews. When someone leaves, their accounts are frequently overlooked during offboarding.

Provisioning blindness is the gap between the world your automation sees and the reality of your entire access landscape. The risk isn't in what's on your dashboard; it's in what's missing.

Root causes: why apps remain disconnected

To solve provisioning blindness, you have to understand why it persists, even in mature organizations with sophisticated identity infrastructure.

Legacy system limitations

Many applications were built before modern identity standards like SSO or SCIM existed. They may have proprietary authentication methods or lack APIs entirely, making integration technically infeasible or prohibitively expensive. Even when APIs exist, the effort required to build and maintain custom integrations often outweighs the perceived benefit—until a security incident forces the conversation.

Integration costs and vendor priorities

SaaS vendors often place SSO and SCIM integrations behind steep enterprise paywalls—a.k.a. the "SSO tax." A tool that costs $10 per user per month might jump to $25 per user per month for enterprise features like automated provisioning. This forces companies into a difficult trade-off: pay premium rates across dozens of apps, invest scarce engineering resources in custom development, or manage access manually.

The pace of SaaS and AI adoption

Business units adopt new tools, especially AI-driven SaaS tools, at lightning speed to stay competitive. A creative team can sign up for a new AI-powered design tool with a corporate credit card long before IT has a chance to vet its security posture or plan an integration. The explosion of generative AI tools has accelerated this adoption. Teams are experimenting with new apps much faster than IT departments can assess and integrate them.

Shadow IT and the need for agility

Departments need to be nimble. They spin up tools for short-term projects, pilot new solutions, or solve an immediate problem, often bypassing official procurement channels. This "shadow IT" creates a sprawling, invisible backlog of unmanaged applications that IT departments discover only during renewals or security audits.

M&A and organizational complexity

Mergers and acquisitions don't just combine companies; they collide identity systems. Each deal introduces new email domains, disparate directories, and a fleet of disconnected apps. What was once a manageable identity landscape now becomes a complex web of systems that resist quick integration, creating new blind spots overnight.

The challenge of achieving full visibility

Even when IT leaders acknowledge that blind spots exist, illuminating them is a formidable task that goes beyond "trying harder."

Fragmented identity data creates the first hurdle. User information is scattered across HR systems, Active Directory, Google Workspace, other cloud platforms, and departmental spreadsheets. There's no single source of truth for who has access to what, making it challenging to build a complete picture of the access landscape.

Next, the sheer volume of shadow IT overwhelms traditional approaches to identity management. AI adoption is outpacing security governance by a 4:1 margin. What starts as a manageable list of a few disconnected apps becomes hundreds of tools across scores of departments, each with its own access patterns and business logic.

Technical barriers compound the problem. Building custom integrations for non-SCIM applications requires specialized skills and ongoing maintenance. Even companies with strong engineering teams are torn between building integrations for disconnected apps or focusing on core business initiatives. As a result, there's a growing backlog of unmanaged apps.

A lack of centralized governance allows the cycle to continue. Without clear, enforced policies for application procurement and onboarding, shadow IT thrives. By the time the IT department discovers the new app, it is likely to have several users and contain sensitive information, which makes either integration or removal politically challenging.

Finally, resource constraints force IT teams to constantly navigate trade-offs between security, productivity, and operational overhead. If they block new tools, they hurt business agility. If they attempt to manually manage app access, they consume valuable time that's better spent elsewhere. And if they accept the risks, they end up willingly compromising security. Since none of these options are scalable, the company is always behind the curve.

Early warning signs of provisioning blindness

Provisioning blindness doesn't announce itself with a blaring alarm. It whispers through operational pain points that many IT teams dismiss as normal inefficiencies.

⚠️ Watch for these warning signs:

  • An audit flags a user account that belonged to someone who left six months ago.
  • You're paying for 50 licenses of a SaaS tool, but only 30 employees are actually using it.
  • The IT helpdesk spends an inordinate amount of time manually adding and removing users from non-integrated apps.
  • The user list exported from your CRM doesn't match the active accounts in your marketing automation platform.
  • A merger exposes dozens of "unknown" applications that now need to be secured.

If these sound familiar, you're likely dealing with a larger, hidden problem.

The persistence and risk of manual workflows

Despite ambitious goals for automation, manual processes for disconnected apps aren't disappearing. They persist due to legacy systems that can't be automated, the business need for agility, and simple cost constraints.

The danger is that manual processes are inherently fragile. A missed offboarding email means a former contractor retains access to sensitive repositories. A typo in a spreadsheet may grant the wrong person admin privileges. Even an overlooked access request during a busy week can lock an employee out of a critical tool, hampering productivity.

Each manual touchpoint introduces human error into security-critical workflows.

Rather than fighting this reality, companies acknowledge the problem and take steps to reduce the associated risks.

  • They standardize and document manual workflows to make them repeatable and auditable.
  • They also prioritize automation efforts on the most critical or high-risk applications.
  • Most importantly, they implement regular, mandatory reviews of all manually-managed accounts to make sure that nothing falls through the cracks because of the assumption that someone else will handle it.

How organizations of different sizes are affected

While provisioning blindness is universal, its shape changes with organizational scale and maturity.

Small and mid-sized organizations often lack dedicated identity management staff and the budget for enterprise-grade solutions. They rely heavily on spreadsheets and email chains to track access, and business agility frequently overrides governance. Thus, shadow IT becomes the norm.

Such organizations face a cruel irony: they need automation the most, but cannot afford the enterprise plans that enable it. The SSO tax hits hardest when they're forced to choose between automated provisioning for one critical application and manual identity management across several important ones.

On the other hand, large enterprises face staggering complexity that money alone can't solve. Multiple business units operate like independent companies, each with their own preferred vendors and tools. Acquisitions introduce completely new technology stacks overnight, and legacy technology built over decades resists integration efforts.

While large enterprises may have more resources, they also have a larger attack surface to protect. Thus, they still struggle with identity sprawl and fragmented governance across a vast and complicated environment.

No organization is immune. The only difference is the scale of the blind spots.

The impact of identity sprawl

The result of disconnected apps and unmanaged processes is identity sprawl: the uncontrolled proliferation of user accounts across your entire digital ecosystem. It's the digital equivalent of a city with no zoning laws or central registry of residents.

The consequences are severe. The attack surface expands exponentially. Every orphaned account becomes a potential entry point for attackers. Each of these accounts represents a credential that can be compromised, sold on the dark web, or exploited by insider threats.

Offboarding becomes a security nightmare. During workforce reductions or when high-impact contractors leave, IT teams struggle to identify every system they have accessed. The process devolves into frantic messages to department heads asking them to "check if the contractor still has access to that CRM" while fervently hoping that nothing gets missed.

Compliance audits expose the gaps. When auditors ask for a complete list of who has access to which apps, the response becomes a patchwork of reports from different tools and manual spreadsheets. You can't demonstrate compliance with access controls if you don't have a full picture of all the accounts in the first place.

The operational burden compounds over time. What starts as managing access for a few disconnected tools grows into hours of weekly manual work. IT teams are constantly playing catch-up and discovering new applications during renewal cycles.

Thus, identity sprawl is a systematic vulnerability that grows more problematic as the organization grows.

The ROI of solving provisioning blindness

Addressing provisioning blindness delivers clear, immediate returns that justify the investment from the beginning.

Hard cost savings appear quickly. You can typically reclaim 15-25% of your SaaS spend by eliminating unused licenses and orphan accounts. These savings show up directly in the next renewal invoices.

Audit preparations shrink from months to weeks. Previously, SOC2 audits consumed entire quarters of preparation time; now they need minimal IT involvement. Compliance teams can demonstrate complete access visibility without chasing down account information across departments.

Breach risk drops significantly. Orphaned accounts from former employees represent one of the most common and preventable attack vectors. The global average cost of a data breach is $4.4 million, so preventing even one security incident pays for identity management solutions many times over.

IT productivity multiplies. Teams that previously spent 10-15 hours per week on manual deprovisioning and access reviews can redirect that time to strategic initiatives. The IT department can enable business growth and innovation instead of chasing down orphaned accounts.

So, the question isn't whether you can afford to solve provisioning blindness; it's whether you can afford not to do so.

Overcoming the barriers to comprehensive provisioning

Moving past provisioning blindness requires tackling both technical and organizational hurdles. Start with what's achievable instead of aiming for perfection.

  • For legacy systems: Use middleware, robotic process automation (RPA), or at a minimum, automated user list exports for regular review. The goal is to gain visibility into these systems, even if full automation isn't immediately feasible.
  • For companies with budget constraints: Start with high-impact integrations on your most critical or high-risk applications, and use the resulting security and efficiency gains to build the business case for further investment.
  • For organizational resistance: Secure executive sponsorship by framing the problem in terms of business risk and compliance exposure, not just IT inconvenience. When leadership understands that provisioning blindness causes audit failures and security vulnerabilities, support follows.

Governance as a continuous cycle

Solving provisioning blindness requires establishing a continuous process that evolves with your organization, not a one-time project.

Its key elements are:

  1. Define clear ownership for app onboarding, access reviews, and offboarding for all applications, especially disconnected ones. Without designated accountability, gaps inevitably emerge during transitions and organizational changes.
  2. Implement automated discovery tools to continuously scan for new shadow IT.
  3. Foster a culture of shared responsibility where security is everyone's job, not just IT's burden. When business units understand their role in identity governance, they become partners in maintaining visibility rather than sources of new blind spots.

Best practices for remediation

Effective organizations combine process and technology to close the visibility gap.

Unify access data

Use a central platform to aggregate user and app data from your IdP, HR system, financial platforms, and even CSV exports from disconnected apps. This creates a single source of truth that spans both connected and disconnected environments.
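The "automated user list exports for regular review" recommended for legacy systems above and the aggregation of CSV exports into a single source of truth described here both come down to the same check: reconcile what a disconnected app says about its users against what HR says about your people. The script below is an added illustration, not Stitchflow's or any vendor's code; the HR roster, the app export, the 90-day inactivity threshold and the report date are all constructed assumptions.

```python
"""Reconcile a disconnected app's user export against the HR roster.

Hypothetical helper (not Stitchflow code): the HR roster is the source of
truth; any app account it cannot vouch for is a finding to review.
"""
import csv
import io
from datetime import date

# Constructed sample HR roster (source of truth for who should have access).
HR_ROSTER_CSV = """email,status,worker_type
alice@example.com,active,employee
bob@example.com,terminated,contractor
carol@example.com,active,employee
"""

# Constructed export from a non-SCIM app on a plan without SSO/SCIM.
# A blank last_login means the account has never signed in.
APP_EXPORT_CSV = """email,role,last_login
Alice@Example.com ,member,2025-08-01
bob@example.com,admin,2025-01-20
dave@example.com,member,2025-03-15
carol@example.com,member,
"""

REPORT_DATE = date(2025, 8, 12)   # assumed date the review is run
INACTIVE_DAYS = 90                # assumed threshold for "paid for but unused"
SEVERITY = {"orphaned": 0, "unknown": 1, "inactive": 2}  # review order


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def normalize(email):
    # Exports disagree on case and stray whitespace; compare a canonical form.
    return email.strip().lower()


def reconcile(hr_csv, app_csv, today, inactive_days=INACTIVE_DAYS):
    """Return findings as (category, email, role) tuples, riskiest first."""
    roster = {normalize(r["email"]): r for r in load_csv(hr_csv)}
    findings = []
    for row in load_csv(app_csv):
        email, role = normalize(row["email"]), row["role"]
        person = roster.get(email)
        if person is None:
            # No HR record at all: a contractor/vendor "digital ghost".
            findings.append(("unknown", email, role))
        elif person["status"] != "active":
            # Left the company, but the account was never deprovisioned.
            findings.append(("orphaned", email, role))
        else:
            last = row["last_login"].strip()
            idle = (today - date.fromisoformat(last)).days if last else None
            if idle is None or idle > inactive_days:
                # Legitimate user, but the seat is not being used.
                findings.append(("inactive", email, role))
    # Within each category, admin accounts go to the top of the review list.
    findings.sort(key=lambda f: (SEVERITY[f[0]], f[2] != "admin", f[1]))
    return findings


def reclaimable_licenses(findings):
    """Seats that can be removed or reclaimed at the next renewal."""
    return len(findings)


if __name__ == "__main__":
    for category, email, role in reconcile(HR_ROSTER_CSV, APP_EXPORT_CSV, REPORT_DATE):
        print(f"{category:9} {email:22} ({role})")
```

Run the same reconcile over each app's export on a schedule and the output becomes the standing review list for accounts the IdP cannot see.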

Leverage SaaS management platforms (SMPs)

SaaS management software is designed to complement your IdP. These tools focus specifically on discovering disconnected apps and automating the cleanup of orphaned accounts and unused licenses that traditional identity systems can't reach.

Automate remediation

Even simple one-click workflows to deprovision users from disconnected apps can save hundreds of hours and eliminate significant risk. The goal is to reduce manual touchpoints that introduce human error.

Maintain continuous audit readiness

Aim for a state where you can generate comprehensive reports on user access across your entire application portfolio at a moment's notice, not just the systems your IdP manages.

While the recent explosion of AI tools highlights the problem, several other trends are amplifying the urgency to address it.

Distributed workforces have fundamentally changed how organizations operate. Remote and hybrid models mean more contractors, more endpoints, and more applications adopted outside central IT oversight. When teams work across different time zones and locations, the informal coordination that once helped track access breaks down entirely.

Mergers and acquisitions create constant identity chaos as organizations absorb new systems, users, and applications overnight. Each deal introduces disparate technology stacks that resist quick integration, causing blind spots to proliferate across the combined entity.

Stricter regulatory frameworks demand increasingly rigorous proof of access control. The Sarbanes-Oxley Act (SOX), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA) require organizations to demonstrate comprehensive visibility into access controls. Compliance auditors are no longer satisfied with reports from your IdP alone—they expect complete coverage.

Zero Trust architecture adoption makes provisioning blindness a fundamental obstacle. The core principle of "never trust, always verify" is impossible to achieve if you don't know what you need to verify.

These trends aren't slowing down, so organizations that don't address the problem will find themselves unable to meet the operational, security, and compliance demands of the modern business environment.

The path forward: from blindness to clarity

Perfect automation across every single application is a myth. But 100% visibility is achievable.

The path forward is clear:

  1. Start by inventorying all your applications and identities, not just the ones connected to your IdP. This means discovering shadow IT, cataloging legacy systems, and mapping contractor access patterns that exist outside your central directory.
  2. Prioritize remediating the riskiest gaps first, like orphaned accounts and unmanaged contractor access to critical systems. Focus on high-impact wins that demonstrate immediate security and operational value.
  3. Use the data on cost savings and risk reduction to build a compelling case for expanded investment. Hard numbers from license reclamation and time savings create momentum for addressing the broader provisioning blindness challenge.

Remember, the goal is systemic visibility and control that scales with your organization's growth and complexity.

Frequently asked questions

Several warning signs indicate identity management blind spots: discovering user accounts belonging to people who left months ago during audits, paying for unused SaaS licenses, spending excessive time manually managing non-integrated apps, finding mismatched user lists between connected systems, or uncovering "unknown" applications during mergers. If your IT team regularly handles manual provisioning requests or discovers apps during license renewals rather than through systematic discovery, you likely have significant blind spots affecting 20-40% of your applications.

Disconnected apps persist due to several factors: legacy systems built before modern identity standards like SCIM existed, vendor "SSO tax" that makes enterprise integration expensive (often jumping from $10 to $25+ per user monthly), rapid adoption of AI and SaaS tools that outpaces IT integration by 4:1, shadow IT where departments adopt tools independently, and M&A activity that introduces new technology stacks overnight. Even mature organizations with sophisticated IdPs face these challenges because automation can only manage what it's connected to.

Identity management blind spots create substantial costs: organizations typically reclaim 15-25% of SaaS spending by eliminating orphaned accounts and unused licenses, with the global average data breach cost at $4.4 million—making prevention of even one incident highly valuable. Manual provisioning processes consume 10-15 hours weekly for IT teams, SOC2 audit preparations extend from weeks to months, and 53% of breaches involve orphaned accounts that should have been deprovisioned. The question isn't whether you can afford to solve these blind spots, but whether you can afford not to.

Start with comprehensive discovery to inventory all applications and identities, not just those connected to your IdP. Prioritize high-risk gaps like orphaned contractor accounts and critical legacy systems first. Use SaaS management platforms to complement your existing IdP by discovering disconnected apps and automating cleanup of accounts your traditional identity systems can't reach. For legacy systems, implement middleware, RPA, or automated user list exports for regular review. Focus on achieving 100% visibility rather than 100% automation—perfect automation across every application is unrealistic, but complete visibility is achievable.

Legacy systems require a pragmatic approach focused on visibility and risk reduction rather than full automation. Implement automated user list exports for regular review, use middleware or robotic process automation (RPA) where possible, and establish documented manual workflows that are repeatable and auditable. Prioritize these systems based on risk level and criticality to business operations. The goal is gaining visibility into who has access, even if full automated provisioning isn't technically feasible. Regular mandatory access reviews become critical for these manually-managed systems to ensure nothing falls through the cracks.

Sanjeev NC started his career in IT service desk and moved to ITSM process consulting, where he has led award-winning ITSM tool implementations. Sanjeev was also a highly commended finalist for Young ITSM Professional of the Year in itSMF UK’s annual awards.