Disconnected Apps: The Silent Threat Behind 77% of Enterprise Breaches

ALAMEDA, Calif. – April 08, 2026 – A staggering 77% of enterprises have suffered at least one cybersecurity incident directly linked to a burgeoning and often-ignored class of software: disconnected applications. A new report from identity security firm Cerby and the independent Ponemon Institute reveals a critical vulnerability in corporate defenses, where applications operating outside of centralized security controls are creating a massive and actively exploited attack surface.

The study, titled “The Hidden Cybersecurity Threat: Disconnected Apps,” surveyed 614 IT and security leaders and paints a grim picture of the consequences. For the organizations breached, nearly half (44%) suffered direct financial loss, 31% faced regulatory scrutiny, and almost 50% experienced the exposure of sensitive or confidential data. These are not minor security oversights; they are systemic failures with devastating business impact, stemming from a problem that is both widespread and growing.

The Expanding Shadow Risk

Disconnected applications are business tools that are not, or cannot be, integrated with a company's central identity systems, such as Single Sign-On (SSO). While security teams have historically treated these apps as low-priority edge cases, the research shows they are now a core part of the enterprise ecosystem. On average, 30% of a company's applications fall into this category. In a typical environment of 284 applications, this equates to over 80 tools operating in the shadows.

Alarmingly, 40% of these disconnected apps are considered business-critical, housing sensitive data, supporting essential workflows, and granting privileged access. This shadow inventory includes everything from social media platforms like X, Meta, and LinkedIn—implicated in 34% of reported incidents—to specialized financial software and legacy systems vital for daily operations.

"This is quickly becoming a compounding problem for security teams,” said Matt Chiodi, chief strategy officer at Cerby, in the report's announcement. “Disconnected applications are increasing in number and importance, but they remain outside the reach of core identity controls. This growth without governance is driving real-world incidents, audit failures and a widening gap between perceived and actual security.”

The financial fallout extends beyond the immediate breach. The average cost of a data breach has soared to $4.45 million, according to industry-wide studies, with incidents involving compromised credentials being among the most expensive. When a third of an organization's applications lack centralized password policies, multi-factor authentication (MFA), and automated de-provisioning, the risk of such a breach escalates dramatically.

AI Adoption Fuels the Fire

The report identifies a powerful new accelerant for this problem: the explosive adoption of Artificial Intelligence. A remarkable 87% of organizations report using AI or Generative AI tools, but more than half of this adoption is happening without any oversight from IT or security teams. This trend, dubbed “Shadow AI,” represents the next evolution of shadow IT, where employees, eager for productivity gains, independently adopt tools like ChatGPT, Gemini, and others.

This unmanaged adoption introduces a flood of new, disconnected applications into the enterprise environment. Employees may inadvertently feed sensitive corporate data—intellectual property, customer lists, financial projections—into public AI models, creating a severe risk of data leakage. Research from outside the Cerby report confirms this trend, with some studies showing nearly 90% of enterprise GenAI usage is invisible to the organization and that a majority of employees will bypass security controls to use their preferred AI tools.

The challenge for security leaders is that outright bans are proving ineffective. Instead, the proliferation of Shadow AI underscores the urgent need for security frameworks that can discover, manage, and secure applications regardless of how they are adopted or whether they support traditional security standards.

A Failing Security Paradigm and the Audit Wake-Up Call

The rise of disconnected apps exposes a fundamental flaw in the current identity and access management (IAM) playbook. Traditional IAM, Identity Governance (IGA), and Privileged Access Management (PAM) solutions are built for a world of well-behaved applications that support standards like SAML, OIDC, and SCIM. They are not equipped to manage the 30% of applications that don't, leaving a significant gap that 63% of identity leaders now agree is one of the largest remaining in their security programs.

This gap creates immense operational friction. The Ponemon report found that IT and security teams spend an average of 31.2 hours per week—nearly a full-time employee's workload—on manual workarounds for these applications. This includes manually provisioning and de-provisioning users, resetting passwords, and painstakingly gathering data for audits.

This manual effort is not only inefficient but also highly error-prone, a fact reflected in the report’s audit findings. A stunning 63% of organizations admitted to failing an internal or external audit at least once due to their inability to secure disconnected applications; of those, 36% failed multiple times. These failures occur because, without a centralized system, there is no consistent way to prove who has access to what, enforce least-privilege principles, or ensure that a former employee's access has been fully revoked across all platforms.

As application environments continue to expand, driven by departmental purchasing and AI experimentation, this identity gap is widening. The report concludes that organizations can no longer afford to treat these applications as exceptions. The path forward requires a paradigm shift: redefining the scope of identity security based on risk, not just on integration capability. This involves gaining full visibility into the entire application landscape and finding ways to extend core controls like credential management, MFA, and lifecycle automation to every tool, ensuring that access is consistently governed and continuously auditable across the entire digital ecosystem.