Identity Fragmentation: The Hidden Cost of Managing IAM Across Multiple Applications

Your organisation has forty-three applications. Each one manages its own users. Each one has its own provisioning process, its own access review cycle, its own offboarding checklist item, and its own audit log in its own format.

In normal operations, this is manageable. Imperfectly, slowly, with more manual effort than any IT team would choose, but manageable. The fragmentation becomes visible under two conditions: when something goes wrong and you need to understand what happened across multiple systems simultaneously, or when an auditor asks for a complete picture of who has access to what across the entire application estate.

Both conditions reveal the same structural gap. Identity fragmentation does not just create operational overhead. It creates security exposures, compliance evidence gaps, and incident response delays that are proportional to the number of applications operating as independent identity silos. Each additional application that manages identity separately adds another point at which an offboarding can be missed, an access review can be incomplete, an audit trail can end.

This blog covers what identity fragmentation looks like architecturally, the three categories of cost it creates, and what the evidence and security posture change when identity is consolidated on a unified platform rather than managed separately per application.

What Identity Fragmentation Looks Like Architecturally

An organisation with forty-three applications and no centralised IAM platform has forty-three separate identity stores. Each application maintains its own user database with usernames and passwords specific to that application. Provisioning a new employee means creating accounts in each of the forty-three applications they need access to. Deprovisioning a departing employee means removing accounts from each of the forty-three applications they had access to. Changing a user’s access as they move between roles means updating their entitlements in each application where the role change affects their permissions.

An organisation that has deployed a centralised IAM platform with SSO but has not connected all applications to it has a partial fragmentation problem. The applications in the SSO catalogue are governed centrally. The applications outside the catalogue are still operating as independent identity silos. The provisioning and deprovisioning processes for the SSO applications are automated. The processes for the out-of-catalogue applications are manual.

The fragmentation problem intensifies as the application estate grows. Each new application added to the estate either goes through the integration effort to join the centralised identity framework or defaults to operating as an independent silo. Under time pressure and competing priorities, the default is the silo. The estate grows, the number of silos grows, and the gap between the centralised identity picture and the actual access state widens.

The Three Hidden Costs of Identity Fragmentation

The Security Cost: Offboarding Gaps and Orphaned Accounts

When a user leaves the organisation, access revocation must occur across every application they had access to. In a centralised IAM architecture with SSO and automated deprovisioning, the offboarding event triggers a single workflow that removes access across all connected applications. In a fragmented architecture, offboarding is a checklist: someone must manually identify every application the departing user had access to, initiate the revocation in each one, and verify that each revocation completed.

Checklists miss items. The application the departing employee used only occasionally but still had active credentials for is the one that gets missed. The niche internal tool that was provisioned informally two years ago and never added to the offboarding process is the one that retains the active account. The former employee who no longer has corporate email or directory access but still has credentials to a customer portal or a financial reporting tool is the security exposure that the offboarding checklist did not close.

The orphaned accounts that accumulate from missed offboardings are not monitored. The former employee’s account generates no alerts when it sits dormant. If the credentials are compromised, the compromise produces activity in an account that IT operations is not watching because it does not appear in the active user inventory. The blast radius of a compromised orphaned account in a customer portal or a financial system is significant.

The Compliance Cost: Access Review Gaps and Incomplete Evidence

ISO 27001 A.8.4 requires periodic review of user access rights across all information systems. SOC 2 CC6.3 requires that access is authorised, modified, or removed based on roles. DPDPA requires that access to personal data is governed by need-to-know and reviewed periodically. All of these requirements apply to the full application estate, not to the subset of applications connected to the centralised IAM platform.

In a fragmented architecture, the access review that runs through the IAM platform covers the applications in the platform. The applications outside the platform are either excluded from the review scope, covered by a separate manual process, or reviewed by a different team on a different cadence. The audit evidence for the full application estate is assembled from multiple sources with different formats, different timestamps, and different levels of completeness.

When an auditor asks for the access review evidence covering all applications containing sensitive data, the compliance team assembles a package from the IAM platform’s access review reports, separate exports from each out-of-catalogue application, and manual confirmation from application owners for systems that do not produce structured access reports. The package is incomplete, inconsistent, and assembled reactively rather than maintained continuously. The compliance posture is not the one the package represents.

The Operational Cost: Integration Overhead and Incident Response Delays

Identity fragmentation creates operational overhead that is persistent rather than one-time. Every application that manages identity independently requires separate provisioning and deprovisioning processes, separate password reset support, separate access request workflows, and separate monitoring. The IT team’s time spent on identity administration scales with the number of silos rather than with the number of users.

The incident response cost is less visible but higher. When a security incident occurs that involves compromised credentials or unauthorised access, the investigation must reconstruct the access picture across every application that may have been affected. In a fragmented architecture, this means querying the authentication logs of each application separately, correlating events across systems with different log formats and different timestamp conventions, and identifying every application where the compromised identity had an active account.

The time between an incident being detected and the organisation having a complete picture of its scope is directly proportional to the degree of identity fragmentation. In a centralised architecture, the identity platform’s audit trail shows every authentication event across all connected applications from a single query. In a fragmented architecture, each application’s log must be reviewed separately. For a significant incident involving a compromised privileged account, the difference between a two-hour investigation and a two-day investigation may be the difference between containing the incident and losing control of it. 

What Consolidation on a Unified Platform Changes

Akku’s full-stack IAM platform consolidates identity management across Workforce IAM, IGA, PAM, CIAM, MDM, and GPO onto a single platform with a shared identity foundation and a centralised audit trail. The 500+ pre-built application connectors covering cloud SaaS, on-premise, legacy, and custom-built applications reduce the integration effort required to bring applications into the central governance framework. 

When identity is consolidated, offboarding becomes a single event rather than a checklist. The user lifecycle management engine triggers a deprovisioning workflow that propagates access revocation to every connected application simultaneously. The offboarding record captures the revocation timestamp for every application in a single audit trail entry. The compliance evidence for ISO 27001 A.8.2 is complete and accurate without manual assembly.

Access reviews cover the full connected application estate from a single interface. The IGA access review generates a recertification campaign that includes every application in the platform, presenting reviewers with a unified view of each user’s entitlements across all systems. The access review evidence is produced as a structured report from the platform rather than assembled from multiple sources. The completeness of the review is determined by the completeness of the application integration, creating a clear operational objective: bring every application into the platform.

Incident response benefits from the unified audit trail. A query for all authentication and access events involving a specific user identity returns results from every connected application in a single structured output. The investigation starts with a complete picture rather than building one from separate application logs. Command-level session recordings from PAM-proxied sessions answer questions about what happened inside privileged sessions, not just whether they occurred.

The Integration Approach

Bringing a fragmented application estate onto a unified IAM platform is a phased process. Akku’s 500+ pre-built connectors cover the most common SaaS applications with plug-and-play SSO integration. Legacy applications without modern protocol support are handled through credential replay SSO, which extends single sign-on to applications that cannot implement SAML or OIDC. Custom internal applications integrate through REST APIs and Akku’s SCIM provisioning interface.

Each application brought into the platform reduces the fragmentation surface by one silo. The offboarding checklist shrinks. The access review scope expands. The audit trail becomes more complete. The investment in each integration pays off in reduced manual process, improved compliance evidence quality, and faster incident response across the full lifetime of the application.

For financial services organisations where fragmented identity creates regulatory compliance gaps across RBI, SEBI, and DPDPA requirements, and for ITeS and BPO organisations where client data handling obligations require demonstrable access governance across all data-touching systems, the consolidation investment is not discretionary. It is the architectural prerequisite for the compliance posture the regulatory and contractual obligations require.

The Fragmentation Assessment

Count the applications in your environment that contain sensitive data, personal data, financial data, or privileged system access. Count how many of those are connected to your centralised IAM platform. The gap between the two numbers is the fragmentation surface. For each application in the gap, the offboarding process is manual, the access review is separate, and the audit trail ends at the perimeter of the application.

The question worth asking is not whether the fragmentation is manageable in normal operations. It is whether the fragmentation is acceptable at the moment of an incident, an audit, or a regulatory review. Those are the conditions under which the gaps become findings.

Explore Akku Workforce IAM  |  See Akku IGA Capabilities  |  Talk to the Akku Team

Questions IT and Architecture Teams Ask About IAM Consolidation

Q: How does Akku handle applications that do not support modern authentication protocols like SAML or OIDC?

A: Akku supports legacy applications without modern protocol support through credential replay SSO. Rather than federating identity using SAML or OIDC, the credential replay mechanism automates the submission of application-specific credentials on behalf of the authenticated user. The user authenticates to Akku with their corporate credentials and MFA, and Akku handles the legacy application’s login flow transparently. The user experiences single sign-on. The application receives its native credential. This extends SSO coverage to legacy applications that cannot be refactored to support modern federation protocols, allowing them to be included in the centralised identity framework without requiring application changes.

Q: What is the minimum viable integration scope for bringing an application into Akku’s centralised IAM framework?

A: The minimum viable integration is SSO connection, which brings the application’s authentication under the centralised identity layer. With SSO, every login to the application is authenticated through Akku, MFA is enforced, contextual access policies apply, and the authentication event is captured in the Akku audit trail. The provisioning integration, which automates account creation and removal through SCIM, is the next layer and covers the full lifecycle governance requirement. For applications where SSO is the only feasible integration, SSO alone closes the authentication visibility gap and enables the contextual access controls that the centralised platform provides.

Q: How does Akku’s unified audit trail differ from aggregating logs from individual applications into a SIEM?

A: Aggregating application logs into a SIEM produces a centralised log store, but the logs from each application retain their native format, field naming conventions, and event taxonomy. Correlating events across applications requires parsing each format separately and normalising fields before cross-application queries can run. Akku’s unified audit trail captures authentication and access events from all connected applications in a consistent, structured format at the identity platform layer, before the event reaches the application’s own logging infrastructure. The event schema is consistent across all connected applications: the same field names, the same event taxonomy, the same timestamp format. Cross-application queries run without normalisation because the data is already in a consistent format.

Q: How does IAM consolidation affect the time to provision a new joiner across a large application estate?

A: In a fragmented architecture, provisioning a new joiner across forty applications requires forty separate provisioning actions, either manual or through separate per-application automation. Total provisioning time scales with the number of applications and the speed of each individual process. In Akku’s consolidated architecture with SCIM-based provisioning, a single joiners event triggers simultaneous provisioning across all connected applications. The provisioning engine sends SCIM requests to each application’s endpoint in parallel. For an application estate of forty connected applications, the provisioning completes in the time required for the slowest application to respond to its SCIM request, typically seconds to minutes, rather than the cumulative time of sequential manual provisioning across all applications.

Q: What compliance frameworks most directly require identity consolidation?

A: No compliance framework explicitly requires a single IAM platform. However, multiple frameworks impose requirements that are structurally easier to satisfy with a consolidated platform than with a fragmented one. ISO 27001 A.8.2 requires access rights to be removed when employment terminates across all information systems: this requires a complete inventory of every application a user had access to, which is only reliable from a centralised platform. SOC 2 CC6.3 requires access to be modified based on role changes across all systems: manual processes across fragmented applications create the risk of missed updates. DPDPA requires that access to personal data is governed by need-to-know and reviewed periodically: a consolidated platform produces the access review evidence across all personal data systems from a single process. In each case, consolidation reduces the compliance risk by making the required control technically reliable rather than dependent on manual completeness.

Q: How does Akku’s platform consolidation approach handle custom-built internal applications?

A: Custom-built internal applications can be integrated into Akku’s centralised IAM framework through several mechanisms depending on the application’s architecture. Applications that can implement SAML 2.0 or OIDC for authentication can be federated directly. Applications that expose a user management API can be connected through Akku’s SCIM provisioning interface for automated provisioning and deprovisioning. Applications without API access can be included through credential replay SSO for authentication governance. The choice of integration mechanism is determined by the application’s technical capabilities rather than by Akku’s platform limitations. For custom applications, Akku’s REST API provides programmatic access to identity, authentication, and access management functions that can be embedded into the application’s own access management logic.

PAM Coverage Gaps on Linux: Why SSH Sessions Are Your Highest-Risk Ungoverned Access

Your PAM platform covers privileged access. Ask your infrastructure team how much of it, and the answer will involve a percentage. Ask which systems are excluded, and the answer will almost certainly include Linux servers accessed directly over SSH.

PAM coverage metrics count the accounts that are under management on the PAM platform. A Windows server with RDP access through the PAM session proxy is counted. A Linux server that engineers connect to directly via SSH, bypassing the PAM platform entirely because the integration was deferred or never built, is not counted. The metric looks acceptable. The exposure is real.

The sessions that fall outside PAM coverage on Linux are not low-risk exceptions. SSH access to Linux servers is where root operations happen, where service account credentials are used, where configuration changes are made, where database queries run as administrative users. These are the highest-privilege sessions in most infrastructure environments. They are also the sessions most likely to be conducted outside the PAM governance layer, with no session recording, no keystroke logging, no approval workflow, and no credential management.

This blog covers why Linux SSH access ends up outside PAM coverage in most deployments, what that gap looks like in terms of audit evidence and security posture, and how Akku PAM’s SSH session proxy closes the coverage gap without requiring agents on target systems.

What PAM Coverage Metrics Actually Measure

PAM platforms measure coverage in terms of accounts under management: privileged accounts whose credentials are stored in the vault, whose sessions flow through the session proxy, and whose access is governed by the platform’s approval and policy workflows. A target system is considered covered when the PAM platform is positioned between the user and the system for every privileged session.

Coverage gaps occur when target systems exist in the environment that are not connected to the PAM session proxy. Users access those systems directly, using credentials they hold independently of the vault. The sessions are not recorded. The commands are not logged. The credentials are not managed. The access governance framework that applies to covered systems does not apply.

The gap is often not visible in the PAM dashboard because the dashboard shows the systems that are under management. Systems that were never connected to the PAM platform do not appear as gaps. They simply do not appear. An accurate coverage assessment requires comparing the PAM platform’s target system inventory against the full infrastructure estate and identifying the systems that are present in one but not the other. For most organisations that have not conducted this comparison explicitly, the gap is larger than expected.

Why Linux SSH Stays Outside PAM Coverage

Linux servers are frequently the last category of infrastructure to be brought under PAM management for several reasons that are individually defensible but collectively produce a significant governance gap.

First, the integration complexity argument. Windows RDP sessions can be proxied through most PAM platforms with minimal configuration because RDP is a well-standardised protocol with broad support in PAM tooling. SSH integration requires configuring the SSH session proxy to intercept connections, managing SSH key rotation alongside password credentials, and handling the variety of SSH-based access patterns in a Linux environment: interactive shells, SFTP file transfers, SCP copies, port forwarding, and multiplexed sessions. This is manageable but requires more integration effort than RDP, and the effort is deferred when PAM deployment is phased.

Second, the operations team resistance argument. Infrastructure engineers who use SSH daily for server management, deployment operations, and troubleshooting have workflows built around direct SSH access. Introducing a session proxy layer changes the connection workflow. Engineers who connect through a PAM portal instead of directly via their SSH client experience friction in their normal operations. This resistance is manageable with a well-designed onboarding process, but it is a real factor in why Linux SSH integration is deferred in PAM deployments that prioritise quick wins.

Third, the legacy argument. Many Linux servers in production environments have been accessible via SSH for years, with access managed through local user accounts, SSH key pairs distributed informally, and sudo configurations that are maintained operationally rather than governed centrally. Bringing these systems under PAM management requires cleaning up the existing access model, which is a project in itself. The cleanup is deferred until the integration work is scheduled, and both items stay on the backlog.

The result is a PAM deployment that covers a high percentage of Windows infrastructure while leaving Linux SSH access outside the governance framework. The coverage metric reflects the Windows coverage. The Linux gap is not measured.

What Ungoverned SSH Sessions Look Like Versus PAM-Proxied Sessions

A privileged SSH session on a Linux server that is not under PAM management produces the following evidence trail: an authentication event in the system’s auth.log showing the user connected, and a session duration. What it does not produce is any record of what the user did inside the session.

The commands executed, the files accessed, the configurations changed, the processes started or stopped, the queries run against databases: none of this is captured in the server’s standard authentication log. The server’s shell history file captures some commands, but shell history is stored locally on the server, is not tamper-evident, can be cleared by the user, and requires individual server access to retrieve. It is not an audit-grade evidence source.

A PAM-proxied SSH session through AkkuReka produces a fundamentally different evidence set. Every keystroke is captured in a structured log with millisecond-precision timestamps. The full session is recorded as a searchable SMART Audit Trail that can be replayed in the Akku admin console. Commands that match blocked patterns, attempts to escalate privileges, file operations on sensitive paths: all are captured and flagged in real time. The session recording is sealed on session close, stored with AES-256 encryption, and cannot be modified or deleted by the session user.

The difference in evidence quality is the difference between knowing that a privileged user connected to a server and knowing exactly what they did while they were there. For a post-incident investigation, the PAM-proxied session record is the one that answers the investigation’s questions. The ungoverned session record answers only the first question, who connected, and leaves everything else to manual reconstruction.

Why SSH Is Your Highest-Risk Ungoverned Access

Root Access

Linux server administration frequently involves root access, either through direct root login or through sudo elevation. Root access on a Linux server is effectively unrestricted: a root session can read any file, modify any configuration, delete any data, and create or remove any user account on the system. Root sessions that occur outside the PAM governance framework leave no command-level audit trail. The organisation cannot determine what a root session did without reviewing shell history on the server itself, assuming the history was not cleared and the server is still accessible.

Service Account Operations

Linux infrastructure frequently uses service accounts for scheduled processes, deployment pipelines, and application-to-infrastructure connections. Service accounts often hold elevated privileges because the processes they run require privileged operations. Service account credentials in many environments are static, shared across multiple users or systems, and never rotated because rotation requires updating every process that uses the credential. A service account credential that is used for direct SSH access to a production server, outside the PAM governance framework, is a privileged access pathway with no individual attribution, no session recording, and credentials that are widely known and rarely changed.

Blast Radius

Linux servers in most infrastructure environments are not isolated. They are networked systems with connections to databases, internal services, shared file systems, and other servers. A privileged SSH session on a Linux server can be used as a lateral movement pivot: once inside, the user can initiate connections to other systems on the internal network, use credentials stored on the server to authenticate to downstream systems, and access data that the server processes or stores. The blast radius of a compromised or misused privileged SSH session extends well beyond the initial target system.

How Akku PAM Closes the Linux SSH Coverage Gap

Akku PAM’s AkkuReka session proxy supports SSH proxying for Linux and Unix servers using an outbound worker model. The AkkuReka worker is deployed in the same network segment as the target Linux infrastructure. It initiates an outbound TLS 1.3 connection to the Akku cloud: no inbound firewall ports are required on the target network or target systems. No agent is installed on the Linux server. The worker handles all SSH session routing between the Akku cloud and the target.

When a user requests SSH access to a Linux server through Akku PAM, the session flows through AkkuReka. AkkuArka generates a unique ephemeral SSH credential for the session, injects it at the protocol layer, and revokes it permanently on session close. The user never sees the credential. The Linux server’s sshd receives a connection authenticated with a session-scoped credential that does not exist before the session opens and cannot be reused after it closes.

Every keystroke in the SSH session is captured in a structured log. The full session is recorded as a searchable SMART Audit Trail. Command blocking is configurable at the session role level: specific commands, patterns, or privilege escalation attempts can be blocked at the session proxy layer before they execute on the target system. A blocked command is logged with the actor identity, timestamp, and the blocked command string.

Bringing Linux SSH under PAM coverage does not require retiring existing SSH access workflows. The AkkuReka deployment runs alongside existing infrastructure. Access is redirected through the session proxy by updating the target entry in the PAM platform’s target system configuration. Engineers continue to use their existing SSH clients; the connection is proxied transparently. The session recording and command logging operate at the proxy layer without changes to the Linux server’s sshd configuration.

The Coverage Assessment

Pull the list of Linux servers in your infrastructure estate. Cross-reference it against the target system list in your PAM platform. The systems present in the infrastructure estate but absent from the PAM target list are your ungoverned privileged access surface. For each one, assess whether it is accessible via SSH by engineers with root or elevated privileges. If it is, and it is not under PAM coverage, every privileged SSH session on that server since the last time you checked is without a command-level audit trail.

For organisations under ISO 27001 A.8.15, which requires that user activity logs cover privileged access, or under PCI-DSS Requirement 10, which requires logging and monitoring of all access to system components in the cardholder data environment, an ungoverned Linux SSH pathway is a compliance gap regardless of what percentage of the rest of the infrastructure is covered.

Explore Akku PAM and AkkuReka |  Talk to the Akku Team

Questions Security and Infrastructure Teams Ask About Linux PAM Coverage

Q: Does extending PAM coverage to Linux SSH require installing an agent on each Linux server?

A: No. Akku PAM uses an outbound worker model. The AkkuReka worker is deployed in the same network segment as the target Linux infrastructure on any Linux host, container, or VM. It initiates an outbound TLS 1.3 connection to the Akku cloud and handles all session proxying between the cloud and the target systems. No agent is installed on the target Linux servers. The server’s sshd configuration does not need to be changed. The worker has network-level access to the target servers on SSH port 22 and handles the proxied connection.

Q: How does AkkuArka manage SSH key credentials versus password credentials for Linux server access?

A: AkkuArka supports both SSH private key credentials and password credentials for Linux server access. For servers configured for key-based authentication, AkkuArka generates a per-session SSH key pair, registers the public key with the target server’s authorised_keys file at session open, and removes it at session close. The private key never leaves the Akku platform and is never visible to the user. For servers configured for password authentication, AkkuArka generates a unique session-scoped password, injects it at the protocol layer, and changes or removes it at session close. Both credential types are managed through AkkuVault with AES-256-GCM encryption.

Q: How does command blocking work at the SSH session proxy layer?

A: Command blocking in Akku PAM is configured at the session role level. Administrators define a command policy for each role that specifies blocked command patterns: specific commands, regular expression patterns, or privilege escalation indicators such as sudo su, su root, or chmod 777. When AkkuReka intercepts a keystroke sequence in an SSH session that matches a blocked pattern, it prevents the command from being transmitted to the target system, returns an appropriate response to the client indicating the command was blocked, and logs the blocked attempt with the actor identity, timestamp, and the blocked command string. The target server never receives the blocked command.

Q: What does the SMART Audit Trail for an SSH session contain?

A: The SMART Audit Trail for an SSH session captured through AkkuReka contains the full session recording with every keystroke logged at millisecond-precision timestamps, the complete command history in structured format indexed for search, the session metadata including actor identity, target system, session start and end timestamps, session duration, and termination reason. The recording is stored with AES-256 encryption in Akku’s audit storage and is accessible through the admin console for in-browser playback without requiring download. Forensic search within the recording is available by timestamp range, command string, or keyword. The audit trail record is append-only and tamper-evident.

Q: How does Akku PAM handle SSH access in air-gapped or isolated network environments?

A: Akku PAM’s outbound worker model is specifically designed for environments where inbound connections from external systems are not permitted. The AkkuReka worker is deployed inside the isolated network segment and initiates all connections outbound to the Akku cloud over TLS 1.3 on port 443. The isolated network’s firewall only needs to permit outbound HTTPS traffic from the worker host to the Akku cloud endpoints. No inbound ports are opened, and the target systems remain inaccessible from the internet. This model works equally well for air-gapped environments with restricted egress using proxy configurations, and for environments with private VPCs where the worker is deployed within the VPC.

Q: How does Akku PAM’s Linux SSH coverage integrate with the broader zero-trust access model?

A: Every SSH session request through Akku PAM is evaluated against the full zero-trust policy set before the session is opened: device posture from Akku MDM, geo-location, IP reputation, time-of-day, RBAC role, and JIT window if configured. A user whose device is not compliant with MDM policy, whose source IP is in a blocked range, or who is connecting outside their permitted access hours will not be granted a session regardless of whether they hold the correct SSH credentials. This extends the zero-trust access model to Linux SSH infrastructure, applying the same contextual access evaluation that governs application access to privileged infrastructure sessions.

SCIM Connector Failures Are Silent. The Access Gaps They Leave Are Not.

Your SCIM provisioning connector ran its last sync six hours ago. It failed. Nobody received an alert. Nobody knows.

The employee who left the organisation this morning still has active entitlements in the three applications connected through that SCIM integration. The access revocation that should have happened at offboarding ran, the IGA platform recorded the deprovisioning event, but the sync that would have propagated that revocation to the downstream applications failed silently. The IGA record shows the account as deprovisioned. The application still has an active user. 

The new joiner who started today does not have access to the applications they need for their role. The provisioning sync that should have created their entitlements failed for the same reason. Their manager has raised a ticket. IT is investigating. Day one is half over.

Both scenarios have the same root cause: SCIM connectors fail without generating user-facing alerts, and most IAM platforms have no health monitoring layer that detects the failure state and surfaces it to the administrator before it produces a downstream consequence.

This blog covers how SCIM provisioning works at the protocol level, why failures are architecturally silent, what the two categories of silent failure produce as access gaps, and how Akku’s Provisioning Connector Health Monitoring detects and surfaces connector failures before they become security exposures or operational incidents.

How SCIM Provisioning Works and Why Failures Are Silent

SCIM 2.0 is a REST-based protocol for automating user provisioning between an identity platform acting as the identity provider and downstream applications acting as service providers. The identity provider sends HTTP requests to the service provider’s SCIM endpoint: POST to create a user, PUT or PATCH to modify attributes, and DELETE to remove a user. The service provider processes the request and returns a status code indicating success or failure. 

In a working integration, when the IGA platform triggers a deprovisioning event for a departing employee, the provisioning engine generates a SCIM DELETE request to each connected application’s SCIM endpoint. If all endpoints return 200 or 204 status codes, the deprovisioning is confirmed complete. The user’s access is revoked in all connected applications simultaneously.

Failure modes occur at several points in this chain. The SCIM endpoint may be temporarily unavailable due to the application’s own maintenance window or a network issue. The endpoint may return an error response: 429 rate limiting, 503 service unavailable, 401 authentication failure from an expired API token, or 400 bad request from a schema mismatch after an application update. The identity provider’s outbound connection may be blocked by a firewall rule change. Any of these produces a failed sync.

The critical architectural point is that most SCIM implementations handle failures by logging the error internally and moving on. The administrator interface shows the last successful sync timestamp. It does not prominently surface failed syncs in a way that creates operational urgency. An administrator who is not specifically looking for connector errors will not see them. The failure is silent until something downstream surfaces the consequence.

Two Categories of Silent Failure and What They Produce

Failed Deprovisioning Syncs

When a SCIM connector fails to deliver a DELETE or PATCH deactivation request to a downstream application, the user’s account in that application remains active after their offboarding is recorded in the IGA platform. The IGA record shows the deprovisioning completed. The application has an active account with valid credentials.

For applications containing sensitive data, this is an active security exposure. A former employee who still knows their application credentials, or whose credentials are retrievable through a password manager they used during employment, retains functional access to the application. The access is invisible to the IGA governance layer because the IGA record shows it as revoked.

For ISO 27001 A.8.2 and SOC 2 CC6.3, the evidence standard for deprovisioning is a record showing access was revoked across all connected systems. A silent SCIM failure means the evidence record is inaccurate: it shows revocation that did not actually occur. For a post-incident investigation or an access audit, the discrepancy between the IGA record and the actual application access state is a material finding.

Failed Provisioning Syncs

When a SCIM connector fails to deliver a POST request for a new joiner, the user’s account is not created in the downstream application. The IGA platform shows the provisioning event as triggered. The application has no user account. Day one access is broken.

Provisioning failures are typically discovered by the new joiner when they attempt to access the application and find no account exists. This produces a support ticket, an IT investigation, and a delay that can range from hours to days depending on the application and the team. The operational cost is real. The security cost is that the investigation reveals a gap in the provisioning architecture that may have produced similar silent failures for other users without triggering a support ticket because the affected user had not yet attempted to access the application.

Why These Failures Are Hard to Detect Without Health Monitoring

IAM platforms typically surface SCIM connector status through a log interface that records sync events. An administrator can query the log for failed sync events. The log is accurate and complete. The problem is that this requires someone to actively look for failures. No alert fires. No dashboard turns red. No notification reaches the IT operations team unless they have built a custom monitoring process around the log data.

In practice, the frequency of log review depends on operational discipline rather than automated detection. An IT team managing dozens of SCIM connectors across a large application estate cannot manually review every connector’s sync logs daily. The failure accumulates undetected until a downstream consequence, a former employee attempting access, a new joiner raising a ticket, an auditor finding a discrepancy, makes it visible.

The second detection gap is that failed syncs do not always produce immediate consequences. A failed deprovisioning sync for a departing employee who does not attempt to re-access the application goes undetected indefinitely. The orphaned account accumulates in the downstream application, visible in the application’s user list but absent from the IGA access record. This is precisely the category of access gap that periodic access reviews are designed to catch, but catching it requires the access review to cover the downstream application’s actual user list rather than only the IGA-provisioned entitlements.

What Akku’s Provisioning Connector Health Monitoring Delivers

Akku’s Provisioning Connector Health Monitoring introduces a dedicated health layer that continuously evaluates the operational status of each configured SCIM connector. Rather than relying on an administrator to review sync logs, the health monitoring layer proactively detects connector failures and surfaces them to the administrator console with the information needed to diagnose and remediate the failure before it produces a downstream access gap. The health monitoring capability integrates with Akku IGA‘s provisioning engine and covers all configured SCIM connectors across the application estate. 

The health monitoring layer tracks each connector across four status dimensions. Connectivity status confirms whether the connector can reach the application’s SCIM endpoint. Authentication status confirms whether the API token or OAuth credentials used by the connector are valid and have not expired. Sync status confirms whether the most recent provisioning and deprovisioning events processed by this connector resulted in successful SCIM responses from the application. Latency status confirms whether the connector’s response time is within the expected range, flagging degraded performance that may indicate a future failure before it produces an error. 

When any connector’s health status moves from healthy to degraded or failed, the Akku admin console surfaces an alert with the connector name, the failure type, the timestamp of the first failure event, and the number of provisioning and deprovisioning events that were queued or failed during the outage window. This gives the IT operations team the information they need to prioritise remediation based on the access impact: a connector failure during an active offboarding event carries higher priority than a connector failure for an application with no pending provisioning activity.

For connectors that have been degraded or failed, the health monitoring layer identifies the pending provisioning events that were not delivered. When the connector is restored, Akku’s provisioning engine replays the queued events to close the access gap. Failed deprovisioning events are replayed first to prioritise closure of active access exposures. The audit trail records the original deprovisioning event, the connector failure period, and the replay event with timestamps, producing a complete evidence chain for audit purposes.

The Compliance and Security Implications

ISO 27001 A.8.2 requires that access rights are removed when employment terminates. The compliance evidence is a deprovisioning record showing access was revoked. When a SCIM connector fails silently, the IGA record shows revocation but the application state does not reflect it. Health monitoring provides the visibility to detect this discrepancy and close it before the evidence record is used in an audit. 

SOC 2 CC6.3 requires that access is authorised, modified, or removed based on roles and responsibilities. A failed SCIM provisioning event that blocks a new joiner’s access on day one is a CC6.3 deviation: the access authorisation exists in the IGA record but has not been implemented in the application. For financial services organisations under RBI Cybersecurity Framework requirements for access control and for ITeS and BPO organisations where day-one access to client systems is an operational requirement, the provisioning failure has regulatory and contractual implications beyond the immediate IT inconvenience.

DPDPA Rules 2025 requires that data fiduciaries implement technical measures to protect personal data from unauthorised processing. A failed deprovisioning sync that leaves a former employee with active access to a system containing personal data is an unauthorised processing pathway. Health monitoring that detects the failure immediately and triggers remediation is the technical control that closes this exposure.

What to Check in Your Current Provisioning Architecture

For each SCIM connector in your IGA platform, answer these three questions. First: does a connector failure generate an alert that reaches the IT operations team without requiring manual log review? If the answer is no, failed syncs are accumulating undetected. Second: for the last five employee offboardings, does the deprovisioning record in your IGA platform show revocation confirmed by SCIM response from every connected application, or only that the deprovisioning event was triggered? If only triggered, the confirmation layer is missing. Third: for the last five new joiners, was day-one access available in all provisioned applications? If there were access issues on any day one, a provisioning connector failure was the likely cause.

Explore Akku IGA and Provisioning  |  Talk to the Akku Team

Questions IT and IAM Teams Ask About Provisioning Connector Health

Q: What is the SCIM 2.0 protocol response flow when a provisioning event succeeds versus fails?

A: In a successful SCIM provisioning flow, the identity provider sends an HTTP POST, PUT, PATCH, or DELETE request to the service provider’s SCIM endpoint. A successful response returns HTTP 200 OK, 201 Created for POST, or 204 No Content for DELETE. The identity provider records the successful response and marks the provisioning event as complete. In a failure flow, the service provider returns an error status: 401 Unauthorized for an expired token, 429 Too Many Requests for rate limiting, 503 Service Unavailable for endpoint downtime, or 400 Bad Request for a schema mismatch. The identity provider logs the error response. Whether it retries, queues the event, or marks it as failed depends on the platform’s error handling implementation. Most implementations log the failure but do not surface it prominently.

Q: How does Akku’s health monitoring distinguish between a transient connector failure and a persistent failure?

A: Akku’s health monitoring classifies connector failures by duration and failure type. A single failed sync event on an otherwise healthy connector is classified as a transient event and logged without triggering an alert, given that transient network issues, brief endpoint maintenance windows, and rate limit responses are normal operational occurrences for active connectors. A connector that fails on two or more consecutive sync cycles, or that returns an authentication failure, is classified as degraded and triggers an alert. A connector that has been in a failed state for a configurable duration threshold is classified as failed and escalates the alert. This tiered classification reduces alert noise from transient issues while ensuring that persistent failures that produce access gaps are surfaced promptly.

Q: What happens to provisioning events that were queued during a connector outage?

A: Provisioning and deprovisioning events that occur while a connector is in a failed or degraded state are queued by Akku’s provisioning engine with the original event timestamp. When the connector health status returns to healthy, the queued events are replayed in chronological order. Deprovisioning events are prioritised in the replay queue to close active access exposures before processing pending provisioning events for new joiners. Each replayed event is recorded in the audit trail with the original event timestamp, the connector failure period, and the replay execution timestamp, creating a complete evidence chain that shows both the original intent and the actual execution.

Q: How does an expired API token cause a silent SCIM connector failure?

A: SCIM connectors authenticate to the service provider’s endpoint using either a static API token or OAuth 2.0 client credentials. API tokens have expiry dates set by the application vendor, ranging from 30 days to indefinite depending on the application. When a token expires, the SCIM endpoint returns a 401 Unauthorized response to all subsequent requests. The provisioning engine logs the 401 response as a connector error. Without health monitoring, this error sits in the log. The connector has been broken since the token expired, and every provisioning and deprovisioning event since that date has failed silently. Akku’s health monitoring detects the 401 response on the first failure, classifies it as an authentication failure requiring attention, and alerts the administrator with the connector name and the failure type so the token can be rotated before the outage accumulates further access gaps.

Q: How does connector health monitoring integrate with Akku IGA’s access review process?

A: Akku IGA’s access review process certifies entitlements based on the IGA’s access records. If a SCIM connector failure has caused a deprovisioning event to fail, the IGA record shows the entitlement as revoked while the application still has an active account. The connector health monitoring layer surfaces this discrepancy by flagging connectors that have experienced deprovisioning failures and identifying the specific provisioning events that were not delivered. This allows the access review to include a verification step confirming that the IGA record and the application access state are consistent, rather than relying solely on the IGA record as evidence that access was revoked.

Q: What is the difference between a SCIM sync failure and a SCIM schema mismatch?

A: A SCIM sync failure is an infrastructure or connectivity issue: the connector cannot reach the endpoint, the token has expired, or the endpoint is returning server errors. The SCIM protocol exchange is failing before the provisioning logic executes. A SCIM schema mismatch is a protocol-level incompatibility: the identity provider is sending attributes in a format or structure that the service provider does not accept, producing a 400 Bad Request response. Schema mismatches typically occur after application updates that change the service provider’s accepted SCIM schema, or after changes to the identity provider’s attribute mapping configuration. Both produce failed sync events, but they require different remediation: infrastructure failures require connectivity or authentication fixes, while schema mismatches require the attribute mapping to be updated to match the service provider’s current schema.

Android MDM Background Location Tracking: Why Foreground-Only APIs Miss Most of the Shift

Your MDM platform reports device location. What it does not tell you is how much of the shift that location data actually covers.

Android distinguishes between foreground location and background location at the API level. Foreground location APIs deliver updates while the requesting application is the active process on the device screen. The moment the user switches to another application, the MDM app moves to the background and foreground location updates stop. For a field employee who opens the MDM app once at the start of their shift and then works through a delivery app, a warehouse management system, or a customer service application for the rest of the day, the MDM platform’s location data ends shortly after the shift begins.

This is not a configuration gap or a connectivity issue. It is an architectural characteristic of how Android manages location access for applications that are not in the foreground. The distinction between foreground and background location access is enforced at the operating system level through Android’s permission model and process lifecycle management. 

The consequence for IT teams managing field device fleets is that the location compliance picture the MDM dashboard presents is accurate for the brief window when the MDM app is actively in use and incomplete for the majority of the working shift. For organisations where device location data underpins workforce compliance, client contractual obligations, or regulatory requirements around where corporate data is being accessed, the gap is operational rather than theoretical.

This blog covers how Android’s location API architecture creates this gap, what foreground-only location tracking produces as a dataset versus what background location tracking produces, and how Akku MDM’s background location tracking capability closes the gap with configurable reporting intervals across the full shift.

How Android Location APIs Work: The Foreground and Background Distinction 

Android’s location subsystem is built around two distinct access modes that carry different permission requirements and different OS-enforced behaviours. 

Foreground Location Access

An application that holds the ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permission can request location updates while it is the active foreground application. Android delivers these updates at the requested interval as long as the app remains in the foreground. When the user navigates away from the app, the process moves to the background and the OS restricts or suspends the location update stream. Applications that declare a foreground service can maintain location access while backgrounded, but the foreground service notification is visible to the user and the service consumes battery proportionally to the update frequency.

Standard MDM clients that use foreground location access without a persistent foreground service produce location data only during active app use. For device management workflows where administrators periodically open the MDM app to check in, this means location data is available at the moment of each check-in and absent between them. The result is a sparse dataset of point-in-time locations rather than a continuous track of device position throughout the shift.

Background Location Access

ACCESS_BACKGROUND_LOCATION is a separate, more restrictive Android permission that allows an application to receive location updates even when it is not in the foreground. Android 10 introduced this as a distinct permission requiring explicit user grant. Android 11 and later further restricted background location access: it cannot be requested at the same time as foreground location. The user must first grant foreground location, then separately grant background access through the system settings, where the option reads explicitly as ‘Allow all the time’ rather than ‘While using the app.’

Applications with background location access can use Android’s WorkManager, AlarmManager, or a persistent background service to request location updates at configurable intervals throughout the device’s operational period, regardless of which application the user has open. The location data produced is a continuous track rather than a sparse set of check-in points. Battery consumption is proportional to the reporting interval and can be managed by configuring a longer interval for non-time-sensitive use cases.

What Foreground-Only Location Tracking Produces as a Dataset

For a field employee running an eight-hour shift, a foreground-only MDM location implementation produces a dataset that looks like this: location recorded at app open at shift start, location recorded at any subsequent manual check-in or app interaction, location recorded at shift end. The hours between those interactions produce no location data.

The dashboard shows the device as compliant because the enrollment state is active and the last known location is within an expected range. What the dashboard does not show is that the last known location is two hours old and the device may have been anywhere in the interim. For organisations managing field employees who handle sensitive physical assets, access restricted customer locations, or operate in environments where real-time device location is a contractual or regulatory requirement, a two-hour-old location data point is not location tracking. It is a check-in log.

The gap matters differently depending on the use case. For healthcare organisations where clinical staff carry devices with access to patient data, a foreground-only location implementation cannot verify that the device remained within the permitted care environment throughout the shift. For ITeS and BPO organisations with client data handling obligations that include location-based access restrictions, a sparse location dataset does not satisfy the continuous compliance requirement. For logistics and field operations where route adherence and location verification are operational requirements, foreground-only tracking produces data too sparse to be operationally useful.

What Akku MDM’s Background Location Tracking Delivers

Akku MDM’s background location tracking for Android uses the ACCESS_BACKGROUND_LOCATION permission combined with a configurable periodic location worker. The worker runs at an administrator-defined interval throughout the device’s operational period, independent of which application is active on the device screen. Location updates are reported to the Akku MDM console in real time and stored with device identifier, timestamp, latitude and longitude coordinates, and accuracy radius.

The administrator console displays the continuous location track for each enrolled device, showing position at each reporting interval throughout the shift rather than at manual check-in points. For a device running a thirty-minute reporting interval over an eight-hour shift, the administrator receives sixteen location data points covering the full operational period. For environments requiring tighter tracking, shorter intervals are configurable.

The background location capability integrates with Akku MDM’s existing compliance monitoring and group-based policy framework. Administrators can apply background location tracking as a policy to specific device groups, specific user groups within the organisation, or the full enrolled device fleet. Devices that do not grant the background location permission can be flagged as non-compliant in the Akku MDM compliance dashboard, triggering the existing non-compliance workflow. 

The location data produced by background tracking feeds into the same centralised reporting that Akku MDM uses for audit readiness. For compliance exercises requiring evidence that corporate devices remained within permitted locations throughout a defined period, the background location track provides the continuous timestamped dataset that foreground-only check-in logs cannot.

The Permission Grant Process and User Experience

Because Android requires background location to be granted through a separate, explicit user action, the enrollment and permission grant workflow requires specific handling. Akku MDM’s Android enrollment flow presents the foreground location permission request as part of initial device enrollment. After the foreground permission is granted, the enrollment flow directs the user to the system settings to grant the ‘Allow all the time’ background location permission.

The user-facing explanation presented at this step is configurable by the administrator. For corporate-owned devices where the organisation controls the device use policy, the background location requirement can be stated as a condition of device enrollment. For BYOD devices, the permission grant remains subject to the user’s acceptance, and the MDM can be configured to flag devices where background location permission has not been granted as having a policy exception rather than as enrollment-blocked.

This distinction between corporate-owned and BYOD handling reflects the broader Akku MDM architecture, which maintains work profile isolation on Android to separate corporate data from personal data. Background location tracking applies to the device as a whole rather than to the work profile, which means the permission grant and the privacy disclosure to the user need to be consistent with the organisation’s BYOD policy.

The Compliance Context

For healthcare organisations managing Android devices that carry access to patient data, continuous location tracking supports the requirement to demonstrate that protected health information was accessed only from permitted locations. HIPAA does not specify a location tracking requirement for devices, but organisations that use location-based access controls as a technical safeguard under HIPAA Section 164.312(a)(1) need the location data to be continuous rather than sparse to satisfy the control.

For ITeS and BPO organisations with client contractual requirements around where data can be accessed, background location tracking provides the continuous location evidence that spot-check foreground logs cannot. For field operations and logistics environments where device location tracking is an operational requirement tied to route compliance and asset tracking, background location data at configurable intervals produces the operational dataset the use case requires.

Under DPDPA Rules 2025, the collection of background location data from employee devices constitutes processing of personal data. Organisations implementing background location tracking are required to ensure that the processing is based on a legitimate purpose, that employees are informed of the tracking, and that the data is retained only for the period necessary for the stated purpose. Akku MDM’s group-based policy model supports scoping background location tracking to specific device groups, allowing organisations to apply tracking only to the roles and use cases where it is operationally justified rather than to the entire enrolled fleet. 

What to Check in Your Current MDM Location Configuration

Open your MDM console and pull the location history for three enrolled Android devices used by field employees. Count the number of location data points recorded during a standard eight-hour shift. If the count is in single digits, the MDM is using foreground-only location access. The location compliance dashboard is showing you check-in points, not continuous shift coverage.

Check the Android permission state for the MDM app on those devices. If the location permission shows as ‘While using the app’ rather than ‘Allow all the time’, background location access has not been granted. The MDM platform is architecturally limited to foreground-only reporting. For environments where continuous location coverage is operationally or contractually required, Akku MDM’s background location tracking capability closes the gap without requiring a change to the device management model.

Explore Akku MDM Capabilities  |  Talk to the Akku Team 

Questions IT and Security Teams Ask About Android MDM Background Location Tracking

Q: What is the technical difference between ACCESS_FINE_LOCATION and ACCESS_BACKGROUND_LOCATION on Android?

A: ACCESS_FINE_LOCATION grants an application the ability to receive precise location updates from GPS and network sources. It is classified as a foreground permission on Android 10 and later, meaning it allows location access only while the app is in the foreground or while a foreground service is running with the location foreground service type declared. ACCESS_BACKGROUND_LOCATION is a separate permission that extends location access to background operation, allowing the app to receive location updates regardless of whether it is the active foreground application. Android 11 and later require this permission to be granted separately through system settings, where the user explicitly selects ‘Allow all the time’ rather than ‘While using the app.’ The two permissions have different grant flows and different battery impact profiles.

Q: How does Akku MDM implement background location reporting without draining the device battery?

A: Akku MDM’s background location worker uses Android’s WorkManager with a configurable periodic task interval. WorkManager is battery-optimised by design: it batches work requests with other background operations and respects Android’s Doze and App Standby restrictions while still delivering location updates at the configured interval. Administrators set the reporting interval based on operational requirements. A thirty-minute interval produces sixteen data points over an eight-hour shift with minimal battery impact. Shorter intervals are available for environments requiring tighter tracking, with the understanding that battery consumption scales with reporting frequency.

Q: What happens to the background location track if the device loses connectivity mid-shift?

A: Akku MDM’s location worker stores location events locally on the device when the MDM platform is not reachable. On connectivity restoration, the stored events are uploaded to the Akku console with their original timestamps. The location track in the admin console reflects the full shift coverage, including the offline period, not just the connected periods. This is relevant for field environments where network connectivity is intermittent, such as warehouses with coverage gaps or field sites outside urban areas.

Q: How does DPDPA apply to background location tracking of employee devices?

A: Under DPDPA Rules 2025, background location tracking of an employee’s Android device constitutes processing of personal data. The data fiduciary, which is the employing organisation, is required to ensure the processing is based on a legitimate purpose, that the employee is informed of the tracking, and that the data is not retained beyond the period necessary for the stated purpose. For corporate-owned devices, the employment agreement and device use policy can establish the legitimate purpose and notification requirement. For BYOD devices, the explicit permission grant required by Android for background location access serves as part of the user notification, but the organisation should ensure the permission request is accompanied by a clear explanation of what data is collected, how it is used, and how long it is retained.

Q: Can background location tracking be applied to specific device groups rather than the entire enrolled fleet?

A: Yes. Akku MDM’s group-based policy assignment allows background location tracking to be applied at the organisational unit or user group level. An administrator can enable background location for field operations devices while leaving office-based devices on foreground-only location or no location tracking. This allows the organisation to scope continuous location tracking to the roles and use cases where it is operationally justified and to maintain a clear, defensible basis for the processing under DPDPA and similar data protection requirements.

Q: How does background location tracking interact with Akku MDM’s work profile isolation on BYOD devices?

A: Work profile isolation on Android separates corporate applications and data from personal applications and data within the same device. The work profile runs as a separate user space, but location services operate at the device level rather than at the profile level. Background location tracking granted to the Akku MDM app applies to the device as a whole, not only to the work profile. This means background location data is collected from the full device, not only from work profile activity. For BYOD deployments, this distinction should be addressed explicitly in the device use policy and the permission grant flow, so that employees understand the scope of location data being collected before granting the permission.

Your Offboarding Checklist Has a Gap. It’s Called SAP.

What is the most sensitive system in your organisation? Not the most technically complex. The one with the highest concentration of data that would cause the most damage if a former employee retained access to it after leaving.

For most manufacturing, financial services, and retail organisations, the answer is SAP. The general ledger. Accounts payable. Supplier pricing. Production schedules. Customer master data. Financial reporting. All of it was governed, transacted, and stored in an ERP system that was running before your IAM platform existed and is still running outside your IAM platform’s provisioning scope.

When an employee leaves, your central IAM offboarding workflow closes their Active Directory account, disables their email, revokes their SSO access, and produces a ULM deprovisioning record showing that access was removed on the date of departure. The offboarding record looks complete.

The SAP account is still active.

Not because the SAP Basis team forgot. Because SAP user management was never connected to the central IAM offboarding workflow. The notification has to travel from HR to IT to the SAP Basis team manually. Whether it arrives, how quickly it is acted on, and whether the deprovisioning is verified are entirely dependent on a manual communication chain that breaks regularly and leaves no evidence when it does.

This blog covers why SAP sits outside most identity governance architectures, what that gap looks like under ISO 27001, SOC 2, DPDPA, and RBI, and what connecting SAP to the central IAM offboarding workflow produces as evidence and security outcome. 

Why SAP Is Structurally Excluded From Most IAM Governance

SAP has its own user administration layer. SU01 manages individual user accounts. Role assignments are handled through the SAP role framework, separate from the RBAC model in the central directory. Authentication in SAP can run through SSO but frequently does not, or runs through a different SSO configuration than the one the central IAM platform manages.

In most organisations, SAP was deployed by a dedicated implementation team, maintained by a SAP Basis function, and governed by a separate access control process owned by the SAP team rather than the IAM team. The central IAM platform manages every application in the SSO catalogue. SAP is not in the SSO catalogue. It is a separate system with separate credentials, separate role management, and separate access review processes.

The result is a fundamental governance architecture gap. The identity governance layer that is supposed to cover all access to sensitive systems does not cover the system that holds the most sensitive data. The access review that runs quarterly for every application in the IAM platform runs separately for SAP, on a different cadence, producing evidence in a different format, reviewed by a different team.

For auditors evaluating ISO 27001 A.8.4 access review coverage or SOC 2 CC6.3 access authorisation, the question of whether SAP was included in the access review scope is a material one. The answer in most organisations is that it was not, or that it was covered by a separate process whose evidence is not connected to the central access governance record.

What the Gap Creates Operationally 

The Offboarding Gap 

ISO 27001:2022 Annex A Control A.11.5 requires that responsibilities after termination include access revocation across all information systems. The evidence requirement is a User Lifecycle Management offboarding report showing immediate access revocation upon termination. The report must show all systems, not the systems managed by the central IAM platform.

For a manufacturing organisation where SAP governs procurement, production planning, and financial operations, a former employee with active SAP credentials after departure has access to supplier contracts, pricing negotiations in progress, production schedules that constitute competitive intelligence, and the ability to execute financial transactions. The ISO 27001 A.11.5 evidence gap is also an active security exposure.

DPDPA Section 8(7)(a) requires data fiduciaries to restrict processing of personal data when the lawful basis for processing ends. For employees, the lawful basis is the employment relationship. A SAP account active after departure is an active processing capability on data for which the lawful basis has ended. The DPDPA obligation is not satisfied by the central IAM offboarding record if that record does not cover SAP.

The Access Review Gap

SOC 2 CC6.3 requires that access is authorised, modified, or removed based on roles and responsibilities. For a SOC 2 Type II audit, the auditor evaluates whether access modifications occurred when role changes occurred. If an employee changed departments and their SAP roles were not updated to reflect the new role’s access requirements, the CC6.3 control has a gap for the full period during which the misaligned access existed. 

For financial services organisations where SAP governs general ledger operations, RBI Cybersecurity Framework clause 19(a) requires access to information assets to be allowed only where a valid business need exists and mandates documented standards for need-based access to information systems. SAP access that was granted for a role that no longer exists, or retained after a role change, fails this standard. The access review that would catch it runs on a different cadence and produces evidence that is not connected to the central access governance record.

The Segregation of Duties Gap

SAP role assignments accumulate over time. A user who was given a procurement role when they joined the organisation may have accumulated finance and reporting roles through ad-hoc requests over the years. In most organisations, the SAP access review that would catch this runs less frequently than the central IAM access review and uses a different reviewer and a different evidence format.

The consequence is that segregation of duties violations, where a single user has incompatible roles that they should not hold simultaneously, accumulate invisibly in SAP while the central access governance layer shows clean reviews. The compliance posture looks clean because the governance layer is not covering the system where the violations exist.

What Connecting SAP to the Central IAM Workflow Produces

Akku’s User Lifecycle Management supports SAP as a provisioning and deprovisioning target through SCIM-based and API-based connectors. When an offboarding event is triggered in Akku, the deprovisioning action executes across all connected systems simultaneously, including SAP. The SAP account is disabled as part of the same workflow that handles Active Directory, email, and SSO access removal.

The ULM offboarding record captures the timestamp of deprovisioning across every connected system in a single audit trail entry. For an ISO 27001 A.8.2, A.11.5, or SOC 2 CC6.3 audit, the evidence is a single record showing that access was removed from all systems, including SAP, at the time of the offboarding event. The gap between the central IAM offboarding completion and the SAP account deactivation is zero because both actions happen within the same workflow execution.

Akku IGA‘s access recertification capability extends to SAP role assignments when SAP is connected to the IAM governance layer. SAP roles are included in the quarterly access review alongside every other application. The reviewer sees the user’s current SAP roles, the business justification for each, and the date of last review. The access recertification report covers SAP as part of the standard evidence set. The gap between the central access governance record and the SAP access state closes.

The Verification Test

For the last three employees who left your organisation, answer these two questions. First: Does the central IAM offboarding record show SAP account deactivation with a timestamp? If the answer is no, SAP is not in the offboarding workflow. Second: What is the timestamp difference between the central IAM offboarding completion and the SAP account deactivation?

If SAP deactivation is not in the central record, the access may still be active. If the timestamp difference is more than a few hours, the manual communication chain between the IT and SAP Basis teams introduces a gap that is not visible in the offboarding record. For manufacturing organisations and financial services organisations where SAP access is access to the most sensitive operational data in the environment, that gap is not a paperwork problem. It is an active access exposure.

 Explore Akku IGA Capabilities  |  Talk to the Akku Team

Questions IT and Compliance Teams Ask About SAP Offboarding and Access Governance 

Q: Why does SAP sit outside most central IAM platforms architecturally?

A: SAP has its own user administration layer, separate from the directory services and SSO-based authentication that most central IAM platforms manage. In most organisations, SAP was deployed before the central IAM platform and by a different team, establishing SAP user management as a separate process owned by the SAP Basis function. Integrating SAP into the central IAM provisioning and deprovisioning workflow requires a SCIM connector or API-based integration that most organisations have deferred. The result is that SAP access operates under separate governance from the rest of the identity estate, with a different access review cadence, different evidence format, and different ownership.

Q: What evidence does ISO 27001 A.11.5 require for SAP account deactivation on employee departure? 

A: ISO 27001:2022 Annex A Control A.11.5 requires that responsibilities after termination include access revocation across all information systems. The evidence required is a User Lifecycle Management offboarding report filtered for deprovisioning events showing immediate access revocation upon termination. For SAP specifically, the evidence requires that SAP account deactivation is captured in the same offboarding record as all other system access removals, with a timestamp showing deactivation occurred at the time of termination. A SAP deactivation that occurs days after the central IAM offboarding, or is not documented in the central record at all, is a gap in the A.11.5 evidence. 

Q: How does DPDPA apply to SAP access retained by departed employees?

A: DPDPA Section 8(7)(a) requires data fiduciaries to restrict processing of personal data when the specified purpose is no longer served. For employee data processed in SAP, the employment relationship is the lawful basis for processing. When the employment relationship ends, the lawful basis ends and the obligation to restrict further processing applies. A SAP account active after an employee’s departure is an active processing capability on data for which the lawful basis has ended. Section 8(7)(b) extends this requirement to downstream processors. An organisation that has not connected SAP to its central deprovisioning workflow cannot demonstrate that the DPDPA data erasure and processing restriction obligations were met at the time of departure. 

Q: What SOC 2 controls are most directly affected by SAP role accumulation and access review gaps? 

A: SOC 2 CC6.3 requires that access is authorised, modified, or removed based on roles and responsibilities. SAP role accumulation over time, where users hold roles beyond their current business function, is a direct CC6.3 finding. SOC 2 CC5.1 requires controls to mitigate risks, which includes segregation of duties controls. Incompatible SAP role combinations that exist because access review has not covered SAP role assignments are a CC5.1 finding. For a SOC 2 Type II audit, the question is whether these controls operated throughout the audit period. A SAP access review that runs less frequently than the central IAM access review creates a gap in the Type II evidence record.

Q: How does Akku connect SAP to the central IAM access review process?

A: When SAP is connected to the Akku IAM platform through a SCIM or API-based connector, SAP users and role assignments become visible in the Akku IGA governance layer. Akku IGA’s access recertification capability extends to SAP roles, including them in the quarterly access review alongside every other application. Reviewers evaluate SAP role assignments against the current business justification, and the access recertification report covers SAP as part of the standard evidence set. Role accumulation and segregation of duties violations in SAP become visible in the same review process that governs all other application access.

Q: What does the ULM offboarding record look like when SAP is connected to Akku?

A: When SAP is connected to Akku’s User Lifecycle Management, the offboarding workflow executes deprovisioning actions across all connected systems simultaneously. The ULM offboarding record captures a single timestamped entry showing the user identity, every system from which access was removed, and the timestamp of removal for each system. SAP account deactivation appears in the same record as Active Directory, email, and SSO access removal. The timestamp for SAP deactivation matches the offboarding event timestamp rather than reflecting a delay introduced by a manual notification chain.

Audit-Ready Organisations Don’t Prepare for Audits. They’re Already Ready.

Here is a question worth asking your compliance team: how long would it take to produce the evidence package for your next ISO 27001 or SOC 2 audit if the auditor announced it today?

If the answer is measured in weeks, your organisation is not compliant. It is compliant-looking, periodically, when someone assembles the evidence. The compliance posture that exists between audit cycles, the one where access reviews are delayed, deprovisioning records are incomplete, and monitoring logs are available but unreviewed, is the actual posture. The packaged evidence is a retrospective reconstruction of something that may or may not reflect how controls operated during the period.

ISO 27001:2022 Clause 9.1 requires monitoring and measurement to evaluate ISMS effectiveness, with retained evidence. It does not say evidence assembled before the audit. SOC 2 CC7.2 requires continuous monitoring of system components for anomalies. DPDPA Section 10(2)(c)(ii) requires periodic audit measures for significant data fiduciaries. RBI Cybersecurity Framework clause 30(f) specifically describes a continuous auditing approach for critical systems.

None of these frameworks describes a quarterly scramble. They are describing a state. This blog covers what that state looks like architecturally, why most organisations are not in it, and what changes when the evidence is generated continuously rather than assembled on demand.

The Difference Between Compliance and Compliance-Looking

Compliance, in the sense that ISO 27001, SOC 2, and DPDPA mean it, is an operational state. The controls are configured correctly. Access reviews run at the required cadence. Deprovisioning happens when it is supposed to happen. Monitoring is active. The evidence of each of these exists in the system as a byproduct of the controls operating.

Compliance-looking is a documentation state. The evidence package submitted to an auditor accurately represents what the controls looked like during the evidence collection period. Whether the controls operated that way for the other ten months of the year is not visible in the package.

The practical distinction is who bears the risk. In a genuine compliance posture, gaps are discovered when they occur, because monitoring is active. In a compliance-looking posture, gaps are discovered during audit preparation, when the window for remediation has closed. A deprovisioning that was missed three months ago cannot be remediated retroactively. An access review that did not run in Q2 cannot be backdated to show that it did.

The evidence quality standard that ISO 27001 Type II and SOC 2 Type II audits are moving toward reflects this distinction. Auditors are increasingly looking not just at the evidence submitted but at whether the controls that produced the evidence were operating throughout the audit period. A quarterly access review completed once in the last week of the period is weaker evidence than four access reviews completed at regular intervals.

What Each Framework Actually Requires

ISO 27001:2022 Annex A and Clause 9 

Annex A Control A.8.4 requires periodic review of user access rights, with documentation of the review. Periodic implies a cadence that runs regardless of audit timing. The Akku IGA access recertification report satisfies this requirement when it is generated at the defined cadence and stored in the audit log. The report captures the reviewer identity, the access scope reviewed, the timestamp, and the decision made for each entitlement.

Annex A Control A.8.2 requires access rights to be removed when employment terminates. The evidence is a User Lifecycle Management offboarding record with a timestamp showing that access was removed at the time of the termination event, across all connected systems. A record produced at the time of the event is different from a record assembled in response to an auditor’s request.

Clause 9.1 requires the organisation to retain evidence of monitoring and measurement results. This is the catch-all: the audit log exports, the access monitoring reports, the authentication event records. They need to exist as a continuous output of the controls operating, not as exports triggered by audit preparation.

SOC 2 Trust Services Criteria

SOC 2 CC6.3 requires that access is authorised, modified, or removed based on roles and responsibilities. The Type II audit evaluates whether this control operated throughout the audit period. The evidence is the access change log showing that modifications and removals occurred when the corresponding role changes and departures occurred, not at a point in time near the audit window. 

SOC 2 CC7.2 requires monitoring of system components for anomalies indicative of malicious acts. The Akku PAM session recordings and security monitoring alerts contribute to this evidence base when they are generated continuously as an operational output. An anomaly detected in real time and logged in the audit trail is different evidence from an anomaly that would have been detectable if someone had reviewed the logs.

DPDPA Rules 2025

DPDPA Section 8(4) requires data fiduciaries to implement appropriate technical and organisational measures to ensure effective observance of the Act. At the access governance level, the evidence is the IGA access review records and the ULM deprovisioning records demonstrating that access to personal data systems was reviewed periodically and revoked when the basis for access ended.

For organisations classified as significant data fiduciaries, Section 10(2)(c)(ii) requires periodic audit measures. The evidence base for that audit is the access governance records generated during the audit period. An IGA access recertification report generated three weeks before the audit is weaker evidence than four quarterly reports generated throughout the year.

RBI Cybersecurity Framework 

RBI clause 15(a) requires IT applications with access to critical or sensitive information to have audit and system logging capability, providing audit trails. Clause 15(c) requires a system for regularly monitoring audit trails and system logs to detect unauthorised activity. Clause 30(f) describes continuous auditing for critical systems as a recommended approach for regulated entities.

These requirements together describe an architecture where critical system access is logged, the logs are monitored continuously, and the monitoring produces evidence that can be queried at any time. Akku’s centralised audit log and identity and access security monitoring satisfy clauses 15(a) and 15(c). The Compliance Reporting API consolidates compliance data across authentication events, GPO configuration state, and threat detection activity into a structured JSON output that GRC platforms and SIEM tools can consume programmatically.

What Continuous Audit Evidence Looks Like in Practice

Access Reviews That Run on a Schedule, Not on Request

Akku IGA generates access recertification campaigns at configured intervals. Each campaign produces a report documenting the review timestamp, reviewer identity, scope, and decisions. The reports are stored in the audit log and are queryable by date range and application. A compliance manager preparing for an audit queries the IGA access recertification history and retrieves four quarterly reports. The question of whether the access reviews ran during the period is answered by the data, not by the compliance manager’s recollection.

Deprovisioning That Happens When the Event Happens

Akku’s User Lifecycle Management generates a timestamped deprovisioning record for every offboarding event, capturing the user identity, the systems from which access was removed, and the timestamp of removal. The record is written at the time of the event. When an auditor asks for evidence that a specific departed employee’s access was revoked, the query returns a record with a timestamp that either matches the departure date or does not. There is no room for reconstruction.

Current compliance Visibility, Not Assembled

Akku’s Compliance Control Checkpoints View shows the real-time pass/fail status of every compliance control with the timestamp of the most recent supporting evidence. The Compliance Score generates an organisation-wide score with per-framework breakdowns across ISO 27001, SOC 2, HIPAA, GDPR, and DPDPA, updated as controls are remediated. A compliance manager reviewing the dashboard on any given day sees the current state of every control, not the state as of the last evidence collection exercise.

The Diagnostic Question

For each framework your organisation is subject to, ask this: if the auditor requested the evidence package today, how much of it already exists in a timestamped, queryable format in your systems? For financial services organisations under RBI’s audit trail requirements and for ITeS and BPO organisations under client compliance obligations, the gap between what exists continuously and what would need to be assembled is the gap between a compliance posture and a compliance-looking posture.

If the answer requires assembling anything, the architecture is reactive. The evidence is available somewhere. It is not maintained as a continuous operational output.

Explore Akku IGA Capabilities  |  See Akku Compliance Reporting API  |  Talk to the Akku Team

Questions Compliance and IT Teams Ask About Continuous Audit Readiness

Q: What is the practical difference between ISO 27001 Type I and Type II audit evidence standards?

A: A Type I assessment evaluates whether controls are designed appropriately at a point in time. A Type II assessment evaluates whether those controls operated effectively throughout a defined period, typically six to twelve months. The evidence standard for Type II is significantly higher: the auditor is looking for a pattern of operation over time, not a snapshot. A quarterly access review completed once in the final week of the audit period satisfies neither the spirit nor the letter of a Type II assessment. Four quarterly reviews conducted at regular intervals throughout the period do. This distinction is why the architecture that generates evidence continuously is not optional for organisations pursuing SOC 2 Type II.

Q: How does Akku’s Compliance Reporting API differ from a standard audit log export? 

A: A standard audit log export is a raw output from a single system, typically requiring manual filtering, formatting, and cross-referencing with other systems before it is useful as compliance evidence. Akku’s Compliance Reporting API consolidates compliance-relevant data across authentication events, GPO configuration state, threat detection activity, and access change records into a single structured JSON endpoint. The output is timestamped, audit-traceable, and formatted for direct ingestion by GRC platforms and SIEM tools. It does not require a human to assemble it. It is generated programmatically and is current as of the moment it is queried.

Q: What evidence does Akku IGA produce for ISO 27001 A.8.4 access review requirements?

A: Akku IGA generates access recertification reports documenting each periodic review of user access rights. Each report captures the review timestamp, the reviewer identity, the access scope reviewed, and the decision made for each entitlement under review. The reports are stored in the Akku audit log and are queryable by date range, application, and reviewer. For a twelve-month audit period with quarterly access reviews, the auditor receives four timestamped reports from the audit log. The evidence demonstrates both that the reviews occurred and that they occurred at the required cadence.

Q: How does DPDPA Section 10(2)(c)(ii) apply to organisations that are not classified as significant data fiduciaries?

A: Section 10(2)(c)(ii) requires periodic audit measures specifically for significant data fiduciaries, which are organisations designated by the government as processing large volumes of personal data or data that poses a significant risk to data principals. Organisations not classified as significant data fiduciaries are not subject to this specific requirement. However, Section 8(4) applies to all data fiduciaries and requires technical and organisational measures to ensure effective observance of the Act. At the access governance level, this requires access reviews and deprovisioning records for personal data systems regardless of significant data fiduciary status. The distinction is in the audit mechanism, not in the underlying access governance requirements.

Q: How does the Compliance Control Checkpoints View connect to the underlying evidence in the audit log?

A: The Compliance Control Checkpoints View displays the real-time pass/fail status of each compliance control derived from the evidence records in the Akku audit log. When a control shows a pass status, it is because the underlying evidence, such as a recent access recertification report, an active MFA configuration, or a completed deprovisioning record, exists in the audit log and meets the evidence standard for that control. When a control shows a fail or gap status, it is because the evidence does not exist, is outdated, or does not meet the standard. The dashboard is not a separate assessment layer. It is a view into the same evidence that would be submitted to an auditor.

Q: What RBI Cybersecurity Framework requirements does Akku’s continuous monitoring architecture satisfy? 

A: Akku’s centralised audit log satisfies RBI clause 15(a), which requires IT applications with access to critical information to have audit trail capability, and clause 15(b), which requires audit trails to be detailed enough to serve as forensic evidence. Akku’s identity and access security monitoring satisfies clause 15(c), which requires a system for regularly monitoring audit trails to detect unauthorised activity. For the continuous auditing approach described in clause 30(f), Akku’s Compliance Reporting API provides the programmatic, real-time access to compliance data that continuous auditing requires. The API output covers authentication events, GPO configuration state, and threat detection activity in a structured format suitable for automated analysis.

Access Layer Authentication Does Not Extend to Data Exfiltration Controls.

Your BYOD policy permits employees to access corporate applications from personal devices. The security team agreed to this because blocking personal device access was creating friction that hurt productivity. The IT team agreed because enforcing full MDM enrollment on personal devices was operationally impractical and legally contested in some jurisdictions.

What neither team thought through carefully enough: the moment an employee accesses a corporate application from a personal laptop and downloads a file, that file is on the personal device. Outside your data governance controls. Outside the MDM perimeter. Outside the DLP agent that was never installed on the personal laptop because the legal team objected to agent installation on personal devices.

The authentication was controlled. The identity was verified. The access was permitted. The data transfer was completely uncontrolled.

This is the BYOD exfiltration gap. It is not a niche scenario. It is the direct consequence of enabling access from unmanaged devices without implementing the controls that govern what those devices can do with the data they access.

This blog covers the three specific exfiltration vectors that BYOD access creates, why endpoint-layer DLP is not a practical solution for personal devices, and how device-based restrictions at the access layer close the gap without requiring anything to be installed on the personal device.

The Three Exfiltration Vectors BYOD Access Creates

File Download

When a user on a personal device downloads a file from a corporate application, the file leaves the corporate data environment. The application’s access controls governed who could view the file. They do not extend to what happens to the file once it is on the personal device. The file can be copied to a personal cloud storage service, forwarded from a personal email account, or transferred to any other system the personal device has access to.

Print

Printing from a corporate application on a personal device sends the document through the personal device’s print spooler and, in most cases, through a cloud print service the organisation does not control. For documents containing personal data under DPDPA, financial records under RBI requirements, or health information under HIPAA, a printout produced on a personal device through an uncontrolled print pathway is a data governance gap regardless of how the access was authenticated.

USB Transfer 

An employee with external storage connected to a personal laptop can copy data from a browser session directly to the USB device. USB transfer leaves no network trace. The data movement is entirely local. There is no network log entry, no application access log entry for the transfer itself.

For ITeS and BPO organisations handling client data under contractual data handling obligations, USB-accessible data on personal devices is a direct contractual exposure. 

Why Endpoint-Layer DLP Does Not Solve This for BYOD 

On corporate managed devices, DLP agents work. The organisation owns the device, manages it through MDM, and can install a DLP agent as part of the standard configuration.

On personal devices, endpoint DLP has three problems. Privacy objection: installing a DLP agent on a personal device gives the organisation monitoring capability over activity outside the work context. Most employees and most legal teams object to this. Operational complexity: maintaining DLP agents across a diverse estate of personally-owned devices with varying operating systems and configurations is disproportionately complex. User resistance: employees who experience monitoring software on personal devices resist it, reducing BYOD adoption and eliminating the productivity benefit that justified the policy.

The consequence is that most organisations with BYOD access policies have either no DLP coverage on personal devices or coverage so limited it does not address the primary exfiltration vectors.

How Device-Based Restrictions Work at the Access Layer

Akku’s device-based data exfiltration restrictions operate at the access layer rather than the endpoint layer. Rather than installing software on the personal device and monitoring what the device does, Akku enforces restrictions at the point where the user accesses the corporate application.

When a user authenticates from a device that is not on the organisation’s whitelisted device list, Akku applies the configured restrictions to that session: file downloads are blocked, print actions are blocked, and USB transfer pathways accessible from the session are restricted. The user can still view and work with content within the session. The restriction applies specifically to the actions that would move data out of the controlled session environment onto the personal device or to external media.

Nothing needs to be installed on the personal device. The restriction is enforced by the access platform at the session layer and is transparent to the personal device. 

Device Whitelisting and How It Determines Which Restrictions Apply

Akku uses certificate-based device authentication as the whitelisting mechanism. When a device is enrolled as an authorised device for a user, a certificate is installed on the device. When a user authenticates, Akku evaluates whether the device presents a valid certificate. Enrolled devices with valid certificates receive full data access. Devices without a certificate receive restricted session access.

The certificate approach is platform and browser agnostic, working across Windows, macOS, Linux, iOS, and Android without requiring a device-specific agent. The same user can have different data control policies depending on which device they authenticate from: full access from their enrolled corporate laptop, restricted session access from a personal device.

This is directly relevant for financial services organisations where field staff need access to client data from personal devices while the organisation needs to ensure sensitive financial data cannot leave through uncontrolled download or print pathways. It is equally relevant for healthcare organisations where clinical staff access patient records from personal devices and HIPAA requires that electronic protected health information is subject to access controls including controls over how it can be extracted.

The Compliance Case

GDPR Article 32 requires that personal data is processed with appropriate technical measures including protection against unauthorised disclosure. A download of personal data to a personal device with no data governance controls is an unauthorised disclosure pathway that Article 32 was designed to prevent. 

DPDPA Rules 2025 requires data fiduciaries to implement technical measures to protect personal data from unauthorised processing. An employee downloading personal data to a personal device and storing it in a personal cloud service is unauthorised processing under DPDPA.

PCI-DSS Requirement 12.3.3 requires that all hardware and software in scope for cardholder data is inventoried. A personal device from which cardholder data was downloaded is in scope for the cardholder data environment. Blocking download from personal devices is the technically cleaner path to compliance than attempting to bring personal devices into CDE scope. 

What to Check in Your Current BYOD Configuration

Pick any employee who accesses a corporate application containing sensitive data from a personal device. Without asking them, can your IT team confirm whether that employee has downloaded any files from that application to their personal device in the last 30 days? If the answer is no, the download activity is unmonitored and uncontrolled.

Can your organisation demonstrate to a DPDPA supervisory review or a client compliance audit that personal devices used to access corporate applications cannot transfer data to external storage or personal cloud services? If the answer requires relying on policy documentation rather than technical controls, the BYOD security posture is based on trust rather than enforcement.

Explore Akku BYOD Security  |  See Akku MDM Capabilities  |  Talk to the Akku Team

Questions Security and Compliance Teams Ask About Device-Based Exfiltration Restrictions

Q: Does enforcing exfiltration restrictions on personal devices require installing anything on those devices?

A: No. Akku’s device-based restrictions operate at the access layer. When a user authenticates from a device that does not present a valid device certificate, the session applies the configured restrictions without requiring any software on the personal device. The restriction is enforced by the access platform at the session layer and is transparent to the personal device.

Q: How does certificate-based device whitelisting work in practice? 

A: When a device is enrolled as an authorised device, Akku generates and installs a device certificate on the device. On subsequent authentication attempts, Akku evaluates whether the authenticating device presents a valid certificate. Enrolled devices with valid certificates receive the full configured data access. Devices without a certificate receive the restricted session access. The certificate is platform and browser agnostic, working across Windows, macOS, iOS, and Android without a device-specific agent.

Q: What specific actions can be restricted for unenrolled device sessions? 

A: The restrictions configurable for unenrolled device sessions include file download from corporate applications accessed through the session, print actions initiated from the session, and USB storage device transfer of data accessible in the session. Restrictions can be applied uniformly to all unenrolled device sessions or configured differently based on user group or application sensitivity.

Q: How does this address DPDPA Rules 2025 requirements specifically?

A: DPDPA requires data fiduciaries to implement technical measures to protect personal data from unauthorised processing. Downloading personal data to a personal device and storing it outside the organisation’s data governance controls constitutes unauthorised processing under DPDPA. Device-based download and transfer restrictions implement the technical measure at the data movement layer, preventing the unauthorised processing pathway rather than relying on policy documentation.

Q: How does this work for web-based corporate applications accessed through a browser?

A: The restrictions apply to web-based applications accessed through a browser on an unenrolled device. Akku manages the application access layer and applies session restrictions at that layer. File downloads through standard browser download mechanisms are blocked at the application delivery layer. Print actions initiated from the browser are restricted before the print dialog completes. 

Q: What is the user experience difference between an enrolled and an unenrolled device session?

A: On an enrolled device with a valid certificate, the user experience is identical to unrestricted application access. No additional friction. On an unenrolled personal device, the user can view and work with content within the session. Attempts to download files, initiate print actions, or transfer session data to external storage are blocked with an appropriate notification. The restriction applies specifically to the actions that would move data out of the controlled session environment.

Device Enrollment State and Device Application Inventory Are Two Different Datasets.

When did your MDM platform last produce a complete list of every application installed on every enrolled device?

Not the applications you deployed through the MDM. Every application currently installed on each managed device, including what was installed after enrollment, outside the managed profile, or through channels your deployment policy did not account for.

For most organisations the honest answer is: it has not. MDM enrollment applies policies and configurations at the point of registration. It does not run a continuous inventory of what is installed on each device and surface that data in a queryable form. The policy says no unauthorised applications. Whether any unauthorised applications are actually present on enrolled devices is a question the platform is not answering. 

This gap has three specific consequences. An unauthorised application installed after enrollment is invisible until someone manually checks. A CVE-affected package version that was not updated when the disclosure was published sits on managed devices without the security team knowing which devices are affected. A shadow IT tool installed to handle a workflow that approved applications do not support creates a data handling exposure that nobody detected because nobody was looking.

This blog covers why MDM enrollment and MDM inventory are two different capabilities, what per-device application inventory changes at the operational level, and how package-level visibility connects to vulnerability management and compliance. 

Why MDM Enrollment Is Not the Same as MDM Inventory 

MDM enrollment is a point-in-time configuration event. When a device enrolls, the MDM platform pushes the defined policy set: password requirements, screen lock settings, work profile configuration, approved application list, network access rules. The device is now managed. The configuration baseline is applied.

What happens after enrollment is outside the scope of most MDM policy enforcement mechanisms unless the platform is specifically configured to continuously monitor device state. Applications installed from the personal profile on a work profile device, applications sideloaded outside the managed play store channel, and applications present on the device before enrollment on a BYOD deployment are not automatically surfaced in the MDM admin console as policy violations.

The result is a managed device estate where compliance is declared at enrollment and assumed continuously, rather than verified continuously. The policy exists. The enforcement evidence does not.

What the Gap Costs Operationally

Unauthorised Application Detection 

An employee installs a personal file-sharing application on their enrolled work profile device. The MDM policy prohibits unauthorised applications. The application is present. The MDM admin console shows the device as compliant because it has not run an inventory check against the approved application list since enrollment.

For ITeS and BPO organisations where employees access client systems from managed devices, an unauthorised application capable of handling clipboard data or capturing screen content creates a direct client data exposure risk. The contractual obligation to maintain secure managed devices is not satisfied by a policy that is never verified.

CVE-Affected Version Detection

A vulnerability disclosure identifies a specific version of a widely-used Android application as affected. The CVE is published with the affected package identifier and version range. Without per-device application inventory, the answer requires manually checking representative devices or waiting for the next managed application update cycle. With inventory data that includes package identifiers and version numbers for every installed application on every enrolled device, the query is immediate: return all devices where package identifier X is installed at version Y or below. 

Shadow IT Discovery

Shadow IT on managed devices is a data governance problem that most organisations discover reactively. An employee uses an unapproved note-taking application to capture meeting minutes containing client information. A developer uses a personal SSH client on their managed device. All of these create data handling exposures the organisation did not authorise and cannot manage without knowing the applications exist. Per-device inventory makes them visible.

What Per-Device Application Inventory Captures

Akku MDM’s per-device application inventory collects the installed application list from each enrolled Android device on a regular automated schedule. For each installed application, the inventory captures the application name, the package identifier in reverse domain notation, the installed version number, and the install date where available from the device.

The package identifier is the technically precise field that matters for security and compliance workflows. CVE databases reference affected software by package identifier. Vulnerability management tools query by package identifier. The inventory output uses the same identifier format, making cross-referencing against CVE feeds a direct comparison rather than a fuzzy name-matching exercise.

The inventory covers applications installed in the managed work profile and, where the device configuration and Android version permit, applications visible in the personal profile. The visibility scope in the personal profile is governed by Android’s enterprise privacy framework. Akku MDM operates within these framework boundaries.

How This Connects to App Whitelisting and Policy Enforcement

Akku MDM‘s app whitelisting and blacklisting capability is the enforcement layer. Per-device inventory is the visibility layer. Used together, the inventory identifies what is present and the policy defines what is permitted. The gap between the two is the enforcement finding.

For organisations managing compliance under DPDPA Rules 2025, the ability to demonstrate that enrolled devices carry only approved applications is part of the technical evidence that the device security standard is being maintained. A policy document is not sufficient. Inventory evidence that the policy is being met is what the compliance record requires.

The Three Questions Worth Asking About Your Current MDM Deployment

Navigate to your MDM admin console right now and open the record for any enrolled device that has been active for more than six months. Can you see a complete list of every application currently installed on that device? If the answer is no or partial, the inventory visibility gap is confirmed.

If a CVE disclosure was published today for a specific Android application package, how long would it take your security team to produce a list of every affected enrolled device? If the answer requires anything beyond a query against an inventory database, the data is not available in the form that vulnerability management requires.

For any enrolled device in your estate, can you confirm that the applications present today match the approved application list without physically inspecting the device or asking the user? If not, the compliance posture that Akku MDM is designed to maintain is being declared rather than demonstrated.

Explore Akku MDM Capabilities |  Talk to the Akku Team 

Questions IT Security and MDM Administrators Ask About Per-Device Application Inventory

Q: Does per-device inventory cover applications installed in the personal profile on a BYOD work profile device?

A: The scope depends on enrollment type, work profile configuration, and Android version. For fully managed corporate-owned devices, inventory covers all installed applications. For work profile deployments on personally-owned devices, managed work profile applications are always visible. Personal profile visibility depends on what Android’s enterprise privacy framework permits under the organisation’s MDM policy configuration. Akku MDM operates within these framework-defined boundaries.

Q: How does the package identifier field support vulnerability management workflows?

A: CVE databases reference affected software by package identifier, the reverse domain notation string that uniquely identifies an Android application. When a CVE disclosure identifies an affected package, the query against the Akku MDM inventory uses the package identifier directly: return all devices where this identifier is present at a version within the affected range. This produces a targeted list of affected devices without name-matching ambiguity. 

Q: How frequently does the inventory update?

A: The inventory updates on a regular automated schedule. The specific interval depends on MDM policy configuration and device connectivity state. Devices in active use with network connectivity update more frequently. The admin console displays the timestamp of the most recent inventory collection for each device.

Q: How does per-device inventory connect to DPDPA Rules 2025 device security requirements?

A: DPDPA requires data fiduciaries to implement technical measures to protect personal data, including ensuring access to personal data systems comes from devices meeting a defined security standard. Per-device application inventory provides the continuous verification evidence that policy enforcement alone cannot produce. The inventory record shows what was present on each device at a given point in time, which is the evidentiary basis for demonstrating that device security standards were being maintained continuously rather than declared at enrollment.

Q: What is the difference between app whitelisting and per-device inventory and why are both needed?

A: App whitelisting is a policy control defining which applications are permitted. Per-device inventory is a visibility control showing which applications are actually present. Policy without inventory means you have declared what should be present but have no mechanism to verify it. Inventory without policy means you can see what is present but have no standard to compare it against. The combination produces enforcement evidence rather than policy documentation.

Q: Can the inventory data be accessed programmatically for integration with vulnerability management or SIEM tools?

A: Yes. Inventory data is accessible through the Akku admin console and the Akku API. The API allows programmatic retrieval per device or across the full enrolled device estate. The package identifier field enables direct comparison between enrolled device inventory and CVE feed data without requiring custom field mapping or name-matching logic.

SSH Session Logging and Authentication Logging Are Not the Same Control.

A security incident investigation is three days in. A privileged user accessed a production database server on a Tuesday afternoon. Something changed on that server that caused a downstream service failure two days later.

The authentication log shows the login event. Username, timestamp, source IP, session duration. 23 minutes. The session ended cleanly. Nothing else is in the record.

The investigation needs to know what SQL queries were run. Which tables were accessed. Whether any schema changes were made. Whether any data was exported. None of that is in the log. The record proves the user was there. It cannot prove what they did while they were there.

The scope of the incident cannot be determined. The remediation cannot be confirmed as complete. The finding goes into the report as inconclusive.

This is not an unusual outcome. It is the default outcome in environments where privileged session governance means authentication logging without SMART Audit Trails. And it is increasingly a compliance gap as well as an operational one. 

What Authentication Logs Capture and What They Do Not

Authentication logs record the events at the boundary of a session: the login event with actor identity, timestamp, source IP, MFA method used, and authentication outcome. The session termination event with timestamp and duration. In some implementations, the target system and protocol.

What authentication logs do not capture: commands executed during an SSH session, SQL queries run during a database session, files accessed or modified, configuration changes made, RDP screen activity, Kubernetes kubectl commands. All of this happens inside the session, after the authentication event.

The distinction matters because authentication logs and SMART Audit Trails are used for different purposes. Authentication logs are useful for access certification, anomalous authentication pattern detection, and confirming that access occurred. They feed directly into the MFA failure and login metrics APIs discussed in previous blogs in this series.

SMART Audit Trails are useful for post-incident investigation, compliance evidence production, and insider threat detection. They answer a different question: not whether access occurred, but what happened during the access.

What ISO 27001:2022 and SOC 2 Actually Require

ISO 27001:2022 Annex A Control A.8.15

Control A.8.15 requires that event logs recording user activities, exceptions, faults, and information security events are produced, stored, protected, and analysed. The specific language is user activities. A login event is not a user activity. The commands the user ran during the session, the queries they executed, the files they accessed: those are user activities. A.8.15 requires the latter. An authentication log satisfies the access record requirement at the session boundary. It does not satisfy the activity record requirement for what occurred inside the session. SMART Audit Trails satisfy this second requirement. 

The 2022 revision of the standard also strengthened the protection requirement for event logs. Control A.8.15 specifies that log facilities and log information shall be protected against tampering and unauthorised access. For SMART Audit Trail recordings, this means they must be stored in a location the privileged user who ran the session cannot access or modify, regardless of their privilege level on the target system.

SOC 2 Trust Services Criteria CC7.2

SOC 2 CC7.2 requires that the organisation monitors system components and the operation of those controls for anomalous behaviour. Monitoring for anomalous behaviour in a privileged session requires SMART Audit Trail recordings. A login timestamp does not tell you whether the session contained anomalous commands.

The evidence standard for CC7.2 in a SOC 2 audit increasingly includes demonstrating that session-level monitoring is in place for privileged access, not just that authentication events are logged.

PCI-DSS Requirement 10

PCI-DSS Requirement 10.2 requires implementing audit logs to reconstruct activities for all individual user access to cardholder data and all actions taken by any individual with root or administrative privileges. For database sessions on systems containing cardholder data, this explicitly requires query-level logging, not authentication-level logging.

How AkkuReka Implements SMART Audit Trail Recording

AkkuReka is the session proxy component within Akku PAM. All privileged sessions are routed through AkkuReka rather than connecting directly to the target system. This proxy position means AkkuReka operates at the protocol layer between the authenticated user and the target, which is where the SMART Audit Trail data is generated.

SSH Sessions

For SSH sessions, AkkuReka captures a complete keystroke log per command, timestamped at the protocol level. Every command typed, every output returned, every file path referenced. The recording is structured per command as a discrete event with its own timestamp, making it searchable by command string rather than requiring review of a continuous recording.

Database Sessions

For MySQL and PostgreSQL sessions, AkkuReka captures both a screen recording and a structured SQL query log as part of the SMART Audit Trail. Each query is stored as a discrete record with execution timestamp, query text, and result metadata.

For financial services organisations where PCI-DSS, RBI, and SEBI compliance requires evidence of database access at the query level, this is the specific evidence type those frameworks are asking for. The authentication log confirms who logged in. The SQL query log confirms what they did once connected.

RDP and Kubernetes Sessions

For RDP sessions, AkkuReka captures full screen recordings at a configurable frame rate. For Kubernetes cluster access via kubectl, AkkuReka captures both a session event recording and a command log for kubectl operations. Kubernetes access is one of the most commonly excluded infrastructure categories from PAM deployments. The kubectl command log closes the same governance gap for container orchestration that SSH keystroke logging closes for Linux servers.

The Outbound Worker Architecture

AkkuReka uses an outbound worker model. A lightweight worker process is deployed in the same network segment as the target systems. The worker initiates an outbound TLS 1.3 connection to the Akku cloud platform. No inbound ports are required on target systems or firewalls. No agent installation. No SSH configuration changes. Target systems require no modification.

For ITeS and BPO organisations where target systems include client-managed infrastructure that cannot be modified, and for manufacturing organisations with OT-adjacent infrastructure where agent installation is operationally constrained, the agentless outbound worker model means session recording coverage can extend to systems that would be excluded from an agent-based architecture. 

Tamper Evidence and Storage 

SMART Audit Trail recordings are stored encrypted using AES-256-GCM in Akku’s audit storage layer. The storage is append-only. Recordings cannot be modified or deleted after they are written. The privileged user who ran the session has no access to the recording layer regardless of their privilege level on the target system. Even a user with root access on a Linux server cannot modify their recording because it is written to Akku’s audit storage at the proxy layer, outside the scope of any privilege the user holds on the target.

What to Check in Your Current Privileged Access Environment

For each category of privileged session in your environment, answer this question: if a privileged user ran a command during a session last Tuesday that caused a problem, how many minutes would it take your security team to identify the specific command, the specific session, and confirm attribution to a specific individual?

If the answer requires accessing logs on the target system itself, and the user who ran the session had the ability to modify those logs, the evidence integrity is compromised before the investigation starts.

For Linux servers, check whether SSH sessions are being captured in SMART Audit Trails beyond the standard auth.log authentication events. For database servers, check whether query-level logging is enabled and whether those logs are stored in a tamper-evident location outside the database server itself.

See AkkuReka Session Proxy Architecture  |  Explore Akku PAM  |  Talk to the Akku Team 

Questions Security and Compliance Teams Ask About Privileged Session Logging

Q: What is the technical difference between an authentication log and a SMART Audit Trail?

A: An authentication log records events at the session boundary: the login event with actor identity, timestamp, source IP, MFA method, and authentication outcome, and the session termination event with timestamp and duration. It records that access occurred. A SMART Audit Trail records what happened during the session: every command executed, every query run, every file accessed, every configuration change made. ISO 27001 A.8.15 requires both: the authentication record for access accountability and the activity record for user activity logging. Most privileged access environments have built the first and not the second.

Q: What is the storage format for AkkuReka SMART Audit Trail recordings?

A: SSH keystroke logs are stored as structured text with per-command timestamps, searchable by command string across all sessions in a time period. RDP recordings are stored as compressed video at the configured frame rate. Database session recordings include both a screen capture and a structured SQL query log where each query is a discrete record with execution timestamp, query text, and result metadata. All recordings are encrypted at rest with AES-256-GCM and accessible through the Akku admin console or API under RBAC-controlled access.

Q: Does AkkuReka require any agent installation or configuration changes on target systems?

A: No. AkkuReka uses an outbound worker model. The worker process is deployed on a separate host in the same network segment as the target systems. Target systems require no modification, no agent installation, and no configuration changes. The only requirement is that the AkkuReka worker has network access to target systems on their native protocol ports and outbound HTTPS on port 443 to the Akku cloud.

Q: How does AkkuReka protect SMART Audit Trail recordings from tampering by the privileged user?

A: AkkuReka records sessions at the proxy layer, outside the target system and outside the user’s access scope. A user with root access on a Linux server cannot modify their recording because it is not stored on the target. The storage is append-only and tamper-evident by design.

Q: How does SMART Audit Trail recording support compliance with PCI-DSS Requirement 10?

A: PCI-DSS Requirement 10.2 requires logging of all individual user access to cardholder data and all actions by individuals with root or administrative privileges. For database sessions in the cardholder data environment, this requires SQL query-level logging. AkkuReka’s structured SQL query log for MySQL and PostgreSQL sessions captures each query as a discrete record with execution timestamp and query text, directly satisfying the Requirement 10.2 evidence standard.

Q: What is the forensic search capability for SSH session recordings?

A: AkkuReka indexes SSH session recordings by command string and timestamp. An investigator querying for a specific command across all sessions in a defined time window receives the sessions where the command appeared, the exact timestamp, and a link to the playback position. An investigation that would require reviewing hours of recordings can be completed through a command string query in minutes.

Provisioned Access and Accessed Access Are Two Different Datasets.

A provisioning record captures a point-in-time entitlement decision: this user was granted access to this application on this date. It records that the door was opened. It contains no information about whether anyone has walked through it since.

An access usage record captures an event: this user authenticated and launched this application at this timestamp from this device. It records that the access was exercised. It is a different dataset from the provisioning record and in most IAM architectures, it does not exist. 

The absence of access usage data has three distinct consequences that are usually treated as separate problems but share the same root cause. First, dormant accounts with valid access entitlements accumulate as an unmonitored attack surface. Second, access reviews that run without usage data certify entitlements rather than evaluate continued need, which is not what ISO 27001 A.5.18, SOC 2 CC6.3, or DPDPA Rules 2025 require from a periodic access review. Third, SaaS licences assigned to users who have not launched the application in months represent recoverable budget that the organisation has no mechanism to identify without usage data.

This blog covers the technical distinction between the two datasets, what each consequence looks like operationally, and what application launch monitoring at the SSO layer produces as a usage record without requiring per-application integrations.

Why Provisioning Records Are Not Usage Records

Provisioning is architecturally event-driven: it triggers on access requests and access removals. Between those two events, the provisioning platform has no visibility into what happens with the entitlement. Whether the user launches the application daily or not at all, the provisioning record is identical. The record reflects the entitlement state, not the usage state. 

Application usage data, where it exists, lives in the application itself. Applications that generate access logs produce records of who authenticated and when. Those records live in the application’s own logging infrastructure. Pulling them into a coherent cross-application usage view requires native API integrations with each application, a CASB layer that monitors application traffic, or manual extraction on a schedule. None of these is operationally straightforward at scale across 40 to 60 SaaS applications. 

The result is that most organisations have precise provisioning records and no structured usage data. The two datasets that together constitute a complete picture of access governance exist independently, and most organisations only have one of them.

What the Absence of Usage Data Costs

Dormant Accounts as an Unmonitored Attack Surface

An account that has not been used in 90 days is not actively monitored by the user who owns it. Password change notifications go unread. Anomalous MFA prompts go unreported. If the account’s credentials are compromised, the compromise may not surface for weeks because the legitimate user has no reason to notice anything unusual about an account they are not using.

NIST SP 800-53 Control AC-2 recommends disabling inactive accounts after a defined period. ISO 27001:2022 Annex A Control A.5.16 requires that identity management include a mechanism for reviewing and disabling inactive identities. Most organisations have a policy that specifies an inactivity threshold. Very few have a technical mechanism that enforces it, because they do not have the usage data needed to identify which accounts are inactive.

Access Reviews Without a Meaningful Baseline

Access reviews under ISO 27001 A.5.18 and SOC 2 CC6.3 are supposed to evaluate whether access is still appropriate. Without usage data, the reviewer can confirm that the entitlement exists and that the user’s current role appears to justify it. They cannot evaluate whether the access has been exercised in the review period, whether the usage pattern is consistent with the stated business need, or whether the access should continue to exist given that nobody has used it in six months.

Under DPDPA Rules 2025, access to personal data should be granted on a need-to-know basis and reviewed periodically. A review that certifies access without any data on whether the access has been exercised is not a meaningful review of whether the need-to-know condition is still met. For financial services organisations and healthcare organisations where access reviews are part of RBI, SEBI, and HIPAA compliance obligations, a review based on usage data is qualitatively and evidentially different from a review based on entitlement records alone.

Recoverable SaaS Licence Spend

SaaS licences are priced per seat. A seat occupied by a user who has not launched the application in six months is a seat being paid for without return. Industry data from SaaS management platforms consistently indicates that between 20 and 30 percent of provisioned SaaS seats are unused in a typical month. For a mid-market organisation with 500 users and 50 SaaS applications, that percentage represents a significant monthly spend on licences that could be reclaimed and reallocated or cancelled. Identifying and reclaiming those seats requires knowing which users have not launched which applications in a defined period. That requires usage data. 

What Application Launch Monitoring Produces

Application launch monitoring captures the event that occurs when a user authenticates through the IAM platform and is directed to a specific application. It operates at the SSO layer, not at the application layer. Any application that uses SSO-based authentication through Akku produces a launch event at the identity platform regardless of whether the application has its own session logging capability. No per-application integration is required.

Each launch event captures the user identifier, the application accessed, the timestamp, the device, and the geo-location of the authentication. This data is stored per user per application, producing a usage record that sits alongside the provisioning record in the identity platform.

Last-Used Date Per User Per Application

The immediately actionable output is a last-used date for each user-application combination. An access review showing a user has not launched an application in 120 days has a different conversation than one showing daily usage. The reviewer makes a decision based on actual usage behaviour rather than on whether the user’s role still appears to justify the access in the abstract.

For automated lifecycle management, last-used date enables a technical policy: accounts that have not accessed an application within a defined period are flagged for review or automatically suspended based on the risk profile of the application. This is the technical enforcement of what ISO 27001 A.5.16 and most inactivity policies describe but rarely implement.

Anomaly Detection From Usage Baseline 

Application launch data over time produces a usage baseline per user per application. A user who normally launches the CRM five times daily but whose launch events stop appearing for two weeks has experienced something: a missed offboarding, extended leave, or an account compromise that locked the legitimate user out. A user who normally accesses a specific application once a week but suddenly launches it dozens of times in a single session is also anomalous. Both signals are only available if launch data is being collected.

Licence Reclamation With Documented Evidence

Usage data enables licence reclamation with evidence rather than estimation. The IT team produces a report showing per application: provisioned users, users who launched at least once in the last 30 days, and users who have not launched in 90 days. That report is the basis for a licence reclamation conversation with the application vendor. Removing dormant seats from a SaaS licence is a straightforward conversation when the usage data supports it.

How This Connects to Automated User Lifecycle Management

Application launch data is most operationally powerful when connected to the automated user lifecycle management layer in Akku rather than existing as a standalone reporting view. When the last-used date for a user-application combination crosses a defined threshold, the lifecycle management layer triggers a review workflow automatically: the user’s manager is notified, confirmation of continued need is requested, and access is removed if no confirmation arrives within the defined period.

This closes the loop between usage visibility and access governance without requiring a manual process for each dormant account. The review is triggered by the data. The outcome is recorded in the provisioning system. The audit trail shows that dormant access was identified, reviewed, and either confirmed or removed, which is the evidence that a meaningful periodic access review under ISO 27001 A.5.18 and DPDPA is supposed to produce.

For ITeS and BPO organisations where employees frequently change project assignments and client system access needs corresponding adjustment, application launch data makes the access actually being used visible in a way that a provisioning record cannot. Access to a client system that has not been launched since a project ended three months ago is a deprovisioning candidate that the standard offboarding process may have missed. 

Before You Move On

Pick three applications in your environment that hold sensitive data. For each one, pull the list of provisioned users from your IAM platform. Then answer: of those users, how many have not accessed the application in the last 90 days?

If the IAM platform cannot answer that question from its own data, the usage visibility gap is confirmed. The provisioning record exists. The usage record does not. The security implication is a list of dormant accounts passing access reviews without any evidence of whether the access is still exercised. The compliance implication is that those reviews, under DPDPA and ISO 27001, are based on entitlement data rather than access behaviour. The cost implication is a straightforward calculation: dormant licensed seats multiplied by the per-seat monthly cost. 

Explore Akku IAM and Lifecycle Management  |  See Akku IGA and Access Reviews  |  Talk to the Akku Team

Questions IT and Compliance Teams Ask About Access Usage Visibility

Q: What is the technical difference between a provisioning record and an application launch record? 

A: A provisioning record captures the entitlement lifecycle: when access was granted, by whom, under what approval, and when it was removed. It records a decision about access. An application launch record captures a usage event: a specific user authenticated and was directed to a specific application at a specific timestamp. The two records describe different things. A provisioning record answers whether a user has access. An application launch record answers whether a user has used their access. Both are required for complete access governance. Most IAM platforms maintain only the provisioning record.

Q: How does application launch monitoring differ from application-level session logging? 

A: Application-level session logging is performed by the application itself and requires either native logging capability in the application or a CASB layer intercepting traffic. Application launch monitoring is performed at the SSO layer: when the user’s authenticated session is redirected from the identity platform to the application, the launch event is captured. It requires no integration with each individual application. Any application using SSO-based authentication through Akku produces a launch event at the identity platform regardless of the application’s own logging capability.

Q: How does DPDPA treat dormant access to personal data systems?

A: DPDPA requires that access to personal data is granted on a need-to-know basis and reviewed periodically. An account that has not accessed a personal data system in several months raises a question about whether the need-to-know condition is still met. A periodic access review certifying access without usage data cannot meaningfully evaluate this. The DPDPA’s access accountability requirements imply that the organisation can demonstrate not just that access exists and was approved, but that access is actively justified by current need. Application launch data provides the evidence needed to distinguish active access from dormant access. 

Q: What is a practical inactivity threshold for triggering an access review?

A: The appropriate threshold depends on the application’s risk profile. For high-sensitivity applications containing personal data, financial records, or privileged system access, 30 days is appropriate. For standard productivity applications, 60 to 90 days is common. The threshold should be defined in the access control policy rather than set arbitrarily, so the automated review trigger is aligned with the policy’s stated inactivity standard. ISO 27001 A.5.16 does not specify a number but requires that inactive identities are identified and addressed within a defined timeframe.

Q: How does usage data improve the quality of access reviews under SOC 2 CC6.3?

A: SOC 2 CC6.3 requires periodic review of whether existing access is still appropriate. With only entitlement data, the reviewer confirms the access exists, and the role appears to justify it. With usage data, the reviewer can evaluate whether the access has been exercised in the review period and whether the usage pattern is consistent with the stated business need. A reviewer who sees that a user has not launched an application in 180 days makes a substantively different decision than one who sees only that the entitlement exists. The audit evidence produced by a usage-informed review is qualitatively stronger under both SOC 2 and ISO 27001.

Q: How does Akku connect application launch data to the provisioning and deprovisioning lifecycle?

A: In Akku, application launch events are captured at the SSO layer when users access applications through Akku-managed SSO. This data feeds into the access governance layer alongside provisioning records, producing a combined view of who has access and who is using it. Inactivity thresholds can be configured as policy rules that trigger automated review workflows when a user-application combination has not produced a launch event within the defined period. The full chain from provisioning through usage monitoring through periodic review to deprovisioning is traceable in a single audit trail.