Your organisation has forty-three applications. Each one manages its own users. Each one has its own provisioning process, its own access review cycle, its own offboarding checklist item, and its own audit log in its own format.
In normal operations, this is manageable. Imperfectly, slowly, with more manual effort than any IT team would choose, but manageable. The fragmentation becomes visible under two conditions: when something goes wrong and you need to understand what happened across multiple systems simultaneously, or when an auditor asks for a complete picture of who has access to what across the entire application estate.
Both conditions reveal the same structural gap. Identity fragmentation does not just create operational overhead. It creates security exposures, compliance evidence gaps, and incident response delays that are proportional to the number of applications operating as independent identity silos. Each additional application that manages identity separately adds another point at which an offboarding can be missed, an access review can be incomplete, an audit trail can end.
This blog covers what identity fragmentation looks like architecturally, the three categories of cost it creates, and what the evidence and security posture change when identity is consolidated on a unified platform rather than managed separately per application.
An organisation with forty-three applications and no centralised IAM platform has forty-three separate identity stores. Each application maintains its own user database with usernames and passwords specific to that application. Provisioning a new employee means creating accounts in each of the forty-three applications they need access to. Deprovisioning a departing employee means removing accounts from each of the forty-three applications they had access to. Changing a user’s access as they move between roles means updating their entitlements in each application where the role change affects their permissions.
An organisation that has deployed a centralised IAM platform with SSO but has not connected all applications to it has a partial fragmentation problem. The applications in the SSO catalogue are governed centrally. The applications outside the catalogue are still operating as independent identity silos. The provisioning and deprovisioning processes for the SSO applications are automated. The processes for the out-of-catalogue applications are manual.
The fragmentation problem intensifies as the application estate grows. Each new application added to the estate either goes through the integration effort to join the centralised identity framework or defaults to operating as an independent silo. Under time pressure and competing priorities, the default is the silo. The estate grows, the number of silos grows, and the gap between the centralised identity picture and the actual access state widens.
When a user leaves the organisation, access revocation must occur across every application they had access to. In a centralised IAM architecture with SSO and automated deprovisioning, the offboarding event triggers a single workflow that removes access across all connected applications. In a fragmented architecture, offboarding is a checklist: someone must manually identify every application the departing user had access to, initiate the revocation in each one, and verify that each revocation completed.
Checklists miss items. The application the departing employee used only occasionally but still had active credentials for is the one that gets missed. The niche internal tool that was provisioned informally two years ago and never added to the offboarding process is the one that retains the active account. The former employee who no longer has corporate email or directory access but still has credentials to a customer portal or a financial reporting tool is the security exposure that the offboarding checklist did not close.
The orphaned accounts that accumulate from missed offboardings are not monitored. The former employee’s account generates no alerts when it sits dormant. If the credentials are compromised, the compromise produces activity in an account that IT operations is not watching because it does not appear in the active user inventory. The blast radius of a compromised orphaned account in a customer portal or a financial system is significant.
ISO 27001 A.8.4 requires periodic review of user access rights across all information systems. SOC 2 CC6.3 requires that access is authorised, modified, or removed based on roles. DPDPA requires that access to personal data is governed by need-to-know and reviewed periodically. All of these requirements apply to the full application estate, not to the subset of applications connected to the centralised IAM platform.
In a fragmented architecture, the access review that runs through the IAM platform covers the applications in the platform. The applications outside the platform are either excluded from the review scope, covered by a separate manual process, or reviewed by a different team on a different cadence. The audit evidence for the full application estate is assembled from multiple sources with different formats, different timestamps, and different levels of completeness.
When an auditor asks for the access review evidence covering all applications containing sensitive data, the compliance team assembles a package from the IAM platform’s access review reports, separate exports from each out-of-catalogue application, and manual confirmation from application owners for systems that do not produce structured access reports. The package is incomplete, inconsistent, and assembled reactively rather than maintained continuously. The compliance posture is not the one the package represents.
Identity fragmentation creates operational overhead that is persistent rather than one-time. Every application that manages identity independently requires separate provisioning and deprovisioning processes, separate password reset support, separate access request workflows, and separate monitoring. The IT team’s time spent on identity administration scales with the number of silos rather than with the number of users.
The incident response cost is less visible but higher. When a security incident occurs that involves compromised credentials or unauthorised access, the investigation must reconstruct the access picture across every application that may have been affected. In a fragmented architecture, this means querying the authentication logs of each application separately, correlating events across systems with different log formats and different timestamp conventions, and identifying every application where the compromised identity had an active account.
The time between an incident being detected and the organisation having a complete picture of its scope is directly proportional to the degree of identity fragmentation. In a centralised architecture, the identity platform’s audit trail shows every authentication event across all connected applications from a single query. In a fragmented architecture, each application’s log must be reviewed separately. For a significant incident involving a compromised privileged account, the difference between a two-hour investigation and a two-day investigation may be the difference between containing the incident and losing control of it.
Akku’s full-stack IAM platform consolidates identity management across Workforce IAM, IGA, PAM, CIAM, MDM, and GPO onto a single platform with a shared identity foundation and a centralised audit trail. The 500+ pre-built application connectors covering cloud SaaS, on-premise, legacy, and custom-built applications reduce the integration effort required to bring applications into the central governance framework.
When identity is consolidated, offboarding becomes a single event rather than a checklist. The user lifecycle management engine triggers a deprovisioning workflow that propagates access revocation to every connected application simultaneously. The offboarding record captures the revocation timestamp for every application in a single audit trail entry. The compliance evidence for ISO 27001 A.8.2 is complete and accurate without manual assembly.
Access reviews cover the full connected application estate from a single interface. The IGA access review generates a recertification campaign that includes every application in the platform, presenting reviewers with a unified view of each user’s entitlements across all systems. The access review evidence is produced as a structured report from the platform rather than assembled from multiple sources. The completeness of the review is determined by the completeness of the application integration, creating a clear operational objective: bring every application into the platform.
Incident response benefits from the unified audit trail. A query for all authentication and access events involving a specific user identity returns results from every connected application in a single structured output. The investigation starts with a complete picture rather than building one from separate application logs. Command-level session recordings from PAM-proxied sessions answer questions about what happened inside privileged sessions, not just whether they occurred.
Bringing a fragmented application estate onto a unified IAM platform is a phased process. Akku’s 500+ pre-built connectors cover the most common SaaS applications with plug-and-play SSO integration. Legacy applications without modern protocol support are handled through credential replay SSO, which extends single sign-on to applications that cannot implement SAML or OIDC. Custom internal applications integrate through REST APIs and Akku’s SCIM provisioning interface.
Each application brought into the platform reduces the fragmentation surface by one silo. The offboarding checklist shrinks. The access review scope expands. The audit trail becomes more complete. The investment in each integration pays off in reduced manual process, improved compliance evidence quality, and faster incident response across the full lifetime of the application.
For financial services organisations where fragmented identity creates regulatory compliance gaps across RBI, SEBI, and DPDPA requirements, and for ITeS and BPO organisations where client data handling obligations require demonstrable access governance across all data-touching systems, the consolidation investment is not discretionary. It is the architectural prerequisite for the compliance posture the regulatory and contractual obligations require.
Count the applications in your environment that contain sensitive data, personal data, financial data, or privileged system access. Count how many of those are connected to your centralised IAM platform. The gap between the two numbers is the fragmentation surface. For each application in the gap, the offboarding process is manual, the access review is separate, and the audit trail ends at the perimeter of the application.
The question worth asking is not whether the fragmentation is manageable in normal operations. It is whether the fragmentation is acceptable at the moment of an incident, an audit, or a regulatory review. Those are the conditions under which the gaps become findings.
Explore Akku Workforce IAM | See Akku IGA Capabilities | Talk to the Akku Team
Q: How does Akku handle applications that do not support modern authentication protocols like SAML or OIDC?
A: Akku supports legacy applications without modern protocol support through credential replay SSO. Rather than federating identity using SAML or OIDC, the credential replay mechanism automates the submission of application-specific credentials on behalf of the authenticated user. The user authenticates to Akku with their corporate credentials and MFA, and Akku handles the legacy application’s login flow transparently. The user experiences single sign-on. The application receives its native credential. This extends SSO coverage to legacy applications that cannot be refactored to support modern federation protocols, allowing them to be included in the centralised identity framework without requiring application changes.
Q: What is the minimum viable integration scope for bringing an application into Akku’s centralised IAM framework?
A: The minimum viable integration is SSO connection, which brings the application’s authentication under the centralised identity layer. With SSO, every login to the application is authenticated through Akku, MFA is enforced, contextual access policies apply, and the authentication event is captured in the Akku audit trail. The provisioning integration, which automates account creation and removal through SCIM, is the next layer and covers the full lifecycle governance requirement. For applications where SSO is the only feasible integration, SSO alone closes the authentication visibility gap and enables the contextual access controls that the centralised platform provides.
Q: How does Akku’s unified audit trail differ from aggregating logs from individual applications into a SIEM?
A: Aggregating application logs into a SIEM produces a centralised log store, but the logs from each application retain their native format, field naming conventions, and event taxonomy. Correlating events across applications requires parsing each format separately and normalising fields before cross-application queries can run. Akku’s unified audit trail captures authentication and access events from all connected applications in a consistent, structured format at the identity platform layer, before the event reaches the application’s own logging infrastructure. The event schema is consistent across all connected applications: the same field names, the same event taxonomy, the same timestamp format. Cross-application queries run without normalisation because the data is already in a consistent format.
Q: How does IAM consolidation affect the time to provision a new joiner across a large application estate?
A: In a fragmented architecture, provisioning a new joiner across forty applications requires forty separate provisioning actions, either manual or through separate per-application automation. Total provisioning time scales with the number of applications and the speed of each individual process. In Akku’s consolidated architecture with SCIM-based provisioning, a single joiners event triggers simultaneous provisioning across all connected applications. The provisioning engine sends SCIM requests to each application’s endpoint in parallel. For an application estate of forty connected applications, the provisioning completes in the time required for the slowest application to respond to its SCIM request, typically seconds to minutes, rather than the cumulative time of sequential manual provisioning across all applications.
Q: What compliance frameworks most directly require identity consolidation?
A: No compliance framework explicitly requires a single IAM platform. However, multiple frameworks impose requirements that are structurally easier to satisfy with a consolidated platform than with a fragmented one. ISO 27001 A.8.2 requires access rights to be removed when employment terminates across all information systems: this requires a complete inventory of every application a user had access to, which is only reliable from a centralised platform. SOC 2 CC6.3 requires access to be modified based on role changes across all systems: manual processes across fragmented applications create the risk of missed updates. DPDPA requires that access to personal data is governed by need-to-know and reviewed periodically: a consolidated platform produces the access review evidence across all personal data systems from a single process. In each case, consolidation reduces the compliance risk by making the required control technically reliable rather than dependent on manual completeness.
Q: How does Akku’s platform consolidation approach handle custom-built internal applications?
A: Custom-built internal applications can be integrated into Akku’s centralised IAM framework through several mechanisms depending on the application’s architecture. Applications that can implement SAML 2.0 or OIDC for authentication can be federated directly. Applications that expose a user management API can be connected through Akku’s SCIM provisioning interface for automated provisioning and deprovisioning. Applications without API access can be included through credential replay SSO for authentication governance. The choice of integration mechanism is determined by the application’s technical capabilities rather than by Akku’s platform limitations. For custom applications, Akku’s REST API provides programmatic access to identity, authentication, and access management functions that can be embedded into the application’s own access management logic.
Your PAM platform covers privileged access. Ask your infrastructure team how much of it, and the answer will involve a…
Your SCIM provisioning connector ran its last sync six hours ago. It failed. Nobody received an alert. Nobody knows. The…
Your MDM platform reports device location. What it does not tell you is how much of the shift that location…
What is the most sensitive system in your organisation? Not the most technically complex. The one with the highest concentration…
Here is a question worth asking your compliance team: how long would it take to produce the evidence package for…
Your BYOD policy permits employees to access corporate applications from personal devices. The security team agreed to this because blocking…