Blog
Identiverse 2026: Identity Governance’s Unfinished Business
Identiverse 2026 Recap: Identity Is Still Cool, and the Problems Are Still Real Well, that’s...
Ask any identity team to list the systems they worry about most, and the same names come up. The 30-year-old clinical platform that still runs the night shift. The custom-built tool a single engineer wrote in 2014 and never documented. The mainframe interface behind three layers of terminal emulation. The platform that arrived with last year’s acquisition and has never been touched since.
These are the applications that hold the most sensitive access in the enterprise. They are also the ones with the least or no API support and the longest connector development timelines. The correlation is not a coincidence. The same characteristics that make an application hard to integrate;, age, custom architecture, no modern interface, are often the same characteristics that let it accumulate privileged access without much scrutiny.
Modern governance assumes a modern application. Identity governance and administration platforms are built to connect cleanly to systems that expose well-documented APIs, support standard provisioning protocols, and present structured identity data. For the SaaS layer and the well-behaved internal systems, this works. Access gets certified, provisioning gets automated, and audits come back clean.
The problem is that the well-behaved systems are rarely where the risk lives. In most enterprises, the majority of the application estate sits outside any governance platform, and those disconnected applications are not evenly distributed across the risk spectrum. They cluster at the high end: legacy clinical systems with access to patient records, financial platforms that predate the current compliance regime, research and lab applications in regulated environments, and the inherited systems that every merger drags along.
When governance cannot reach these systems, the result is a familiar set of failure modes. Audits come back incomplete because hundreds of applications were never in scope. Offboarding leaves orphaned accounts in business systems and local applications that no automated process ever touched. Security initiatives like Zero Trust and Least Privilege stall, because you cannot enforce a policy on access you cannot see. The systems that most need governance are precisely the ones left out of it.
The standard responses to a disconnected application fall into a few categories, and each one runs out of road in the same place.
The first is to wait for an API. Many of these systems will never get one. A mainframe interface or a discontinued clinical platform is not on a roadmap. There is no vendor planning a SCIM endpoint for software that shipped before SCIM existed. What’s to say the API exposes the data you need to govern.
The second is to build a custom connector. This works, but it is expensive and slow. Custom connector development for a legacy system can run for months, and the IAM team that owns the work is usually already under-resourced. Every connector built this way also becomes a maintenance liability the moment the underlying application changes.
The third is to manage the application by hand. CSV exports, email approvals, spreadsheets tracking ownership, and quarterly certification campaigns where managers approve access to systems they do not fully understand. This is not governance. It is the appearance of governance, maintained at significant operational cost, and it tends to be the first thing an auditor finds.
Approaches that depend on an application exposing an API, or that focus on extending single sign-on and access controls at the browser, address part of the landscape. They do not solve the case where the application has no API to call and no modern interface to sit in front of. That is the gap where the highest-risk systems live, and it is the gap that has stayed open the longest.
READI’s approach to this problem starts from a different assumption. Instead of requiring an application to expose a programmable interface, the Smart Connector governs the interface the application already has: the screen.
Smart Connector is a no-code capability that combines computer vision with plain-English instructions to operate an application the way a person would, reading and acting on its actual interface. It works across web applications, Win32 desktop applications, and legacy terminal systems. This is the part of the application landscape that has historically been out of reach, but with READI it is where the connector timeline collapses from months of custom development to a simple configuration exercise.
The Smart Connector sits inside the broader READI platform alongside Connector Studio for systems that do expose interfaces worth scripting against, and Bot Studio for PowerShell-based automation of the surrounding workflow. The combination matters more than any single piece. The full breadth of web, Win32, and terminal coverage under one identity lifecycle platform is what lets a team bring its highest-risk applications into governance without standing up a custom engineering effort for each one.
READI is a certified SailPoint Technology Partner, and this capability is complementary to an existing IGA investment, not a replacement for it. The IGA platform remains the system of record for governance. READI extends its reach to the applications it was never designed to connect to, so the governance program that already works for the modern application layer can finally cover the systems that carry the most risk.
The instinct on a disconnected application is to defer it. It is hard, the API is not coming, and there are easier wins elsewhere. But the difficulty of connecting an application is correlated with the severity of its risk, which means the deferral compounds. The longer a high-access legacy system stays outside governance, the larger the gap between what your audit reports and what your environment actually contains.
The applications that matter most are the ones nobody wants to connect. They are also the ones where closing the gap delivers the most. Starting there is the harder choice, and it is the one that moves the risk number.
Insights, best practices, and real-world stories from the front lines of identity transformation.
Identiverse 2026 Recap: Identity Is Still Cool, and the Problems Are Still Real Well, that’s...
Identity workflows you can automate this quarter, with step-by-step logic, system requirements, and ROI estimates...
Governance at scale without compliance risk. A practical framework for identifying which tasks can be safely delegated,...