In Part 1 of this series, 'Hot Potato - Who Should Own Application Governance in Entra ID,' we introduced the application governance challenge in Entra ID and explored the current landscape. Now, let's examine the various teams typically involved in application governance and why ownership has become such a challenge.
Application governance in Entra ID requires a diverse set of skills and perspectives. The challenge is that multiple teams have legitimate claims to ownership, yet often none of them possesses the complete skill set needed to manage governance effectively on its own. This creates a scenario where teams either compete for control or, more commonly, assume someone else is handling the critical aspects of governance. As a CISO who works on behalf of organizations to close security and governance gaps, I've watched this 'hot potato' of application governance ownership get passed around many times.
Let's take each of these teams in turn:
The M365 team often finds itself pulled into application governance because many applications integrate directly with Microsoft 365 services. They're typically focused on:
Ensuring applications work correctly with Exchange, SharePoint, and Teams
Managing app permissions to Microsoft 365 data
Addressing user experience issues related to application integration
Maintaining service availability and performance
Implementing feature updates and ensuring compatibility
Why they get involved: "This app needs to access Exchange mailboxes and SharePoint sites, so it's our problem."
Their challenge: While they understand the M365 ecosystem thoroughly, they may lack broader identity expertise and security focus. They're more often concerned with functionality for users than governance controls. When security policies conflict with user experience, they tend to advocate for the latter.
Their perspective: "Our primary responsibility is keeping M365 services running smoothly. We can't let governance slow down business productivity."
The identity team becomes involved because applications need to be registered in Entra ID and configured for authentication:
They manage the identity platform that applications depend on
They implement authentication protocols and standards
They establish identity life cycle processes that applications must follow
They configure federation and external identity providers
They monitor authentication patterns and anomalies
Why they get involved: "This app uses Entra ID for authentication, so we need to set it up."
Their challenge: While they understand identity protocols and security, they may lack context about business requirements and application functionality. They can secure the front door but may not fully grasp what's happening inside the house. They're often understaffed and focused on immediate identity needs rather than long-term governance.
Their perspective: "We're responsible for securing access to resources, but we can't be expected to understand every application's business context or data handling practices."
Security teams often step in when they recognize the potential risks associated with poorly governed applications:
They conduct security reviews of new applications
They monitor for suspicious application behavior
They enforce security policies across the application landscape
They respond to security incidents involving applications
They perform penetration testing and vulnerability scanning
Why they get involved: "This app has access to sensitive data, so we need to assess and monitor it."
Their challenge: Security teams may focus primarily on risk without balancing business needs and user experience. Their involvement can sometimes be perceived as an obstacle rather than an enabler. They typically lack the resources to deeply analyze every application and may resort to blanket policies that frustrate business units.
Their perspective: "Our job is to protect the organization's data and systems. If that means saying 'no' to risky applications, so be it."
Though often overlooked in the governance discussion, IT operations teams frequently become involved with application support:
They handle application performance issues and outages
They manage the infrastructure that applications run on
They implement backup and disaster recovery for applications
They often become the default support contact for application issues
Why they get involved: "When the application stops working, users call the service desk, so we need to understand how it's configured."
Their challenge: Operations teams rarely have visibility into the initial application setup and security decisions. They're focused on keeping systems running rather than governance controls, yet they're often the first to discover governance gaps when troubleshooting issues.
Their perspective: "We're expected to support these applications 24/7, but we're rarely involved in the governance decisions that impact reliability and supportability."
Unfortunately, the most common scenario is the accidental owner: someone who set up an application for a business unit and now finds themselves responsible for its governance.
Why they get involved: "I set this app up for the Sales team, so I ended up owning it."
Their challenge: Accidental owners often lack formal training in security best practices, application governance, or compliance requirements. They try their best but typically focus only on keeping the application running rather than implementing proper governance and security. When they leave the organization or change roles, governance knowledge is often lost.
Their perspective: "I'm just trying to help my department get their job done. I didn't sign up to be an IT expert."
This patchwork ownership approach creates serious vulnerabilities for an organization. Consider this typical scenario:
The marketing department requests a new analytics tool
IT helps configure the initial integration with Entra ID
The marketing admin is added as an owner of the app registration, which lets them manage its configuration, including credentials and requested permissions
Over time, the application receives increasingly sensitive data access
No one reviews the growing permissions or monitors for suspicious activity
Eventually, the marketing admin leaves the company
The application continues running with excessive permissions and no clear owner
This pattern repeats across organizations of all sizes, and every instance is a governance gap that adds to the organization's risk exposure. Without clear ownership, critical governance activities fall through the cracks:
Regular permission reviews don't occur
Security configurations drift from recommended practices
Data handling practices go unmonitored
User access remains long after it's needed
Integration endpoints multiply without oversight
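The orphaned-application scenario above can be detected from the tenant itself. The following PowerShell script is an added example (it is not part of the original post and is not ENow's tooling) that uses the Microsoft Graph PowerShell SDK to find app registrations whose owners are missing or are disabled user accounts, and then lists the application permissions and tenant-wide delegated grants that each app's service principal currently holds. It assumes the Microsoft.Graph SDK v2 modules are installed and that the signed-in account can consent to the read-only scopes requested; the sort at the end is a simple heuristic to put the riskiest results first.

```powershell
# Added example, not from the original post. Finds Entra ID app registrations with no
# active (enabled) user owner and reports the permissions their service principal holds.
# Assumes Microsoft.Graph SDK v2 (Microsoft.Graph.Applications, Microsoft.Graph.Users).
# Read-only: only Application.Read.All and Directory.Read.All are requested.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$findings = foreach ($app in Get-MgApplication -All -Property Id, AppId, DisplayName, CreatedDateTime) {
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)

    # Keep only owners that are user objects whose account is still enabled.
    # (Group owners and service principal owners are not treated as accountable here; assumption.)
    $activeOwners = foreach ($o in $owners) {
        if ($o.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            $u = Get-MgUser -UserId $o.Id -Property AccountEnabled, UserPrincipalName
            if ($u.AccountEnabled) { $u.UserPrincipalName }
        }
    }
    if ($activeOwners) { continue }   # someone is still accountable; skip this app

    # Consented permissions live on the service principal, not the app registration.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" -Property Id
    $appRoles  = @()
    $delegated = @()
    if ($sp) {
        # Application permissions: usable without any signed-in user, so the riskiest kind
        # for an app nobody owns.
        $appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
            ForEach-Object {
                $assignment = $_
                $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId -Property DisplayName, AppRoles
                $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
                "$($resource.DisplayName)/$($role.Value)"
            }
        # Delegated permissions granted for all users (admin consent), as opposed to per-user consent.
        $delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
            Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
            ForEach-Object { $_.Scope.Trim() -split ' ' }
    }

    [pscustomobject]@{
        DisplayName         = $app.DisplayName
        AppId               = $app.AppId
        Created             = $app.CreatedDateTime
        OwnerCount          = $owners.Count        # 0 = no owner at all; >0 = only disabled or non-user owners
        AppPermissions      = ($appRoles -join ', ')
        TenantWideDelegated = ($delegated -join ', ')
    }
}

# Surface apps with the longest list of application permissions first.
$findings | Sort-Object { $_.AppPermissions.Length } -Descending | Format-Table -AutoSize
```

Run it with a read-only account and treat the output as a review queue: assign an owner, or remove the permission (Remove-MgServicePrincipalAppRoleAssignment removes an application permission) before anyone reaches for the credentials. Two caveats: the script only covers app registrations that live in your tenant, so a multi-tenant application consented into your tenant from elsewhere has a service principal but no local registration and will not appear; and an app whose only owner is a group is reported as ownerless, which may or may not be what your organization wants.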
The application governance challenge manifests differently depending on organizational size and structure.
Smaller companies often struggle with:
Limited specialized expertise in identity and security
Single individuals wearing multiple hats
Lack of formal governance processes
Focus on functionality over security
Budget constraints limiting governance investments
In small organizations, the accidental owner phenomenon is particularly common, with IT generalists becoming responsible for applications they don't fully understand. There's often an assumption that "someone else is handling it" when, in reality, no one has a complete picture of the application ecosystem.
Larger enterprises face different challenges:
Siloed teams with limited communication
Complex approval workflows that slow implementation
Difficulty maintaining consistent standards across business units and sites
Legacy applications with poor or, in some cases, no documentation
Organizational politics affecting governance decisions
Enterprises may have the expertise but often lack the coordination and clear ownership models needed for effective governance. When responsibility is distributed across multiple teams without clear accountability, critical governance gaps emerge.
Application governance requirements also vary significantly by industry:
Healthcare: Strict HIPAA and HITECH requirements around application access to patient data. Healthcare organizations must maintain detailed access logs and ensure applications handle PHI appropriately.
Financial Services: Regulatory requirements for application monitoring and audit. Financial institutions face stringent controls around data access, segregation of duties, and transaction monitoring.
Government: Compliance frameworks that mandate specific application security controls. Government agencies must adhere to standards like FedRAMP, NIST 800-53, or local equivalents.
Education: Balance between open academic environments and student data protection. Educational institutions must protect student information while maintaining academic freedom and research capabilities.
Each sector faces its own governance challenges, which further complicate the ownership question. Industry-specific compliance requirements add another layer of complexity to application governance and call for specialized knowledge that may not exist in the IT or security teams.
Regardless of company size or team structure, many suffer from this hot potato ownership or the bystander effect, where it's assumed that someone else will handle the situation, leading to inaction. But the reality is, if the app governance 'hot potato' is continuously passed or dropped altogether, your organization is inviting risk.
In the next part of this series, we'll explore the very real risks that emerge when application governance ownership is unclear or fragmented. Subscribe to our blog updates to get the next part delivered directly to your inbox!
🏆Want to take ownership, catch the App Governance Hot Potato, and be a hero?
Start with our Free AppGov Score & Assessment!
ENow's AppGov Score is a free security assessment tool that quantifies your organization’s Microsoft Entra ID application governance state. It gives an organization a starting point to understand potential risks associated with enterprise applications, app registrations, permissions, and default tenant settings within your Entra environment. Strengthen your application governance and security posture - start now!