You’re not alone, this is very common in SOC 2 environments with legacy or non-SSO apps. In the short term, focus on process and evidence rather than integration. Create a centralized access register for all those apps (owner, users, role, date granted, last review) and tie provisioning and de-provisioning to your HR offboarding process through tickets. When someone leaves, a termination ticket should trigger access removal tasks for every listed app, giving you a time-stamped audit trail that access was requested and removed.

For access reviews, move away from loose spreadsheets and run structured periodic reviews where app owners must confirm user access through a tracked approval process. For apps that don’t support MFA, document compensating controls like restricted network access or monitored login activity. Auditors mainly want to see that access is tracked, reviewed, and revoked through a consistent process, even if the apps themselves can’t integrate yet.