Orphaned Accounts
Orphaned Accounts are user accounts that exist in systems but are no longer actively managed or monitored. They typically belong to users who have left the organization or changed roles, but whose access was never properly deprovisioned.
# WHAT TEAMS RUN INTO
- Orphaned accounts become lateral movement paths. An attacker compromises one application and uses orphaned credentials from that system to access others.
- Dormant accounts are harder to detect than active compromises. A dormant account with valid credentials sitting in a system is a ticking bomb — the longer it sits, the more likely it is to be discovered by threat actors.
- Audits find orphaned accounts too late. Year-end reviews discover accounts for people who left months ago, triggering emergency cleanup instead of continuous deprovisioning.
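The three problems above share one root cause: nobody is continuously comparing the accounts that exist in each system against who should still have them. The Python below is an added example (not from the original page or any product it describes) of the check an identity team would run on a schedule instead of waiting for a year-end audit. It generalises the page's two signals into reason codes: an account whose owner is missing or no longer on the HR roster is orphaned, and an enabled account with no recent login is dormant. The roster, the account export, the `Account` fields and the 90-day threshold are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """One account as exported from an application or directory (constructed shape)."""
    username: str
    system: str
    owner_email: Optional[str]       # who the account is attributed to; None if unknown
    last_login: Optional[datetime]   # None means the account has never been used
    enabled: bool


# Constructed sample data: the current HR roster and one application's account export.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HR_ROSTER: Set[str] = {"alice@example.com", "bob@example.com"}
ACCOUNTS: List[Account] = [
    Account("alice", "crm", "alice@example.com", NOW - timedelta(days=2), True),
    Account("bob", "crm", "bob@example.com", None, True),                       # never logged in
    Account("carol", "crm", "carol@example.com", NOW - timedelta(days=120), True),  # left the company
    Account("svc-report", "crm", None, NOW - timedelta(days=1), True),          # no recorded owner
    Account("dave", "wiki", "dave@example.com", NOW - timedelta(days=400), False),  # already disabled
]


def classify(accounts: List[Account], roster: Set[str], now: datetime,
             dormant_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Return {username: [reason, ...]} for every enabled account that needs review.

    Reason codes:
      no-owner         - nobody is attributed to the account, so nobody will deprovision it
      owner-not-in-hr  - the attributed owner is no longer on the HR roster (orphaned)
      dormant          - no login within `dormant_after` (or never), i.e. unused live access
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts grant no access; deletion is a separate cleanup task
        reasons: List[str] = []
        if acct.owner_email is None:
            reasons.append("no-owner")
        elif acct.owner_email not in roster:
            reasons.append("owner-not-in-hr")
        if acct.last_login is None or now - acct.last_login > dormant_after:
            reasons.append("dormant")
        if reasons:
            findings[acct.username] = reasons
    return findings


def review_report(findings: Dict[str, List[str]]) -> List[str]:
    """Render findings as one line per account, orphaned accounts first (they are the
    clearest deprovisioning candidates), then dormant-only accounts."""
    def priority(item):
        name, reasons = item
        return (0 if ("owner-not-in-hr" in reasons or "no-owner" in reasons) else 1, name)
    return [f"{name}: {', '.join(reasons)}" for name, reasons in sorted(findings.items(), key=priority)]


if __name__ == "__main__":
    for line in review_report(classify(ACCOUNTS, HR_ROSTER, NOW)):
        print(line)
```

Run on a real export, the same function would take the directory or application user list and the HR system's active-employee feed; the point of the reason codes is that "owner-not-in-hr" findings can be routed straight to deprovisioning, while "dormant" findings for current staff go to the owner for confirmation rather than being silently removed.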
# WHY IT MATTERS
Every orphaned account is a deferred access revocation that eventually becomes a security incident. Orphaned accounts accumulate because deprovisioning is harder than provisioning, takes longer, and touches more systems. But that accumulation is a cumulative security risk — the more orphaned accounts you have, the larger your attack surface becomes, and the fewer clues you have about which ones might be compromised.