Definition of terms:
An orphaned account is a user account in a system that can no longer be tied to a responsible, currently active person, for example because an employee has left the company and their access was never deactivated. Such "orphaned" accounts often remain active for years without being noticed, sometimes with extensive access rights, and the same can happen to service and API accounts whose human owner has left.
Why are orphaned accounts a risk?
- Entry point for attackers: abandoned accounts often stay active with their original rights, their passwords are never rotated, and nobody is watching them, so a credential that leaked or was phished long ago still works. That makes them an easy way in.
- No control, no transparency: because no one is responsible for the account, nobody notices when data or systems are accessed through it, and there is nobody to ask whether a given access was legitimate.
- Violation of principles such as least privilege, and of compliance requirements that expect every access right to have a known, current owner
- Cost factor: orphaned accounts may consume licenses and resources or cause administrative overhead without providing any benefit.
How do orphaned accounts arise?
- Lack of offboarding when employees leave
- Manual processes without automatic deactivation
- M&A phases (e.g., when merging directories)
- Legacy systems that have grown over time without a central account inventory
- Technical service or API accounts whose owner has left and that were never decommissioned
What can be done about it?
Automation is the key.
Modern IGA (identity governance and administration) or PAM (privileged access management) systems can be used to identify and eliminate orphaned accounts quickly. The essential measures are:
- Regular access reviews: who still holds which rights, and do they still need them? An account for which no owner can be named at all is by definition orphaned and should be disabled.
- Automated provisioning and deprovisioning: the entire lifecycle of an account should be traceable and controlled, from creation to deactivation, ideally driven by the HR system as the source of truth for joiners, movers and leavers.
- Role-based rights assignment: defining the right roles and access rights prevents unnecessary accounts and permissions from the outset.
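The reconciliation behind such an access review, as an added example that is not part of the original article: a small Python script compares a directory export against the HR list of active employees and reports accounts with no valid owner (orphaned) separately from accounts that merely have not been used (dormant). The account records, employee IDs and timestamps are constructed sample data; in practice the two inputs would be an export from Active Directory, Entra ID or the IGA system and the HR roster.

```python
"""Added example (not from the original article): find orphaned accounts by
reconciling a directory export against the HR roster of active employees.
All account records and HR data below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                      # "user" or "service"
    enabled: bool
    owner: Optional[str]           # HR employee ID of the responsible person, None if unknown
    last_logon: Optional[datetime]
    privileged: bool               # e.g. member of Domain Admins or holder of a cloud admin role


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str
    privileged: bool
    orphan_reason: Optional[str]   # set when the account has no valid owner
    dormant_reason: Optional[str]  # set when the account has not been used recently

    @property
    def orphaned(self) -> bool:
        return self.orphan_reason is not None

    def recommendation(self) -> str:
        if self.orphaned and self.dormant_reason:
            return "disable now, delete after the retention period"
        if self.orphaned:
            # Still in use: disabling blindly may break something (typical for service accounts).
            return "assign a new owner or identify dependencies before disabling"
        return "confirm continued need with the owner"


# Constructed sample data: active employee IDs as exported from HR, and a
# directory export taken at NOW. In practice both come from the real systems.
HR_ACTIVE = {"E100", "E101", "E102"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNTS: List[Account] = [
    Account("alice", "user", True, "E100", NOW - timedelta(days=2), False),
    Account("bob", "user", True, "E200", NOW - timedelta(days=400), True),          # left, never disabled
    Account("carol", "user", False, "E201", NOW - timedelta(days=800), False),      # already disabled
    Account("svc-backup", "service", True, "E202", NOW - timedelta(days=1), True),  # owner left, still in use
    Account("svc-legacy", "service", True, None, None, False),                      # no owner, never used
    Account("dave", "user", True, "E102", None, False),                             # valid owner, never logged in
]


def review(accounts: List[Account], hr_active: set, now: datetime,
           dormant_after_days: int = 90) -> Dict[str, Finding]:
    """Return a finding for every enabled account that is orphaned, dormant or both."""
    findings: Dict[str, Finding] = {}
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; deleting those is a separate clean-up step
        orphan_reason: Optional[str] = None
        if a.owner is None:
            orphan_reason = "no owner recorded"
        elif a.owner not in hr_active:
            orphan_reason = f"owner {a.owner} is not an active employee"
        dormant_reason: Optional[str] = None
        if a.last_logon is None:
            dormant_reason = "never logged in"
        elif now - a.last_logon > timedelta(days=dormant_after_days):
            dormant_reason = f"no logon for {(now - a.last_logon).days} days"
        if orphan_reason or dormant_reason:
            findings[a.name] = Finding(a.name, a.kind, a.privileged, orphan_reason, dormant_reason)
    return findings


def prioritised(findings: Dict[str, Finding]) -> List[Finding]:
    """Privileged orphaned accounts first, then other orphans, then merely dormant accounts."""
    return sorted(findings.values(),
                  key=lambda f: (not (f.privileged and f.orphaned), not f.orphaned, f.name))


REVIEW = review(ACCOUNTS, HR_ACTIVE, NOW)

if __name__ == "__main__":
    for f in prioritised(REVIEW):
        flags = ", ".join(r for r in (f.orphan_reason, f.dormant_reason) if r)
        print(f"{f.name:12} {f.kind:8} {'PRIV' if f.privileged else '':5} {flags:45} -> {f.recommendation()}")
```

Dormancy alone does not make an account orphaned (dave has a valid owner and simply has not logged in yet), and an orphaned account can be very much alive (svc-backup is used daily even though its owner is gone). That is why the two conditions are reported separately and lead to different recommendations: a dormant orphan can be disabled immediately, a live orphan needs a new owner or a dependency check first.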
Best practices for prevention
- Only as many accounts as necessary, and as automated as possible
- Regularly review access rights (access review)
- Consistently deactivate or delete old accounts
- Make cloud and on-prem directories (e.g., Active Directory, Entra ID) visible in one system
- Bring privileged accounts under PAM (vaulted credentials, rotation, session logging) so that orphaned privileged accounts are caught as well
Conclusion
Orphaned accounts are a real risk and a realistic attack vector. Companies should therefore regularly review their account inventory and establish automated processes so that every identity has a known owner and a controlled lifecycle.