Unused SaaS accounts are risky because they often remain tied to valid entitlements even after the business has stopped using them. If offboarding, role change, and access review processes are weak, those accounts can persist as dormant access paths that are still reachable if credentials or session tokens are abused.
Why This Matters for Security Teams
Unused SaaS accounts are not harmless leftovers. They often keep live entitlements, linked OAuth grants, cached sessions, and API access paths long after the business has stopped paying attention to them. That creates a standing identity surface that bypasses normal change control, especially when access reviews only focus on active employees and not dormant accounts. Current guidance from the NIST Cybersecurity Framework 2.0 treats identity governance as a continuous function, not a one-time cleanup task.
In NHI research, dormant access is repeatedly implicated in compromise paths because security teams often discover the problem after token abuse, credential stuffing, or vendor access misuse has already occurred. NHIMG’s Top 10 NHI Issues highlights how neglected identities and weak rotation practices create durable attack paths, and that pattern extends directly to SaaS accounts left behind by offboarding gaps. In practice, many security teams encounter this only after an attacker has already reused an account that everyone assumed was inactive.
How It Works in Practice
The risk comes from identity persistence, not just account existence. A SaaS account can remain enabled because the user was moved to another team, a contractor assignment ended without clean deprovisioning, or a service workflow was never documented as business-critical. The account may still have group memberships, delegated admin rights, connected app permissions, or stale session tokens that remain valid until explicit revocation. That is why identity lifecycle controls must be tied to the actual SaaS control plane, not just the HR system.
Practitioners usually reduce this risk through a combination of access governance, session revocation, and entitlement reconciliation. The most effective programs treat deprovisioning as an event-driven process: when a role changes, when a vendor contract ends, or when an application is retired, the account and all associated access paths are reviewed together. The Ultimate Guide to NHIs — Why NHI Security Matters Now is useful here because the same governance failure that leaves machine identities exposed also leaves SaaS identities overentitled.
- Inventory all SaaS accounts, including inactive, shared, delegated, and vendor-managed identities.
- Revoke sessions, OAuth grants, and API tokens when an account is retired or reassigned.
- Require periodic entitlement review for dormant accounts, not just active ones.
- Use SCIM, SSO, and centralized identity governance to reduce manual cleanup drift.
- Flag accounts with privileged groups, mailbox access, or third-party app connections for immediate review.
NHIMG’s 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which is a strong reminder that access sprawl is not theoretical. These controls tend to break down when SaaS administration is decentralised across business units because no single team owns full visibility into account state, sessions, and connected app permissions.
Common Variations and Edge Cases
Tighter account governance often increases administrative overhead, requiring organisations to balance security assurance against business continuity. That tradeoff becomes especially visible in environments with shared departmental mailboxes, long-lived vendor portals, or customer support platforms where an “unused” account may still be needed for audit trails, billing, or legal retention.
Current guidance suggests treating those exceptions as controlled accounts with explicit owners, expiry dates, and documented review cadence rather than allowing them to drift into permanent exceptions. Another common edge case is single sign-on masking the real risk: an account may look dormant in the SaaS console while the upstream identity provider still allows reactivation, which means deprovisioning must be verified end to end. This is also where the Ultimate Guide to NHIs — Key Challenges and Risks is relevant, because hidden entitlements are often harder to eliminate than the visible account itself.
The main exception is a formally managed break-glass or archival account. Those accounts should not be “unused”; they should be explicitly classified, tightly monitored, and periodically tested. Anything less becomes a dormant access path with no clear owner, and that is exactly the kind of condition attackers exploit through token theft, password reuse, or forgotten delegated access.
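As an added example (not tooling from this page or from NHI Mgmt Group), the following Python script carries the inventory, revoke, review, and flag steps from the "How It Works in Practice" section and the end-to-end deprovisioning check from this section through one reconciliation of three sources: the HR roster, the IdP's app assignments, and the SaaS admin-console export. It also applies the exception rule above: a break-glass or archival account with a named owner and an unexpired review date is skipped, while an expired exception becomes a finding. The record layouts, field names, group names, the 90-day dormancy threshold, and every sample account are constructed assumptions; real HRIS, IdP, and SaaS admin-API exports will look different.

```python
# Added example (not the page's or NHI Mgmt Group's tooling): reconcile a SaaS account export
# against HR and the IdP. Layouts, field names, policy values and sample data are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

DORMANT_DAYS = 90                                     # assumed policy threshold
PRIVILEGED_GROUPS = {"org-admins", "billing-admins"}  # assumed group names
TODAY = date(2025, 6, 1)                              # fixed so the run is deterministic

@dataclass
class SaaSAccount:                                    # one row of a SaaS admin-console export
    email: str
    enabled: bool
    last_login: date | None                           # None means never signed in
    groups: set = field(default_factory=set)
    delegated_mailboxes: set = field(default_factory=set)
    oauth_grants: set = field(default_factory=set)    # connected third-party apps
    api_tokens: int = 0
    active_sessions: int = 0

@dataclass
class ManagedException:                               # break-glass or archival account allowed to look unused
    kind: str
    owner: str
    expires: date
@dataclass
class Finding:
    email: str
    severity: str                                     # "high" or "medium"
    reasons: list
    actions: list

def idle_days(acct: SaaSAccount, today: date = TODAY) -> int | None:
    return None if acct.last_login is None else (today - acct.last_login).days

def reconcile(accounts, hr_active, idp_assigned, exceptions, today=TODAY):
    """Return one Finding per account that is orphaned, dormant, or an expired exception."""
    findings = []
    for acct in accounts:
        reasons, actions = [], []
        exc = exceptions.get(acct.email)
        if exc and exc.expires >= today:
            continue                                  # formally managed, inside its review window
        if exc:                                       # expired: re-approve it or it is just a dormant path
            reasons.append(f"{exc.kind} exception owned by {exc.owner} expired {exc.expires}")
            actions.append("re-approve with a new expiry, or disable")
        orphaned = exc is None and acct.email not in hr_active   # the register, not HR, owns exceptions
        idle = idle_days(acct, today)
        dormant = idle is None or idle >= DORMANT_DAYS
        if orphaned:
            reasons.append("no active HR record")
            if acct.enabled:
                actions.append("disable SaaS account")
            if acct.email in idp_assigned:            # console may say "disabled" while SSO can bring it back
                reasons.append("IdP still assigns the app: SSO can reactivate this account")
                actions.append("remove IdP app assignment")
        if dormant:
            reasons.append("never signed in" if idle is None else f"no login for {idle} days")
        if not (orphaned or dormant or exc):
            continue                                  # active, in-use account: outside this review
        # Entitlements and credentials stay valid however old the last login is.
        priv = sorted(acct.groups & PRIVILEGED_GROUPS)
        if priv:
            reasons.append(f"privileged groups: {priv}")
            actions.append(f"remove from {priv}")
        if acct.delegated_mailboxes:
            reasons.append(f"mailbox access: {sorted(acct.delegated_mailboxes)}")
            actions.append("review mailbox delegation")
        if acct.oauth_grants:
            reasons.append(f"OAuth grants: {sorted(acct.oauth_grants)}")
            actions.append("revoke OAuth grants")
        for count, what in ((acct.api_tokens, "API token(s)"), (acct.active_sessions, "session(s)")):
            if count:
                actions.append(f"revoke {count} {what}")
        if not orphaned and not exc:
            actions.append("confirm business need with the account owner")
        live_paths = priv or acct.delegated_mailboxes or acct.oauth_grants or acct.api_tokens
        findings.append(Finding(acct.email, "high" if (orphaned or exc or live_paths) else "medium", reasons, actions))
    return findings

HR_ACTIVE = {"alice@example.com", "bob@example.com"}          # constructed sample inputs from here on
IDP_ASSIGNED = {"alice@example.com", "bob@example.com", "carol@example.com"}
ACCOUNTS = [
    SaaSAccount("alice@example.com", True, date(2025, 5, 29), groups={"org-admins"}),
    SaaSAccount("bob@example.com", True, date(2024, 11, 1), oauth_grants={"export-bot"}, api_tokens=1),
    SaaSAccount("carol@example.com", False, date(2025, 2, 1)),   # "offboarded" in the SaaS console only
    SaaSAccount("dave@example.com", True, date(2024, 4, 1), delegated_mailboxes={"support@example.com"}, active_sessions=2),
    SaaSAccount("breakglass@example.com", True, None, groups={"org-admins"}),
    SaaSAccount("archive-legal@example.com", True, date(2024, 8, 1)),
]
EXCEPTIONS = {
    "breakglass@example.com": ManagedException("break-glass", "secops", date(2025, 12, 31)),
    "archive-legal@example.com": ManagedException("archival", "legal", date(2025, 1, 1)),
}

if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, HR_ACTIVE, IDP_ASSIGNED, EXCEPTIONS):
        print(f"{f.severity.upper():6} {f.email}: {'; '.join(f.reasons)} -> {'; '.join(f.actions)}")
```

Run as a script it prints four findings. Carol is the SSO-masking case: her SaaS account is already disabled, so a console-only review would close the ticket, but the IdP still assigns her the app, so the only action is upstream. Dave has no SSO assignment at all, which is why the local account, its mailbox delegation, and its two live sessions survived offboarding and each get their own revocation. Bob is still employed, so the script asks for owner confirmation rather than disabling him, but his OAuth grant and API token are revoked regardless. The break-glass account is skipped because its exception is current; the archival account is reported because its exception expired. In a real deployment the three inputs would come from the HRIS, the IdP (SCIM or its admin API), and each SaaS vendor's admin API, and the actions would be executed against those same control planes.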
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Unused SaaS accounts are improper offboarding applied to human and shared accounts: dormant identities that still carry live access. |
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware are managed across their whole lifecycle, which is what stops stale SaaS access from accumulating. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements are managed, enforced, and reviewed under least privilege, so reviews should catch over-entitled dormant accounts (this is the CSF 2.0 successor to CSF 1.1's PR.AC-4). |
Review dormant entitlements regularly and strip privileges not needed for business use.
Related resources from NHI Mgmt Group
- Why do non-human identities create more audit risk than human accounts?
- Why do non-human identities create more SaaS security risk than human accounts?
- Why do shadow vaults create more risk for service accounts and bots?
- How should security teams govern non-human identities alongside human accounts?