
Unmanaged user

An unmanaged user is an account that exists in a tool or platform but is not fully governed by the primary identity source or lifecycle process. These accounts can create audit gaps, licensing waste, and revocation blind spots when ownership or employment status changes.

Expanded Definition

An unmanaged user is not simply a forgotten account. It is a user identity that exists in a SaaS app, admin console, or internal platform without being fully tied to the primary source of truth, joiner-mover-leaver workflow, or access review process. In identity governance terms, the account may be valid, active, and even productive, but it is not consistently owned, recertified, or revoked through the same lifecycle controls that govern managed identities.

Definitions vary across vendors: some tools classify unmanaged users by missing HR linkage, while others focus on absent provisioning, absent deprovisioning, or lack of policy enforcement. For NHI Management Group, the risk is operational: an unmanaged user sits outside reliable governance and becomes hard to audit, hard to scope, and hard to retire. The term is closely related to service accounts and shared admin access, but broader, because it applies to any user-like identity that escapes lifecycle control. NIST's Cybersecurity Framework 2.0 reinforces the need for identity governance, access review, and accountability, even when the identity is not human-owned in a conventional sense.

The most common misreading is to assume that an active login means the account is managed. An account can be provisioned automatically and still be unmanaged if deprovisioning, ownership assignment, or recertification is not.

Examples and Use Cases

Governing unmanaged users rigorously adds coordination overhead: organisations must balance tighter lifecycle control against how quickly teams can get access to business tools. The following cases show where that control typically breaks down.

  • A contractor leaves a project, but their account in a collaboration platform remains active because the app is not connected to the core identity lifecycle. The account is usable, yet no one is clearly accountable for it.
  • An employee is transferred between departments, but a legacy admin login in a procurement system is never reassigned or recertified. Ownership exists in practice, not in policy.
  • A third-party integrator creates local user accounts inside a platform for support work. The accounts are not reflected in the central directory, so access reviews miss them.
  • A shadow IT application authenticates users through a standalone directory with no HR sync. The account list grows faster than governance can track it, creating unmanaged user drift. See the lifecycle perspective in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
  • Internal audit discovers that several privileged logins were never disabled after role changes. This pattern mirrors the access blind spots discussed in Top 10 NHI Issues.

Identity teams often compare this problem to unmanaged NHIs because the same failure mode appears: an identity remains live without reliable governance, even though the business no longer has a clear operational need for it.
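To make the failure modes above concrete, here is an added reconciliation script (not code from NHI Management Group or from any specific tool) that compares an application's local user export against the HR-synced directory and the access review record, and flags each account that fails one of the criteria in the definition: not bound to the source of truth, no lifecycle source that can remove it, no accountable owner, not recertified since the last role change, or privileged and idle. The account data, field names, finding labels and thresholds are all constructed for this example.

```python
"""Reconcile an application's user export against the identity source of
truth and flag unmanaged users.

Added example. All data below is constructed; field names, finding labels
and thresholds are assumptions, not any vendor's schema.
"""
from datetime import date

# Constructed sample: the application's own user export. "provisioned_by"
# records whether the account arrived through the central lifecycle (scim)
# or was created locally inside the app.
APP_USERS = [
    {"login": "alice@corp.example", "provisioned_by": "scim", "owner": "alice@corp.example",
     "privileged": False, "last_login": "2025-05-02"},
    {"login": "bob.contractor@partner.example", "provisioned_by": "scim", "owner": "",
     "privileged": False, "last_login": "2025-04-28"},
    {"login": "carol@corp.example", "provisioned_by": "scim", "owner": "carol@corp.example",
     "privileged": True, "last_login": "2025-05-01"},
    {"login": "svc-integrator-support", "provisioned_by": "local", "owner": "",
     "privileged": True, "last_login": "2025-01-15"},
    {"login": "dave@corp.example", "provisioned_by": "local", "owner": "dave@corp.example",
     "privileged": True, "last_login": "2024-11-30"},
]

# Constructed sample: the HR-synced directory that is the source of truth.
DIRECTORY = {
    "alice@corp.example": {"status": "active", "dept_changed": "2023-01-10"},
    "bob.contractor@partner.example": {"status": "terminated", "dept_changed": "2024-06-01"},
    "carol@corp.example": {"status": "active", "dept_changed": "2025-04-20"},
    "dave@corp.example": {"status": "active", "dept_changed": "2024-02-01"},
}

# Constructed sample: last completed access recertification per app login.
LAST_RECERTIFIED = {
    "alice@corp.example": "2025-03-01",
    "carol@corp.example": "2025-03-01",
    "dave@corp.example": "2024-01-15",
}

# Constructed reference date for the sample run.
AS_OF = date(2025, 5, 5)


def classify(app_users, directory, recerts, as_of, stale_days=90, review_days=180):
    """Return {login: sorted findings} for every app account that is not fully
    governed. Accounts with no findings are omitted. The thresholds are
    assumptions; tune them to the organisation's review cadence."""
    results = {}
    for user in app_users:
        login = user["login"]
        findings = []
        entry = directory.get(login)

        # 1. Is the account bound to the source of truth at all?
        if entry is None:
            findings.append("not_in_directory")
        elif entry["status"] != "active":
            findings.append("leaver")          # directory says gone, app says live

        # 2. Does it have a lifecycle source that can remove it?
        if user["provisioned_by"] != "scim":
            findings.append("local_account")   # no automated deprovisioning path

        # 3. Is someone accountable for it?
        if not user["owner"]:
            findings.append("no_owner")

        # 4. Has it been recertified, and since the last role change?
        rec = recerts.get(login)
        if rec is None:
            findings.append("never_recertified")
        else:
            rec_date = date.fromisoformat(rec)
            if (as_of - rec_date).days > review_days:
                findings.append("recertification_overdue")
            if entry and date.fromisoformat(entry["dept_changed"]) > rec_date:
                findings.append("mover_not_recertified")

        # 5. Privileged and idle: the account nobody uses but anybody could.
        if user["privileged"]:
            idle = (as_of - date.fromisoformat(user["last_login"])).days
            if idle > stale_days:
                findings.append("stale_privileged")

        if findings:
            results[login] = sorted(findings)
    return results


def unmanaged_share(app_users, results):
    """Fraction of app accounts carrying at least one finding."""
    return len(results) / len(app_users) if app_users else 0.0


if __name__ == "__main__":
    found = classify(APP_USERS, DIRECTORY, LAST_RECERTIFIED, as_of=AS_OF)
    for login, issues in found.items():
        print(f"{login:40} {', '.join(issues)}")
    print(f"unmanaged share: {unmanaged_share(APP_USERS, found):.0%}")
```

On the sample data only alice is fully governed. The contractor's account is the provisioned-but-never-deprovisioned case from the definition: SCIM created it, HR has marked the person terminated, and the login still works. The integrator's support account is the local-account case that a directory-driven access review never sees, and the two privileged logins surface as "mover_not_recertified" because the directory records a department change after the last review. The point of scoring every account against all five criteria, rather than stopping at the first hit, is that each finding maps to a different owner of the fix (HR sync, SCIM coverage, ownership assignment, review cadence).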

Why It Matters in NHI Security

Unmanaged users create a governance gap that attackers, auditors, and internal responders all notice at the same time. When ownership is unclear, access reviews become incomplete, revocation becomes delayed, and incident response loses confidence in who can still sign in. In NHI-heavy environments, that same gap often extends to service accounts, API-linked users, and support logins that were created for speed and never folded back into lifecycle control.

This is not a niche issue. NHI Management Group reports that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. That same lifecycle weakness often appears in unmanaged user populations, where the account remains live long after the business relationship has changed. The governance lessons in the Ultimate Guide to NHIs and the control lens in the Ultimate Guide to NHIs — Key Challenges and Risks both point to the same operational truth: unmanaged identities are a control failure, not just an inventory problem.

Organisations typically encounter the full cost of unmanaged users only after a termination, breach, or audit finding exposes accounts that should no longer exist, at which point lifecycle control can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                         | Control / Reference                                              | Relevance
OWASP Non-Human Identity Top 10   | NHI-01 (Improper Offboarding)                                    | Unmanaged users reflect identity lifecycle gaps and weak ownership in NHI governance.
NIST CSF 2.0                      | PR.AA (Identity Management, Authentication, and Access Control)  | Identity management and access control require continuous accountability for active accounts.
NIST Zero Trust (SP 800-207)      | IA- and access decision principles                               | Zero trust requires verified identity state and current authorization for every access request.

Inventory all user-like identities and bind each one to an owner, lifecycle source, and removal path.