Dormant machine identities are risky because they remain valid even after the business need has passed. If those credentials are not revoked, they can be reused by attackers, abused by insiders, or forgotten during audits. The issue is not just storage, but persistence of access without current accountability.
Why This Matters for Security Teams
Dormant machine identities are not harmless leftovers. They are valid credentials, certificates, API keys, service accounts, or tokens that remain able to authenticate after the workload, integration, or vendor relationship has changed. That persistence turns an administrative oversite into an active attack path. Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that identity lifecycle control is part of operational resilience, not just IAM hygiene.
The security problem is that dormant identities are often invisible until something goes wrong. They may be excluded from routine access reviews, undocumented in asset inventories, or inherited through old automation, CI/CD pipelines, and third-party integrations. NHIMG research on Top 10 NHI Issues and the Ultimate Guide to NHIs — Why NHI Security Matters Now shows that unmanaged non-human identities are a recurring source of exposure because they outlive the business need that created them.
In practice, many security teams encounter dormant identities only after an audit gap, a vendor offboarding failure, or a compromise has already turned forgotten access into a live foothold.
How It Works in Practice
A dormant identity becomes dangerous because authentication systems usually care whether a secret is valid, not whether the underlying business purpose is still current. If a service account, OAuth grant, certificate, or API token is never rotated or revoked, an attacker who finds it can often reuse it exactly as the original system did. This is why lack of credential rotation remains one of the top cited causes of NHI-related attacks in The State of Non-Human Identity Security.
Operationally, the lifecycle problem shows up in a few common ways:
- Legacy automation keeps running after the application owner has moved on.
- DevOps pipelines retain tokens long after a deployment path has changed.
- Third-party SaaS integrations keep OAuth grants active after the vendor is no longer needed.
- Certificates and API keys remain valid because no one owns revocation during offboarding.
Best practice is to treat machine identities as assets with an explicit owner, purpose, expiry, and revocation path. That means mapping each identity to a business function, enforcing short TTLs where possible, and revoking access when the workload is retired. For higher-risk integrations, teams should combine inventorying with continuous validation, because static records drift quickly in modern environments. The 2024 ESG Report: Managing Non-Human Identities reports that 72% of organisations have experienced or suspect a breach of non-human identities, which is a strong signal that dormant access is not a theoretical issue.
These controls tend to break down when identities are embedded in distributed SaaS, shadow automation, or nested service-to-service chains because ownership and revocation responsibility become unclear.
Common Variations and Edge Cases
Tighter lifecycle control often increases operational overhead, requiring organisations to balance faster revocation against the risk of breaking production workflows. That tradeoff is especially sharp where machine identities support always-on services, partner APIs, or regulated systems that cannot tolerate frequent manual intervention.
There is no universal standard for this yet, but current guidance suggests a few practical exceptions. Some identities should not be treated as truly dormant if they are intentionally idle but still required for disaster recovery, blue-green cutover, or regulated continuity testing. In those cases, the real control is not “delete fast,” but “prove necessity, constrain scope, and monitor use.”
Another edge case is shared credentials. If multiple workloads reuse the same secret, dormancy becomes harder to detect because one active consumer can mask several abandoned ones. That is why NHIMG’s OWASP NHI Top 10 is useful for practitioners: the issue is not only secret sprawl, but the inability to distinguish live, needed access from stale, forgotten access. In mature environments, the answer is usually better identity ownership, tighter expiry, and continuous review rather than blanket trust in long-lived credentials.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Dormant secrets are often a rotation and revocation failure. |
| NIST CSF 2.0 | PR.AC-1 | Dormant identities are an access lifecycle weakness. |
| NIST AI RMF | GOVERN | Identity accountability is part of AI and automation governance. |
Track every non-human identity to an owner and rotate or revoke credentials when business need ends.
