TL;DR: Stale user accounts with lingering admin-level permissions expand breach impact and create avoidable exposure, especially when employees change roles or leave, according to JumpCloud. Least privilege only works when access is continuously tied to current role and lifecycle state, not when permissions are left to drift.
NHIMG editorial — based on content published by JumpCloud: Stale accounts and least privilege access
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams prevent stale accounts from creating excess privilege?
A: Security teams should connect joiner-mover-leaver events to entitlement changes so access follows the current role, not the historical one.
Q: Why do stale accounts make least privilege ineffective?
A: Stale accounts break least privilege because permissions continue to reflect an old job, old project, or old relationship after the business need has changed.
Q: What do security teams get wrong about access reviews?
A: They often review historical entitlements instead of current business context.
Practitioner guidance
- Automate role-to-access mapping: Tie group membership and application entitlements to HR and identity provider signals so role changes and departures remove access without waiting for manual cleanup.
- Target stale admin accounts first: Review dormant users, former employees, and contractor accounts that still carry elevated permissions, then remove admin-level entitlements before doing broad access cleanup.
- Recertify by current business state: Base access reviews on current role, current project need, and current employment status rather than historical permissions that may no longer be justified.
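The three guidance items above, together with the joiner-mover-leaver point in the Q&A, describe one reconciliation loop: derive the access a current role justifies, compare it with what an account actually holds, and clear admin-level excess first. The script below is an added example written for this post, not JumpCloud's code; the role-to-entitlement map, the admin-entitlement set, the 90-day dormancy threshold and the HR/IAM records are all constructed assumptions standing in for a real HR export and identity provider query.

```python
"""Reconcile IAM entitlements against HR lifecycle state and rank stale access.

Added example, not JumpCloud's code. The policy tables and records below are
constructed for illustration; in practice they come from HR and the IdP.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed role-to-access policy: the entitlements a current role justifies.
ROLE_ENTITLEMENTS = {
    "sre": {"vpn", "prod-admin", "ci-admin"},
    "developer": {"vpn", "ci-user"},
    "finance": {"vpn", "erp-user"},
    "contractor-qa": {"vpn", "ci-user"},
}

# Assumed set of admin-level entitlements; these are ranked for removal first.
ADMIN_ENTITLEMENTS = {"prod-admin", "ci-admin", "idp-admin"}

DORMANCY_DAYS = 90  # assumed threshold for treating an account as dormant


@dataclass
class HrRecord:
    user: str
    role: str
    status: str                      # "active" or "terminated"
    contract_end: Optional[date] = None


@dataclass
class IamAccount:
    user: str
    entitlements: set
    last_login: Optional[date]       # None means never logged in


@dataclass
class Finding:
    user: str
    entitlement: str
    reason: str
    priority: int                    # 1 = admin-level, 2 = standard


def reconcile(hr, accounts, today):
    """Return entitlements not justified by current lifecycle state, admin first."""
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        # Lifecycle state decides which entitlements are justified at all.
        if rec is None:
            lifecycle, allowed = "orphan: no HR record", set()
        elif rec.status != "active":
            lifecycle, allowed = "leaver: HR status terminated", set()
        elif rec.contract_end is not None and rec.contract_end < today:
            lifecycle, allowed = "contractor: contract ended", set()
        else:
            lifecycle = "mover: entitlement not justified by current role"
            allowed = ROLE_ENTITLEMENTS.get(rec.role, set())
        dormant = acct.last_login is None or (today - acct.last_login).days > DORMANCY_DAYS
        for ent in sorted(acct.entitlements):
            if ent not in allowed:
                reason = lifecycle
            elif dormant and ent in ADMIN_ENTITLEMENTS:
                reason = f"dormant: admin entitlement with no login in {DORMANCY_DAYS} days"
            else:
                continue  # justified by current role and in active use
            priority = 1 if ent in ADMIN_ENTITLEMENTS else 2
            findings.append(Finding(acct.user, ent, reason, priority))
    # Admin-level excess sorts to the top so it is cleaned up before bulk review.
    findings.sort(key=lambda f: (f.priority, f.user, f.entitlement))
    return findings


def sample_data():
    """Constructed HR and IAM records covering mover, leaver, contractor, dormant, orphan."""
    today = date(2026, 3, 1)
    hr = [
        HrRecord("alice", "sre", "active"),
        HrRecord("bob", "developer", "active"),             # moved from sre
        HrRecord("carol", "finance", "terminated"),
        HrRecord("dave", "contractor-qa", "active", contract_end=today - timedelta(days=30)),
        HrRecord("erin", "sre", "active"),
    ]
    accounts = [
        IamAccount("alice", {"vpn", "prod-admin", "ci-admin"}, today - timedelta(days=3)),
        IamAccount("bob", {"vpn", "prod-admin", "ci-user"}, today - timedelta(days=10)),
        IamAccount("carol", {"vpn", "erp-user"}, today - timedelta(days=120)),
        IamAccount("dave", {"vpn", "ci-user"}, today - timedelta(days=40)),
        IamAccount("erin", {"vpn", "prod-admin"}, today - timedelta(days=200)),
        IamAccount("svc-legacy", {"idp-admin"}, None),      # no HR owner
    ]
    return hr, accounts, today


def run_sample():
    hr, accounts, today = sample_data()
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"P{f.priority} {f.user:10} {f.entitlement:12} {f.reason}")
```

Feeding the script a real HR export and IdP group listing turns it into the "current business state" recertification the guidance asks for: the role table is the only place access is justified, so a role change or termination in HR changes the output on the next run without anyone editing the IdP by hand.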
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- A role-based access automation model that ties permissions to HR and identity provider data.
- A practical explanation of how deprovisioning reduces exposure when employees change roles or leave.
- A discussion of how centralised identity and access management supports consistent lifecycle enforcement.
- An efficiency argument for replacing manual cleanup with systematic access governance.
Explore further
Stale access is not a hygiene issue; it is a lifecycle control failure. The article is right to frame lingering permissions as dangerous, but the deeper problem is that access outlives the identity state that justified it. When role changes or departures do not trigger timely entitlement changes, least privilege becomes a paper policy. Practitioners should read this as a warning that lifecycle governance is the control plane, not an administrative afterthought.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- A further 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.
A question worth separating out:
Q: Who is accountable when former employees still have admin access?
A: Accountability sits with the identity and access governance process that failed to remove or certify the entitlement when the role changed or the person left. In practice, that spans HR data quality, IAM automation, and privileged access ownership. If any of those controls are disconnected, excess access will persist.