Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when a disabled account still…
Governance, Ownership & Risk

Who is accountable when a disabled account still has admin access?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Governance, Ownership & Risk

IAM, PIM, and endpoint owners share accountability because the failure spans identity lifecycle, privilege governance, and device trust. The correct framework is to measure whether the closure state was validated across all three control planes. If those controls are split, the residual access gap becomes easy to miss.

Why This Matters for Security Teams

When a disabled account still has admin access, the problem is not just a missed ticket. It is a control failure across identity lifecycle, privileged access governance, and endpoint trust, which means accountability is usually shared rather than singular. In NHI Management Group’s Ultimate Guide to NHIs, the scale of this risk is clear: 97% of NHIs carry excessive privileges, and that turns weak offboarding into an active exposure path.

Security teams often assume a disabled directory account is inert, but admin access can persist through cached tokens, PIM elevation, local device trust, delegated app permissions, or overlooked service pathways. That is why the right question is not only who disabled the account, but who verified that every attached privilege source was removed. The OWASP Non-Human Identity Top 10 frames this as a lifecycle and authorization problem, not a simple account-status check. In practice, many security teams encounter residual admin access only after an incident review, rather than through intentional closure validation.

How It Works in Practice

Accountability should be mapped to the control plane that failed, then assigned to the owner who can actually remediate it. IAM owns the identity record and disablement workflow. Privileged access management owns the grant, elevation, and revocation path. Endpoint or device owners own the trust state that may continue to honor a session even after the directory account is disabled.

A practical closure process usually needs all three checks:

  • Confirm the directory account is disabled and no alternate sign-in path remains.
  • Revoke active sessions, refresh tokens, and any standing privileged grants.
  • Validate endpoint compliance, device certificates, and local cached credentials.
  • Review app-to-app or delegated access that can outlive user account status.

This is where policy and evidence matter. NIST guidance on identity assurance and zero trust expects access to be re-evaluated in context, not assumed safe because a single record changed. The NIST Zero Trust Architecture model supports continuous verification, while the NIST AI Risk Management Framework is useful when automated remediation or agentic workflows are involved. For NHI-heavy environments, the operational lesson from the 52 NHI Breaches Analysis is that dormant privilege often survives because offboarding is treated as a ticket closure, not a control validation step.

Where this guidance breaks down is in hybrid estates with offline endpoints, legacy directory sync, and unmanaged privileged tools, because revocation may be delayed or partially enforced across different trust planes.

Common Variations and Edge Cases

Tighter offboarding often increases operational friction, requiring organisations to balance rapid account closure against the risk of breaking legitimate automation or emergency access. That tradeoff is real, especially where the disabled account belongs to a shared admin process, a break-glass pattern, or a service identity masquerading as a user.

Current guidance suggests treating these cases as exceptions with explicit expiry and documented revalidation, not as informal overrides. A disabled human account that still reaches admin functions may indicate one of several edge conditions: a long-lived token not tied to directory status, a privileged role assigned through a separate system, or endpoint credentials that remain valid after central disablement. In those cases, accountability should extend to the owner of the specific privilege source, not just the IAM team.

There is no universal standard for this yet, but the best practice is evolving toward closure-state attestation: one owner confirms disablement, another confirms privileged revocation, and a third confirms the device or runtime can no longer authorize the session. That model is especially important when service accounts, scripts, or delegated admin tools are involved, because a single disabled identity can still leave an attached control path alive.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Disabled accounts with lingering admin access are a lifecycle and revocation failure.
NIST CSF 2.0PR.AC-4Shared accountability maps to access control validation across identity and privilege systems.
NIST Zero Trust (SP 800-207)RA-3Continuous verification is needed when account status and effective access diverge.

Verify disablement, revoke all attached secrets, sessions, and grants, then evidence closure.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org