Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why do dormant accounts create PCI DSS compliance…
Governance, Ownership & Risk

Why do dormant accounts create PCI DSS compliance failures so quickly?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 6, 2026 Domain: Governance, Ownership & Risk

Dormant accounts become a PCI issue because requirement 8.1.4 is based on a hard inactivity threshold. If an account remains active for more than 90 days without review or removal, it is already non-compliant, even if the next quarterly review eventually finds it. The control must detect inactivity before the threshold passes.

Why This Matters for Security Teams

Dormant accounts are a compliance problem because PCI DSS treats inactivity as a time-bounded control failure, not a housekeeping issue. Once an account crosses the 90-day threshold without review or removal, the environment is already out of compliance under the current standard, even if the next manual review catches it later. That makes detection timing critical. The requirement is tied to operational evidence, which is why teams often fail audits when account review happens on a schedule but not before the threshold expires.

This also matters because dormant accounts frequently overlap with broader NHI hygiene issues. NHI Management Group has repeatedly emphasized lifecycle control and audit visibility in its Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and Top 10 NHI Issues, because stale identities are rarely isolated. They often indicate weak deprovisioning, poor ownership, or missing monitoring across the full identity estate. In practice, many security teams discover dormant-account violations only after evidence collection starts, rather than through intentional control design.

How It Works in Practice

PCI DSS v4.0 expects organisations to detect, review, and remove inactive accounts before they become stale. The practical control problem is not whether a quarterly review exists. It is whether the organisation can prove that inactivity was identified in time, action was taken, and the account did not remain enabled beyond the allowed period. The standard is operational, not aspirational, which is why a spreadsheet review is usually too slow for reliable compliance.

Effective teams build a lifecycle workflow around account telemetry and ownership. That usually means:

  • tracking last login, last authentication, and last privileged use separately;
  • tagging every account with a business owner and system owner;
  • automating inactivity alerts well before day 90;
  • disabling accounts automatically when review deadlines are missed;
  • preserving evidence of review, approval, and remediation for audit.

The strongest programs tie this to broader identity governance. NHI Management Group’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives frames the issue as a control evidence problem: auditors need to see that lifecycle decisions are consistent, timely, and enforced. External guidance from the PCI DSS v4.0 — PCI Security Standards Council and the NIST Cybersecurity Framework 2.0 both support continuous monitoring and timely access governance rather than periodic clean-up after the fact. These controls tend to break down in hybrid environments where shadow accounts, service accounts, and delegated admin accounts are owned by different teams and no single workflow enforces the 90-day clock.

Common Variations and Edge Cases

Tighter inactivity controls often increase operational overhead, requiring organisations to balance faster remediation against user disruption and exception handling. That tradeoff becomes harder when accounts are shared, service-linked, or tied to infrequent business processes. Current guidance suggests treating these cases as exceptions with compensating controls, but there is no universal standard for every edge case.

One common failure mode is assuming that “used occasionally” means “not dormant.” For PCI purposes, the relevant question is whether the account has an active, documented business need and whether inactivity is reviewed before the threshold is exceeded. Another edge case is accounts that authenticate through automated jobs or API calls. Those may appear active even when no human owner is validating their necessity, so teams should separate machine usage from genuine accountability.

Where organisations struggle most is large, distributed environments with inconsistent identity sources. If account data lives in multiple directories or ticketing tools, the compliance signal arrives too late. In those cases, teams should use one authoritative inventory, one review cadence, and one automated enforcement path. This is exactly the kind of lifecycle weakness highlighted in NHIMG’s research on Top 10 NHI Issues, where stale identities become a recurring governance defect rather than a one-time audit finding.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and PCI DSS v4.0 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
PCI DSS v4.08.1.4Defines the 90-day inactivity threshold that makes dormant accounts non-compliant.
NIST CSF 2.0PR.AA-2Supports timely access governance and removal of unused identities.
OWASP Non-Human Identity Top 10NHI-03Covers lifecycle weaknesses in non-human identity management and stale credentials.

Track ownership, activity, and expiry for every identity so dormant access is removed on schedule.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org