Dormant accounts are easier to forget when staffing is reduced, which means they are less likely to be reviewed or disabled on time. If an attacker finds one of these accounts, it may still carry valid authentication paths or stale privileges. That is why dormant-account cleanup is a high-value holiday control.
Why This Matters for Security Teams
Dormant and orphaned account become more dangerous during holiday periods because the normal signals that trigger cleanup are weaker: fewer reviewers, slower approvals, and less reliable ownership chains. Attackers look for exactly that gap. An account that has not been used recently may still retain valid tokens, old API keys, or inherited privileges, which makes it an easier foothold than a fresh target. NHI Management Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which is why unused accounts often remain dangerous even when they appear inactive. That risk is not abstract: NIST Cybersecurity Framework 2.0 treats identity governance and continuous monitoring as operational priorities, not periodic hygiene tasks. In practice, many security teams discover stale access only after a holiday incident exposes that no one owned the account anymore.
How It Works in Practice
The holiday period changes both attacker behaviour and internal control effectiveness. On the offensive side, adversaries often start with a low-noise account that appears forgotten, then use it to test access paths, enumerate systems, or pivot into higher-value services. On the defensive side, ticket queues slow down, approvers are unavailable, and ownership records become harder to validate. That combination turns dormant access into an operational blind spot.
Practitioner controls should focus on ownership, authentication validity, and privilege reality rather than account age alone. A dormant account is risky when any of the following remain true:
- It still has active credentials, API keys, or refresh tokens.
- It is mapped to a service, system, or vendor that is no longer actively managed.
- Its role grants broad access that has never been revalidated.
- It bypasses modern controls such as MFA, conditional access, or short-lived secrets.
This is why the Ultimate Guide to NHIs is relevant beyond NHI-only environments: the same lifecycle weakness applies to service accounts, script identities, shared admin accounts, and abandoned integrations. Operationally, teams should pair pre-holiday review with immediate disablement of accounts that lack a verified owner, then validate that secrets rotation and revocation actually completed. The governance pattern aligns with NIST Cybersecurity Framework 2.0 because the control objective is not just inventory accuracy, but timely removal of access that is no longer justified. These controls tend to break down in organisations with poor identity inventory, where no one can confidently distinguish an inactive account from one that is still tied to a critical batch job or third-party integration.
Common Variations and Edge Cases
Tighter dormant-account controls often increase operational overhead, requiring organisations to balance security gains against the risk of disabling something that still supports a holiday-critical process. That tradeoff is real, especially in environments with shared service accounts, unmanaged vendor access, or systems that do not expose dependable usage telemetry.
Best practice is evolving, but current guidance suggests treating high-risk dormant accounts differently from low-risk ones. For example, accounts with privileged access, external exposure, or secret material should be disabled or rotated first, while lower-risk accounts can move through a confirmation workflow. Where there is no universal standard for this yet, a practical approach is to combine inactivity thresholds with owner attestation, last-authentication data, and secret age. The real edge case is orphaned access embedded in automation: an account may look dormant to human reviewers while still being used by jobs, scripts, or integrations that were never documented. That is why holiday cleanup should include both human and machine identities, not just user mailboxes. NHI Mgmt Group’s research on Ultimate Guide to NHIs is useful here because it frames lifecycle control as a continuous discipline, not a once-a-year purge.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Dormant accounts often hide stale credentials and weak rotation hygiene. |
| NIST CSF 2.0 | PR.AC-4 | Holiday risk rises when access reviews and ownership checks lag. |
| NIST AI RMF | Governance must account for continuous monitoring and accountability gaps. |
Inventory dormant identities, revoke unused credentials, and enforce short-lived secrets with automated rotation.
Related resources from NHI Mgmt Group
- Why do non-human identities create more risk than many human accounts?
- Why do non-human identities create more remediation risk than many human accounts?
- What are common vulnerabilities associated with service accounts in AI deployments?
- Why do secrets stay dangerous even when they are no longer actively used?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org