Dormant and partially offboarded identities increase risk because access persists after the business need has ended. They often retain inherited privileges, shared memberships, or residual entitlements that create hidden reach into sensitive data, so lifecycle controls must measure residual access rather than just completed tickets.
Why This Matters for Security Teams
Dormant and partially offboarded accounts are not just housekeeping issues. They are evidence that identity lifecycle controls have drifted from actual access exposure, especially when old group memberships, inherited roles, API tokens, or shared credentials remain active after the business need has ended. That gap matters because attackers rarely need a fresh account when an old one still has reach. NHI Management Group’s Top 10 NHI Issues places lifecycle failure among the recurring drivers of hidden exposure, and NIST’s Cybersecurity Framework 2.0 reinforces the need to manage identities continuously rather than only at joiner-mover-leaver checkpoints.
The practical problem is that “offboarded” often means “removed from one system,” not “fully unable to authenticate anywhere.” In real environments, access persists across SaaS apps, shared mailboxes, VPN groups, privileged tooling, and downstream service accounts. In practice, many security teams encounter abuse of dormant access only after a vendor compromise, lateral movement event, or audit finding has already exposed the residual trust path.
How It Works in Practice
The risk compounds because dormant access ages poorly. A person or service account that is no longer actively used becomes easier to miss in reviews, harder to correlate to an owner, and more likely to retain privileges that were granted for a past project. Partially offboarded identities are especially dangerous because one control can be closed while another remains open. The result is a misleading sense of completion: the ticket is closed, but the identity is still alive.
Good lifecycle handling means validating actual reach, not merely employment status or ticket closure. Security teams should check for:
- Active sessions, refresh tokens, and API keys that survive deprovisioning.
- Inherited permissions from nested groups, roles, or shared resource assignments.
- Orphaned service accounts tied to workflows no one still owns.
- Cross-system entitlements that were never removed because offboarding was siloed.
The most effective control is continuous identity hygiene, supported by periodic access certification and automated revocation. NIST SP 800-63 Digital Identity Guidelines are useful where credential assurance and lifecycle state must be tied to identity proofing and reauthentication expectations, while NHIMG’s NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs emphasise that lifecycle controls must cover issuance, rotation, revocation, and ownership mapping, not just onboarding. The operational test is simple: if an identity can still authenticate or inherit access after it is supposedly retired, offboarding is incomplete. These controls tend to break down when identity data is fragmented across HR, IAM, SaaS, and shadow admin consoles, because no single system can prove that all residual entitlements were removed.
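The checklist above can be turned into a concrete residual-reach test. The following is an added example, not NHIMG's own code or tooling. It runs over a constructed, hypothetical snapshot that stands in for separate exports from an IdP, a SaaS admin console, a credential store, and HR; every identity, group, token, and entitlement in it is made up. The point it demonstrates is that the verdict comes from what the identity can still authenticate with or inherit across all sources, not from any one system's "removed" status.

```python
"""Residual-reach check for a supposedly offboarded identity.

Added example, not NHIMG's code. All data below is constructed and
hypothetical; in practice each dict would be an export from a real system.
"""
from collections import deque
from datetime import datetime, timezone

# Point in time the snapshot was taken (assumed).
SNAPSHOT_TIME = datetime(2026, 6, 23, tzinfo=timezone.utc)

# Group nesting: group -> groups it is itself a member of. Membership is
# inherited upward, so a member of "eng-contractors" is also in "eng-all"
# and therefore in "vpn-users".
GROUP_PARENTS = {
    "eng-contractors": ["eng-all"],
    "eng-all": ["vpn-users"],
    "vpn-users": [],
    "finance-readonly": [],
}
GROUP_ENTITLEMENTS = {
    "eng-contractors": {"jira:project-x"},
    "eng-all": {"github:org-member"},
    "vpn-users": {"vpn:corp"},
    "finance-readonly": {"s3:finance-reports/read"},
}
# Each source is exported separately; siloed offboarding typically cleans
# one of them and leaves the other untouched.
IDP_MEMBERSHIPS = {"ext.jdoe": ["eng-contractors"], "ext.clean": []}
SAAS_MEMBERSHIPS = {"ext.jdoe": ["finance-readonly"], "ext.clean": []}
CREDENTIALS = [
    {"subject": "ext.jdoe", "kind": "refresh_token", "expires": "2026-12-31T00:00:00+00:00"},
    {"subject": "ext.jdoe", "kind": "api_key", "expires": None},  # never expires
    {"subject": "ext.jdoe", "kind": "session", "expires": "2026-01-01T00:00:00+00:00"},  # lapsed
]
SERVICE_ACCOUNTS = [
    {"name": "svc-export-x", "owner": "ext.jdoe", "roles": {"s3:finance-reports/write"}},
]
HR_STATUS = {"ext.jdoe": "terminated", "ext.clean": "terminated"}


def expand_groups(direct, parents=GROUP_PARENTS):
    """Return the direct groups plus everything inherited through nesting."""
    seen, queue = set(), deque(direct)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, []))
    return seen


def live_credentials(subject, now=SNAPSHOT_TIME, creds=CREDENTIALS):
    """Credentials that can still authenticate: unexpired, or with no expiry."""
    live = []
    for cred in creds:
        if cred["subject"] != subject:
            continue
        expires = cred["expires"]
        if expires is None or datetime.fromisoformat(expires) > now:
            live.append(cred["kind"])
    return live


def residual_reach(identity, now=SNAPSHOT_TIME):
    """Measure what an identity can still reach, independent of ticket state.

    Offboarding counts as complete only when no credential can authenticate,
    no group membership is held directly or by inheritance in any source,
    and no service account is left with a terminated owner.
    """
    direct = set(IDP_MEMBERSHIPS.get(identity, [])) | set(SAAS_MEMBERSHIPS.get(identity, []))
    groups = expand_groups(direct)
    entitlements = set().union(*[GROUP_ENTITLEMENTS.get(g, set()) for g in groups])
    creds = live_credentials(identity, now)
    orphaned = [
        acct["name"] for acct in SERVICE_ACCOUNTS
        if acct["owner"] == identity and HR_STATUS.get(identity) == "terminated"
    ]
    return {
        "hr_status": HR_STATUS.get(identity, "unknown"),
        "groups": sorted(groups),
        "entitlements": sorted(entitlements),
        "live_credentials": sorted(creds),
        "orphaned_service_accounts": orphaned,
        "offboarding_complete": not (groups or creds or orphaned),
    }


if __name__ == "__main__":
    for who in ("ext.jdoe", "ext.clean"):
        print(who, residual_reach(who))
```

For the constructed data, ext.jdoe is terminated in HR and holds only one direct IdP group, yet the check reports four effective groups, four entitlements, two credentials that still authenticate (the expired session is correctly ignored), and an orphaned service account. The same function returns `offboarding_complete: True` for ext.clean, so it can run as a gate after every leaver ticket rather than as an occasional audit.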
Common Variations and Edge Cases
Tighter offboarding often increases operational overhead, requiring organisations to balance rapid deprovisioning against exceptions for shared services, legal retention, and business continuity. That tradeoff is real, but it should not be used to excuse lingering access.
There is no universal standard for this yet, but current guidance suggests treating dormant human accounts, contractor accounts, and service identities differently. A contractor account may be dormant because work paused, while a service account may be dormant because a pipeline failed and nobody noticed. Those are distinct risk signals. The former may warrant revalidation; the latter may warrant immediate rotation or disablement.
Edge cases also appear in accounts that are “offboarded” in name only. Examples include users removed from payroll but not from SaaS groups, accounts migrated between directories without entitlement cleanup, and shared admin credentials that survive staff turnover. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks and Ultimate Guide to NHIs — Why NHI Security Matters Now both highlight that residual access is most dangerous when ownership is unclear and revocation is not automated. The practical priority is to measure residual reach, not whether a deprovisioning task was marked complete.
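The distinction drawn above, between a contractor who is dormant because work paused, a service account that is dormant because its pipeline died, and a human who is "offboarded" in HR but still entitled elsewhere, can be encoded as a per-kind triage rather than a single idle-days threshold. The block below is an added example, not NHIMG's code or a standard; the identity records are constructed and hypothetical, and the idle thresholds are illustrative policy values chosen for the example.

```python
"""Triage dormant identities by kind rather than with one idle threshold.

Added example, not NHIMG's code. Records are constructed and hypothetical;
IDLE_DAYS values are illustrative, not taken from any standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SNAPSHOT = datetime(2026, 6, 23, tzinfo=timezone.utc)

# Illustrative idle thresholds per identity kind (assumed policy values).
IDLE_DAYS = {"employee": 90, "contractor": 30, "service": 14}


@dataclass
class Identity:
    name: str
    kind: str                      # "employee", "contractor" or "service"
    last_auth: Optional[datetime]  # None means it has never authenticated
    active_in_hr: bool             # humans: still on payroll or under contract
    owner_active: bool             # services: a current person owns it
    entitlements: int              # entitlements still held across systems


def idle_days(identity, now=SNAPSHOT):
    """Days since last authentication, or None if it never authenticated."""
    if identity.last_auth is None:
        return None
    return (now - identity.last_auth).days


def triage(identity, now=SNAPSHOT):
    """Return (signal, action) for one identity.

    The same dormancy means different things: an idle contractor may be
    between engagements and needs revalidation, while an idle service account
    usually means the workflow that used it stopped and nobody noticed, so
    its credential should be rotated and the account disabled.
    """
    idle = idle_days(identity, now)
    dormant = idle is None or idle > IDLE_DAYS[identity.kind]

    if identity.kind == "service":
        if not identity.owner_active:
            return "orphaned_service_account", "disable_and_find_owner"
        if identity.last_auth is None:
            return "service_never_used", "rotate_and_disable"
        if dormant:
            return "service_dormant_workflow_stopped", "rotate_and_disable"
        return "service_active", "none"

    # Human identities: HR state outranks activity. Off payroll but still
    # entitled is "offboarded in name only" and is the urgent case.
    if not identity.active_in_hr:
        if identity.entitlements > 0:
            return "offboarded_in_name_only", "revoke_all_access_now"
        return "offboarded", "none"
    if dormant and identity.kind == "contractor":
        return "contractor_dormant", "revalidate_with_sponsor"
    if dormant:
        return "employee_dormant", "revalidate_with_manager"
    return "human_active", "none"


def triage_all(identities, now=SNAPSHOT):
    """Map every identity name to its (signal, action) pair."""
    return {i.name: triage(i, now) for i in identities}


# Constructed fleet (hypothetical names and values).
FLEET = [
    Identity("ext.jdoe", "contractor", SNAPSHOT - timedelta(days=45), True, True, 3),
    Identity("ext.msmith", "contractor", SNAPSHOT - timedelta(days=200), False, True, 2),
    Identity("alice", "employee", SNAPSHOT - timedelta(days=10), True, True, 12),
    Identity("svc-export-x", "service", SNAPSHOT - timedelta(days=40), True, True, 1),
    Identity("svc-legacy-sync", "service", SNAPSHOT - timedelta(days=2), True, False, 4),
    Identity("svc-new-pipeline", "service", None, True, True, 1),
]

if __name__ == "__main__":
    for name, (signal, action) in triage_all(FLEET).items():
        print(f"{name:18} {signal:34} -> {action}")
```

Note the ordering of the rules: for service accounts a missing owner is checked before any activity signal, because an actively used account nobody owns (svc-legacy-sync above) is still unaccountable; for humans the HR state is checked first, so ext.msmith is flagged for immediate revocation rather than treated as merely dormant. The thresholds are where an organisation's own policy goes; the structure is what keeps the three cases from collapsing into one.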
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Improper Offboarding covers NHIs that stay active after the person, project, or service behind them is gone; Long-Lived Secrets covers the unrotated credentials that let such identities keep authenticating. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identities and credentials for users, services, and hardware are managed across lifecycle events, and access permissions and entitlements are defined, managed, enforced, and reviewed. |
| NIST AI RMF | GOVERN and MANAGE functions | Lifecycle governance needs accountability and ongoing monitoring for residual identity risk. |
Define ownership, monitor residual access, and review lifecycle controls as a governance function.
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org