Dormant access is an entitlement that remains technically valid even though the subject no longer uses it for its intended purpose. In identity governance, dormant access is dangerous because it preserves privilege, complicates review, and often survives well past the business need that created it.
Expanded Definition
Dormant access describes an entitlement that remains active even though the identity no longer uses it in day-to-day operations. In NHI and IAM programs, the term usually applies to service accounts, API keys, certificates, tokens, and delegated access paths that are still valid but no longer operationally justified. The distinction matters because dormant access, unlike disabled access, expired access, or a credential that has been formally offboarded, will still authenticate if anyone presents it.
Industry usage is still evolving: some teams define dormancy by time since last use, while others define it by business inactivity, workload decommissioning, or a missing ownership record. NHI Management Group treats dormant access as a governance problem, not just a technical one, because access can look legitimate in review reports while being effectively invisible in operations. The strongest control point is lifecycle evidence (who owns the identity, which workload it was created for, and whether that workload still exists), not assumption. The OWASP Non-Human Identity Top 10 places this risk in the same class as weak entitlement hygiene and poor secret governance. The most common misapplication is treating "unused" as "safe": a credential that shows no usage may simply be missing from telemetry, or its owner record may be stale, and neither case means the access cannot be exercised.
Examples and Use Cases
The patterns below recur across NHI programs. Detecting them rigorously introduces review overhead, because organisations must weigh change velocity against the cost of continuous entitlement validation; the alternative is a live credential that nobody is watching.
- A CI/CD service account keeps deployment permissions after the pipeline is retired, so the access remains valid even though no job should still use it.
- An API key stored in a legacy application is never rotated or revoked after the application is replaced, leaving a live credential behind in production systems.
- A certificate-based integration between two internal platforms continues to authenticate successfully after one platform’s owning team has disbanded.
- A delegated cloud role is retained after a temporary migration project ends, creating residual access that still appears in entitlement reports.
- An NHI review flags a dormant token because telemetry shows no use for months, while ownership metadata has already been lost during a team reorganisation.
These patterns are especially visible when teams compare access inventories with actual usage and with lifecycle records. The Ultimate Guide to NHIs explains why visibility and offboarding are central to reducing residual identity risk, while the CISA Zero Trust Maturity Model reinforces the need to verify access continuously rather than trusting historical assignment.
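As an added illustration of the inventory-versus-usage comparison described above (example code written for this page, not NHIMG's tooling), the following Python script triages a constructed NHI inventory against usage telemetry and lifecycle records. It assumes a 90-day dormancy threshold and a set of issuing systems whose authentication logs are ingested; every identifier, record and threshold in it is constructed. The point is the order of the checks: lifecycle evidence first, telemetry coverage second, time since last use last, so that a credential with no usage data is reported as a telemetry gap rather than as safe, and a credential belonging to a retired workload that is still authenticating is reported as anomalous rather than dormant.

```python
"""Dormant-access triage over a constructed NHI inventory.

Added example, not NHIMG code. It cross-references the three evidence
sources the page relies on: the entitlement inventory, usage telemetry
(last successful authentication per credential) and ownership/workload
records. Every identifier, record and threshold below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold, not a standard value


@dataclass
class Entitlement:
    nhi_id: str
    kind: str                # service_account | api_key | certificate | cloud_role
    issuer: str              # system whose auth logs would show this NHI being used
    workload: str            # workload the entitlement was created for
    owner: Optional[str]     # None when ownership metadata has been lost


@dataclass
class Finding:
    nhi_id: str
    status: str              # active | dormant | anomalous_use | no_telemetry
    reason: str
    flags: list = field(default_factory=list)


def classify(ent, last_seen, covered_issuers, retired_workloads, now):
    """Decide one entitlement's status from inventory, telemetry and lifecycle evidence.

    last_seen is the last observed authentication (None = never observed within
    the telemetry retention window). Lifecycle evidence is checked first, then
    telemetry coverage, and only then time since last use, so that "no usage
    recorded" is never silently read as "safe".
    """
    flags = []
    if ent.owner is None:
        flags.append("owner_missing")   # nobody can attest the access is still justified

    if ent.workload in retired_workloads:
        if last_seen is not None and now - last_seen <= DORMANT_AFTER:
            # Workload is gone but something still authenticates with its
            # credential: treat as potential misuse, not as dormancy.
            return Finding(ent.nhi_id, "anomalous_use",
                           f"workload {ent.workload} retired but used {(now - last_seen).days} days ago",
                           flags)
        return Finding(ent.nhi_id, "dormant", f"workload {ent.workload} retired", flags)

    if ent.issuer not in covered_issuers:
        # Telemetry gap: absence of usage data is not evidence of non-use.
        return Finding(ent.nhi_id, "no_telemetry",
                       f"auth logs from {ent.issuer} not ingested", flags)

    if last_seen is None:
        return Finding(ent.nhi_id, "dormant",
                       "no authentication within telemetry retention window", flags)
    idle = now - last_seen
    if idle > DORMANT_AFTER:
        return Finding(ent.nhi_id, "dormant",
                       f"idle {idle.days} days (threshold {DORMANT_AFTER.days})", flags)
    return Finding(ent.nhi_id, "active", f"used {idle.days} days ago", flags)


def triage(inventory, telemetry, covered_issuers, retired_workloads, now):
    return [classify(e, telemetry.get(e.nhi_id), covered_issuers, retired_workloads, now)
            for e in inventory]


# --- constructed sample data (hypothetical names, mirroring the page's examples) ---
NOW = datetime(2026, 6, 20, tzinfo=timezone.utc)
INVENTORY = [
    Entitlement("sa-ci-deploy-legacy", "service_account", "okta", "ci-pipeline-legacy", "platform-team"),
    Entitlement("apikey-billing-v1", "api_key", "api-gateway", "billing-v1", "billing-team"),
    Entitlement("cert-platform-a-to-b", "certificate", "internal-pki", "platform-b-sync", None),
    Entitlement("role-migration-2025", "cloud_role", "aws", "data-migration", "data-team"),
    Entitlement("token-reporting-export", "api_key", "api-gateway", "reporting", None),
    Entitlement("apikey-partner-feed", "api_key", "legacy-gateway", "partner-feed", "integrations-team"),
    Entitlement("sa-monitoring", "service_account", "okta", "monitoring", "sre-team"),
]
TELEMETRY = {                                   # nhi_id -> last successful authentication
    "sa-ci-deploy-legacy": NOW - timedelta(days=200),
    "apikey-billing-v1": NOW - timedelta(days=3),
    "cert-platform-a-to-b": NOW - timedelta(days=10),
    "token-reporting-export": NOW - timedelta(days=150),
    "sa-monitoring": NOW - timedelta(days=1),
}
COVERED_ISSUERS = {"okta", "aws", "api-gateway", "internal-pki"}   # legacy-gateway logs are not ingested
RETIRED_WORKLOADS = {"ci-pipeline-legacy", "billing-v1"}


def sample_findings():
    return triage(INVENTORY, TELEMETRY, COVERED_ISSUERS, RETIRED_WORKLOADS, NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.nhi_id:24} {f.status:14} {f.reason}  {','.join(f.flags)}")
```

Run on the constructed data, the retired CI service account and the 150-day-idle reporting token come out dormant, the billing key is anomalous because its workload is retired yet it authenticated three days ago, the certificate integration is active but flagged for a missing owner, and the partner-feed key is reported as a telemetry gap rather than as either active or dormant. The same ordering applies to real inventories: a review that only sorts by last-used date would have marked that last key safe.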
Why It Matters in NHI Security
Dormant access is dangerous because it expands the reachable attack surface without delivering current business value. In practice, it creates a hidden path for privilege reuse, lateral movement, and control-plane abuse when an attacker discovers a still-valid credential or token. It also weakens governance by making access reviews look complete while leaving operationally irrelevant entitlements in place. That is why dormant access often overlaps with poor offboarding, weak rotation discipline, and incomplete NHI inventory.
NHIMG reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that 71% of NHIs are not rotated within recommended time frames, which helps explain how stale access persists long enough to become exploitable. The Ultimate Guide to NHIs — Key Challenges and Risks is a useful reference for understanding why unused access still matters in real environments. NIST's Zero Trust Architecture guidance supports the operational response: verify, limit, and revalidate access rather than assuming historical legitimacy. Organisations typically encounter dormant access only during an incident review, at which point remediation can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses stale, over-retained NHI access and poor secret lifecycle control. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero Trust requires dynamic, continuous revalidation of access instead of trusting old access assignments. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed, which is what prevents stale entitlements from persisting. |
Track dormant access as an entitlement hygiene issue: remediate it during periodic reviews, and treat missing usage telemetry or a missing owner record as findings in their own right rather than as evidence that the access is safe.
Reviewed and updated by the NHIMG editorial team on June 20, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org