Permissions that remain active in an account even though the user rarely or never uses them. In NHI governance, dormant permissions matter because automation can exercise every entitlement, turning what looked like unused access into immediate operational and security exposure.
Expanded Definition
Dormant permissions are entitlements that remain assigned but are not routinely exercised. In NHI governance, the risk is not inactivity itself, but the fact that an automated workload, agent, or integration can use those rights immediately if compromised or misrouted.
Usage in the industry is still evolving, and no single standard governs this term yet, but it is usually treated as an access-review problem under least privilege, role design, and privileged access management. The distinction matters because dormant permissions are not the same as disabled accounts or expired credentials: the identity may still be valid, the permissions still effective, and the control gap still exploitable. That is why frameworks such as the OWASP Non-Human Identity Top 10 emphasize privilege minimisation across the full lifecycle.
The most common misapplication is assuming a permission is harmless because nobody has used it recently. That happens when entitlement reviews measure login frequency instead of what the NHI could execute at the moment of compromise: an identity that is active every day can still carry entitlements it has not exercised in months.
Examples and Use Cases
Tightening dormant-permission controls adds review overhead and some temporary friction, so organisations have to weigh operational speed against entitlement governance. The problem shows up in a few recurring forms:
- An API key for a deployment service still has write access to production, even though the service has not deployed in weeks.
- A cloud automation role retains snapshot and export privileges after a migration project ends, creating avoidable data exposure.
- An AI Agent with tool access keeps administrative permissions that were useful during testing but are no longer needed in production.
- A service account used for batch processing still has access to secrets it no longer reads, which expands blast radius if the account is abused.
- A third-party integration remains authorised for broad RBAC scope after a vendor workflow changes, a pattern often highlighted in the Ultimate Guide to NHIs — Key Challenges and Risks.
In practice, dormant permissions are uncovered during entitlement recertification, incident response, or cloud posture reviews. They are also closely related to the access sprawl issues discussed in the OWASP Non-Human Identity Top 10, where excessive permissions often persist long after the original business need has passed.
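A recertification review that looks at identity-level activity will pass a busy service account even when half of its entitlements are idle. The script below is an added example (not NHIMG code or a tool from the page) of the per-permission check a reviewer actually needs: it takes an entitlement inventory with a last-used timestamp per permission, flags entries idle beyond a window, ranks them by what they allow rather than how often the identity appears, and then shows which identities a login-frequency review would have passed while they still hold dormant rights. The inventory format, the risk categories, the 30-day window and the sample records are all assumptions constructed for the example.

```python
"""Flag dormant NHI permissions by what they can do, not by how often the identity logs in.

Added example, not NHIMG code. The inventory format is an assumption: one record per
(identity, permission) with the last time that permission was exercised, similar in
shape to cloud "last accessed" reports. The sample data is constructed inline so the
script runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANT_AFTER = timedelta(days=30)  # review window; an assumption, tune per environment

# Weight by what a permission lets an NHI do at the moment of compromise.
# The categories are an assumed classification for the example.
RISK_WEIGHTS = {"admin": 10, "secrets_read": 8, "data_export": 7, "write": 5, "read": 1}


@dataclass(frozen=True)
class Entitlement:
    identity: str                  # NHI name: service account, role, API key id
    permission: str                # granted action or scope
    category: str                  # one of RISK_WEIGHTS
    last_used: Optional[datetime]  # None = never exercised since it was granted
    granted_at: datetime


@dataclass(frozen=True)
class Finding:
    identity: str
    permission: str
    idle_days: int
    risk: int


def find_dormant(inventory, now, dormant_after=DORMANT_AFTER):
    """Per-permission view: entitlements idle for at least dormant_after, highest risk first.

    A never-used permission is measured from its grant date, so a fresh grant is
    not flagged until the window has elapsed.
    """
    findings = []
    for e in inventory:
        idle = now - (e.last_used or e.granted_at)
        if idle >= dormant_after:
            findings.append(Finding(e.identity, e.permission, idle.days, RISK_WEIGHTS[e.category]))
    return sorted(findings, key=lambda f: (-f.risk, -f.idle_days, f.identity))


def looks_active(inventory, now, dormant_after=DORMANT_AFTER):
    """Identity-level view: NHIs that used *any* permission inside the window.

    This is what a login-frequency review sees, and it is the view that hides
    dormant permissions on otherwise busy identities.
    """
    last_seen = {}
    for e in inventory:
        if e.last_used is not None and (e.identity not in last_seen or e.last_used > last_seen[e.identity]):
            last_seen[e.identity] = e.last_used
    return {i for i, ts in last_seen.items() if now - ts < dormant_after}


def active_identities_with_dormant_rights(inventory, now, dormant_after=DORMANT_AFTER):
    """Identities a frequency-based review would pass but that still hold dormant rights."""
    dormant = {f.identity for f in find_dormant(inventory, now, dormant_after)}
    return sorted(dormant & looks_active(inventory, now, dormant_after))


# Constructed sample inventory; names and timestamps are illustrative only.
NOW = datetime(2026, 5, 26, tzinfo=timezone.utc)
D = timedelta(days=1)
SAMPLE_INVENTORY = [
    Entitlement("deploy-api-key", "prod:write", "write", NOW - 45 * D, NOW - 400 * D),
    Entitlement("deploy-api-key", "deployments:read", "read", NOW - 1 * D, NOW - 400 * D),
    Entitlement("migration-role", "rds:export", "data_export", None, NOW - 200 * D),
    Entitlement("batch-sa", "secrets:read", "secrets_read", NOW - 90 * D, NOW - 365 * D),
    Entitlement("batch-sa", "queue:write", "write", NOW - timedelta(hours=2), NOW - 365 * D),
    Entitlement("agent-test", "admin:*", "admin", None, NOW - 10 * D),  # too new to flag yet
]

if __name__ == "__main__":
    for f in find_dormant(SAMPLE_INVENTORY, NOW):
        print(f"{f.identity:15} {f.permission:18} idle {f.idle_days:3}d  risk {f.risk}")
    print("active by login frequency but holding dormant rights:",
          active_identities_with_dormant_rights(SAMPLE_INVENTORY, NOW))
```

Two caveats when running this against real data. A permission with no usage telemetry at all (many platforms only log a subset of actions) shows up as never used; treat it as dormant for review purposes but confirm with the owner before removal, since the absence of a signal is not proof of the absence of use. And the identity-level result is the important one: `batch-sa` and `deploy-api-key` both pass a frequency check, yet each still carries a high-weight entitlement that nothing has exercised in over a month.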
Why It Matters in NHI Security
Dormant permissions matter because NHI compromise is usually about what an attacker can do after gaining a foothold, not just how they entered. If a workload identity, token, or secret is exposed, any unused but still-active entitlement can become an immediate path to privilege escalation, data exfiltration, or environment manipulation. That is why NHI governance must pair inventory with continuous access validation.
The scale of the problem is measurable: the Ultimate Guide to NHIs — Key Challenges and Risks reports that 97% of NHIs carry excessive privileges, which shows how often unused access stays in place long enough to matter operationally. The same issue appears in identity frameworks that prioritise least privilege, including the OWASP Non-Human Identity Top 10, because permission excess is rarely visible until an incident forces a full review.
Organisations typically encounter dormant permissions only after a secret leak, anomalous automation, or a post-incident access review, at which point the problem can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Focuses on overprivileged NHIs and entitlement hygiene across the lifecycle. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations are managed, enforced, and reviewed under least privilege, so they must match current business need. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust | Access is granted per session and authorization is evaluated dynamically; standing access is not assumed safe without continuous verification. |
Review NHI entitlements regularly and remove unused access before it becomes an attack path.
Reviewed and updated by the NHIMG editorial team on May 26, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org