Zombie Identity

By NHI Mgmt Group Updated June 23, 2026 Domain: Threats, Abuse & Incident Response

A zombie identity is an account or credential that remains active after the business need, owner, or operating context that justified it has gone stale. In cloud environments these identities are dangerous because they typically retain their permissions, are rarely reviewed, and can be reused by an attacker for persistence or lateral movement.

Expanded Definition

A zombie identity is not just an unused account. It is an identity object that still has usable access, credentials, or trust relationships after the business purpose, owner, or operating context has ended. In NHI security, that makes it distinct from an intentionally dormant account, because the risk comes from stale authorization, not simple inactivity.

Definitions vary across vendors, but the operational meaning is consistent: the identity remains present in cloud IAM, CI/CD, SaaS, or infrastructure systems long enough to become exploitable. The NIST Cybersecurity Framework 2.0 is useful here because it emphasizes ongoing governance, access management, and asset visibility rather than one-time provisioning. Zombie identities often appear when offboarding is incomplete, ownership is unclear, or service accounts are created for short projects and then forgotten.

At NHIMG, zombie identities are treated as a lifecycle failure, not a mere housekeeping issue. They are especially dangerous when they inherit broad permissions, are tied to automation, or are exempt from normal review cycles. The most common misjudgement is treating an account as harmless because it has not been used recently: inactivity is not revocation, and an unused credential authenticates exactly as well as a busy one.

Examples and Use Cases

Rigorous zombie identity controls add inventory and governance overhead, so organisations have to weigh the attack-surface reduction against the cost of continuous review.

  • A cloud service account created for a temporary migration remains active after the project ends, retaining API permissions that an attacker can later reuse.
  • A CI/CD token embedded in an old deployment job survives several application rewrites and becomes a persistent path into production tooling. NHIMG’s Ultimate Guide to NHIs shows how stale credentials commonly outlive the workflows that created them.
  • An employee leaves, but their machine account or script credential is never revoked, so scheduled jobs keep running with unnecessary access.
  • A vendor integration is disabled on the application side, yet the corresponding API key is still valid and can be abused if discovered through logs or repositories.
  • In breach investigations, teams often find that the initial compromise used a forgotten identity rather than a freshly created one, a pattern documented in NHIMG’s 52 NHI Breaches Analysis and one reason NIST’s Cybersecurity Framework 2.0 stresses governance and continuous monitoring over one-time provisioning.

Why It Matters in NHI Security

Zombie identities matter because they combine persistence, privilege, and obscurity. NHIMG reports that 97% of NHIs carry excessive privileges, and that single fact makes stale accounts especially hazardous when they are no longer watched by an owner or process. In practice, a zombie identity can become the easiest path for lateral movement, unauthorized deployment, or data access long after the original team believes it has been retired.

The problem is amplified in environments where secrets are stored outside dedicated managers, where service accounts are poorly cataloged, or where offboarding is manual. NHIMG’s Top 10 NHI Issues and the Ultimate Guide to NHIs both stress that visibility and revocation discipline are foundational, not optional. The governance lesson is simple: if an identity cannot be tied to a current owner, purpose, and expiry condition, it is already drifting toward zombie status.
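The owner, purpose and expiry rule above can be turned directly into triage logic. The script below is an added example for this glossary entry, not NHIMG's tooling or any vendor's product: it classifies a constructed inventory whose rows mirror the use cases listed earlier, treating an identity as a zombie when its credential still works after its owner, purpose or expiry has lapsed, and as merely dormant when it is inactive but still governed. The record fields, the 90-day dormancy window, the state names and the sample identities are all assumptions chosen for illustration.

```python
"""Zombie-identity triage over a constructed NHI inventory.

Added example for this glossary entry; not NHIMG's tooling. The record
fields, the 90-day dormancy window and the sample rows are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2026, 6, 23)           # fixed so the example is reproducible
DORMANT_AFTER = timedelta(days=90)  # assumed inactivity threshold
SEVERITY = {"zombie": 0, "drifting": 1, "dormant": 2, "healthy": 3, "retired": 4}


@dataclass
class Identity:
    name: str
    kind: str                    # service_account, ci_token, api_key, machine_account
    credential_active: bool      # can the secret/key still authenticate?
    permissions: list[str]
    owner: Optional[str]         # None = nobody on record
    owner_active: bool           # recorded owner still with the organisation
    purpose_active: bool         # project/integration/workflow still exists
    last_used: Optional[date]    # None = never used
    expires: Optional[date]      # None = no expiry condition at all
    review_exempt: bool = False  # excluded from periodic access review


def classify(ident: Identity, today: date = TODAY) -> tuple[str, list[str]]:
    """Return (state, reasons) for one identity.

    The test is stale authorization, not inactivity: a credential that still
    works after owner, purpose or expiry has lapsed is a zombie even if it
    authenticated this morning. An identity with no expiry or no review is
    drifting; one that is inactive but still owned, purposeful and bounded
    is only dormant.
    """
    if not ident.credential_active:
        return "retired", ["credential revoked"]

    stale = []
    if ident.owner is None:
        stale.append("no owner on record")
    elif not ident.owner_active:
        stale.append(f"owner {ident.owner} has left")
    if not ident.purpose_active:
        stale.append("business purpose ended")
    if ident.expires is not None and ident.expires < today:
        stale.append(f"expired {ident.expires} but still valid")
    if stale:
        return "zombie", stale

    drift = []
    if ident.expires is None:
        drift.append("no expiry condition")
    if ident.review_exempt:
        drift.append("exempt from access review")
    if drift:
        return "drifting", drift

    if ident.last_used is None or today - ident.last_used > DORMANT_AFTER:
        return "dormant", ["inactive but owner, purpose and expiry are intact"]
    return "healthy", []


def triage(inventory: list[Identity], today: date = TODAY) -> list[tuple[str, str, int, list[str]]]:
    """Rank the inventory: worst state first, broadest permissions first within a state."""
    rows = []
    for ident in inventory:
        state, reasons = classify(ident, today)
        rows.append((ident.name, state, len(ident.permissions), reasons))
    return sorted(rows, key=lambda r: (SEVERITY[r[1]], -r[2], r[0]))


# Constructed inventory mirroring the use cases listed earlier on this page.
INVENTORY = [
    Identity("migration-svc", "service_account", True, ["s3:*", "dynamodb:*", "iam:PassRole"],
             "platform-team", True, purpose_active=False, last_used=date(2025, 11, 2), expires=None),
    Identity("legacy-deploy-token", "ci_token", True, ["deploy:prod", "secrets:read"],
             None, False, purpose_active=True, last_used=date(2026, 6, 20), expires=None),
    Identity("jdoe-batch", "machine_account", True, ["db:read", "db:write"],
             "jdoe", False, purpose_active=True, last_used=date(2026, 6, 22), expires=date(2027, 1, 1)),
    Identity("vendor-x-apikey", "api_key", True, ["webhook:post"],
             "integrations", True, purpose_active=False, last_used=date(2025, 3, 1), expires=date(2026, 1, 1)),
    Identity("analytics-export-sa", "service_account", True, ["bq:read", "gcs:write"],
             "data-eng", True, purpose_active=True, last_used=date(2026, 6, 1), expires=None, review_exempt=True),
    Identity("dr-failover-sa", "service_account", True, ["rds:FailoverDBCluster"],
             "sre", True, purpose_active=True, last_used=date(2025, 12, 1), expires=date(2026, 12, 31)),
    Identity("prod-api-sa", "service_account", True, ["kms:Decrypt"],
             "payments", True, purpose_active=True, last_used=date(2026, 6, 23), expires=date(2026, 9, 30)),
    Identity("old-ci-key", "ci_token", False, ["deploy:prod"],
             "platform-team", True, purpose_active=True, last_used=date(2024, 1, 1), expires=date(2024, 6, 1)),
]

if __name__ == "__main__":
    for name, state, n_perms, reasons in triage(INVENTORY):
        print(f"{state:8} {name:20} perms={n_perms} {'; '.join(reasons)}")
```

Two rows make the page's distinction concrete: jdoe-batch was used yesterday and is still a zombie because its owner has left, while dr-failover-sa has been idle for months and is only dormant because it still has an owner, a purpose and an expiry date. Feeding a real inventory in means mapping each identity source (cloud IAM, CI/CD secrets, SaaS integrations) onto these fields, which is exactly the cataloguing work the text describes.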

Organisations typically discover the consequences only during a breach review, at which point zombie identity cleanup can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Zombie identities are the direct result of secrets and accounts that survive missing or incomplete offboarding.
NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services and hardware must be managed across their lifecycle, so stale ones are found and removed rather than merely provisioned.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust | Authentication and authorization are dynamic and enforced per request, which removes the standing, unreviewed trust a zombie identity depends on.

Maintain accurate NHI inventory and continuously remove identities that no longer serve a business function.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org