
Zombie License

By NHI Mgmt Group Updated June 9, 2026 Domain: Governance, Ownership & Risk

A paid software license attached to an account that is no longer actively used. It is a financial waste signal and a governance signal, because unused entitlements often indicate unclear ownership or incomplete offboarding.

Expanded Definition

A zombie license is a paid software entitlement that remains assigned to an account, user, service account, or agent that is no longer actively using it. In NHI and IAM governance, it is not just a cost leak. It is evidence that lifecycle controls, ownership, or offboarding are failing.

Definitions vary across vendors because license management, identity governance, and software asset management often measure “unused” differently. For NHI Management Group, the useful test is operational: if an entitlement is still payable but no current business process depends on it, the license is zombie-like and should be reviewed. This matters even more in environments shaped by NIST Cybersecurity Framework 2.0, where asset visibility and access governance are expected to be continuous rather than periodic. The concept overlaps with dormant accounts and orphaned access, but a zombie license is specifically about wasteful retention of paid access.

The most common mistake is treating zombie licenses as a procurement-only issue: teams renew subscriptions on schedule without reconciling entitlement usage against identity ownership and offboarding records, so the renewal pays for access nobody has confirmed is still needed.

Examples and Use Cases

Implementing zombie-license cleanup rigorously often introduces reconciliation overhead, requiring organisations to weigh savings and risk reduction against the time needed to validate usage, ownership, and business justification.

  • A software seat remains assigned to an employee who left months ago, but the HR offboarding event never triggered license reclaim.
  • A paid API platform account stays active for a decommissioned integration, even though the associated service has been retired.
  • A contractor’s collaboration suite subscription is renewed automatically after the engagement ends, creating a billable entitlement with no business owner.
  • An internal agentic workflow retains premium tool access after the workflow is replaced, leaving unused access tied to a still-paid plan.
  • License inventory reviews reveal that a dormant service account still maps to a costly vendor tier, even though no automation calls it anymore.

These situations are easier to identify when entitlement data is tied to identity lifecycle events and inventory records, as described in the Ultimate Guide to NHIs. They also align with lifecycle and access-review expectations reflected in NIST Cybersecurity Framework 2.0, especially where ownership and access decisions must be traceable.

Why It Matters in NHI Security

Zombie licenses matter because they often point to broader control failures: stale ownership, weak offboarding, and poor visibility into non-human access. In NHI environments, those failures rarely stay financial. They create residue that attackers, auditors, and incident responders can all exploit or question later. NHI Mgmt Group reports that only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why unused entitlements so often persist beyond their intended lifecycle. The same governance gap appears in broader visibility findings in the Ultimate Guide to NHIs.

For security teams, the important point is that a zombie license can mask a deeper control gap: an account that still exists, a secret that still works, or an agent that still has tool access. That is why license review belongs alongside access review, not after it. Organisations typically notice the operational impact only when renewal costs spike, an audit asks for entitlement justification, or a stale account turns up during an incident; by then the cleanup can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                         Control / Reference            Relevance
NIST CSF 2.0                      PR.AA-01                       Identity governance requires knowing who or what still holds active entitlements.
OWASP Non-Human Identity Top 10   NHI1 (Improper Offboarding)    Stale non-human access reflects weak lifecycle and offboarding controls for NHIs.
OWASP Non-Human Identity Top 10   NHI7 (Long-Lived Secrets)      A still-paid entitlement may sit behind a credential that still works; reclaiming the license should also revoke the secret.
NIST SP 800-63                                                   Digital identity assurance depends on lifecycle state, enrollment, and revocation discipline.

Reconcile licenses to current identity owners and remove stale assignments during access reviews.
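As an added example (not NHI Mgmt Group code), the following Python reconciliation applies the operational test from the Expanded Definition to the cases listed under Examples and Use Cases: it joins paid license assignments to an identity inventory, HR or contract offboarding events, and last-activity data, records every reason an entitlement looks zombie-like, and routes findings on still-enabled identities to access review rather than to procurement alone. The record shapes, field names, the 90-day inactivity window and all sample records are constructed assumptions.

```python
"""Reconcile paid license assignments against identity lifecycle records.

Added example, not NHI Mgmt Group code. Record shapes, field names, the
inactivity window and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class License:
    license_id: str
    product: str
    principal: str            # human, service account, or agent identity
    monthly_cost: float


@dataclass(frozen=True)
class Identity:
    principal: str
    kind: str                 # "human", "service" or "agent"
    enabled: bool             # account can still authenticate
    owner: Optional[str]      # accountable business owner, None if unassigned
    last_used: Optional[date]
    depends_on: Optional[str]  # current business process relying on it, if any


@dataclass
class Finding:
    license_id: str
    principal: str
    monthly_cost: float
    reasons: list = field(default_factory=list)
    still_enabled: bool = False


def find_zombie_licenses(licenses, identities, offboarded, as_of, inactivity_days=90):
    """Flag every license that is still payable but shows no current dependency.

    offboarded maps principal -> date of the HR/contract end event.
    All independent signals are collected so the reviewer sees each of them.
    """
    by_principal = {i.principal: i for i in identities}
    cutoff = as_of - timedelta(days=inactivity_days)
    findings = []
    for lic in licenses:
        ident = by_principal.get(lic.principal)
        reasons = []
        if ident is None:
            reasons.append("orphaned: principal not in identity inventory")
        else:
            if lic.principal in offboarded:
                reasons.append(f"offboarded {offboarded[lic.principal]} but license never reclaimed")
            if ident.owner is None:
                reasons.append("no business owner recorded")
            if ident.last_used is None or ident.last_used < cutoff:
                reasons.append(f"no activity in the last {inactivity_days} days")
            if ident.depends_on is None:
                reasons.append("no current business process depends on this entitlement")
        if reasons:
            findings.append(Finding(lic.license_id, lic.principal, lic.monthly_cost,
                                    reasons, still_enabled=ident.enabled if ident else False))
    return findings


def route(finding):
    """A zombie license on a still-enabled identity is an access gap first and a
    cost issue second, so it goes to access review rather than procurement only."""
    return "access-review" if finding.still_enabled else "procurement-reclaim"


def monthly_waste(findings):
    return round(sum(f.monthly_cost for f in findings), 2)


def sample_data():
    """Constructed records mirroring the cases in the Examples section."""
    as_of = date(2026, 6, 9)
    licenses = [
        License("L-001", "design-suite", "alice", 30.0),                 # employee who left
        License("L-002", "api-platform", "svc-billing-sync", 450.0),     # retired integration
        License("L-003", "collab-suite", "contractor-bob", 25.0),        # engagement ended
        License("L-004", "premium-tools", "agent-triage-v1", 200.0),     # replaced workflow
        License("L-005", "vendor-tier-3", "svc-legacy-export", 1200.0),  # dormant service account
        License("L-006", "ci-runner", "svc-old-ci", 80.0),               # absent from inventory
        License("L-007", "design-suite", "carol", 30.0),                 # healthy, in use
    ]
    identities = [
        Identity("alice", "human", True, "eng-mgr", date(2026, 1, 15), None),
        Identity("svc-billing-sync", "service", True, "payments", date(2025, 11, 30), None),
        Identity("contractor-bob", "human", True, None, date(2026, 2, 20), None),
        Identity("agent-triage-v1", "agent", True, "support-ops", date(2026, 4, 1), None),
        Identity("svc-legacy-export", "service", False, "data-platform", None, None),
        Identity("carol", "human", True, "eng-mgr", date(2026, 6, 1), "finance-close"),
    ]
    offboarded = {"alice": date(2026, 2, 1), "contractor-bob": date(2026, 3, 1)}
    return licenses, identities, offboarded, as_of


if __name__ == "__main__":
    lics, ids, off, today = sample_data()
    found = find_zombie_licenses(lics, ids, off, today)
    for f in found:
        print(f"{f.license_id} {f.principal:18} {route(f):19} {'; '.join(f.reasons)}")
    print(f"monthly waste: {monthly_waste(found):.2f} across {len(found)} of {len(lics)} licenses")
```

On the sample data six of the seven licenses are flagged; the former employee, the retired integration, the contractor and the replaced agent workflow all sit on identities that can still authenticate, so they are routed to access review, while the disabled service account and the principal missing from the inventory go to procurement reclaim. The inactivity window is a review trigger, not proof of non-use: the reasons list exists so a human owner can confirm or refute each signal before the entitlement is removed.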

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org