- Abandoned accounts—including human and non-human identities—persist across applications and cloud consoles, creating hidden access risks.
- Attackers have exploited dormant accounts in real incidents, including the Colonial Pipeline breach and a 2025 manufacturing Ransomware case noted by Barracuda.
- Causes include integration gaps in IAM, partial visibility, unclear ownership, and the rise of agent-AI and non-human identities.
- Continuous identity audit using application telemetry, unified logs, and automated enforcement can reveal and remediate these accounts.
On Jan. 20, 2026, a security analysis described how organizations accumulate dormant accounts—human and non-human—that remain active across systems due to fragmented identity management. These accounts, often called “orphan” accounts, exist because traditional IAM and IGA systems require manual integration for each application and typically focus on staffed users.
The report lists several root causes: per-application integration bottlenecks, IAM tools having only partial visibility, unclear ownership after reorganizations or mergers, and new semi-autonomous agent identities created by automation and AI. It notes that non-human identities (service accounts, bots, APIs, agent-AI processes) frequently operate outside standard governance.
Real incidents illustrate the threat. The 2021 pipeline incident involved an older VPN account described as “inactive/legacy” in reporting by DarkReading (https://www.darkreading.com/cyberattacks-data-breaches/colonial-pipeline-ceo-ransomware-attack-started-via-pilfered-legacy-vpn-account). A 2025 manufacturing breach was traced to a “ghost” third-party vendor account, detailed by Barracuda (https://blog.barracuda.com/2025/02/05/soc-case-files-akira-ransomware-ghost-account). Post-merger consolidations also frequently surface thousands of stale tokens and accounts.
The piece recommends full identity observability: collecting application-level telemetry, correlating joiner/mover/leaver events and authentication logs into a unified audit trail, mapping real usage to roles, and automatically flagging or disabling unused accounts. It points readers to additional materials on IAM shortcuts (https://eu1.hubs.ly/H0qZhR60) and to an audit playbook for continuous application inventory reporting (https://eu1.hubs.ly/H0qZhXs0).
The contribution was authored by Roy Katmor, and notes his role with Orchid Security (https://eu1.hubs.ly/H0qBxh00; https://www.linkedin.com/in/roykatmor/).
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Europe’s $8T US Holdings Threaten Sell-Off Over Greenland Now…
- NYSE Moves to 24/7 Tokenized Stock and ETF Trading Pilot Now
- Anthropic’s Git MCP server flaws enable prompt RCE risk ASAP
- Zambia’s Mines Begin Paying Taxes in Chinese Yuan; RMB Gains
- NYSE Launches Tokenized Stocks/ETFs, Chainlink Not Excluded.
