Explanation of terms:
An orphaned account is a user account in a system that can no longer be assigned to an active person, for example because an employee has left the company and access has never been deactivated. Such "orphaned" accounts are often active for years without being noticed, sometimes with far-reaching access rights.
Why are orphaned accounts a risk?
- Security gap for attacks: orphaned accounts often keep their active rights, which makes them an easy entry point for attackers.
- No control, no transparency: nobody notices when data or systems are accessed via such an account.
- Violation of principles such as "least privilege" and compliance guidelines
- Cost factor: Orphaned accounts may consume licenses, resources or cause administrative effort without providing any benefit.
How do orphaned accounts arise?
- Lack of offboarding when employees leave the company
- Manual processes without automatic deactivation
- M&A phases (e.g. when merging directories)
- Historically grown systems without a central account overview
- Technical service or API accounts that have never been dismantled
What can be done about it?
Automation is the key.
Orphaned accounts can be quickly identified and eliminated using modern IGA or PAM systems. The important points here are:
- Regular access reviews: who still has which rights, and do they really need them?
- Automated provisioning & deprovisioning: The entire lifecycle of an account should be traceable and controlled - from entry to deactivation.
- Role-based assignment of rights: Defining the right roles and accesses prevents unnecessary accounts from the outset.
Best practices for avoidance
- Only as many accounts as necessary, but as automated as possible
- Check access rights regularly (Access Review)
- Consistently close or delete old accounts
- Make cloud and on-prem directories (e.g. Active Directory, Entra ID) visible in one system
- Use PAM systems to also manage privileged, orphaned accounts
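The access review described under "What can be done about it?" and the best practices listed above, as an added example that is not part of the original article: a Python script that cross-checks directory exports against an HR roster and flags accounts that no longer map to an active person, service accounts without a responsible owner, accounts with no recent logon, and disabled accounts that were never deleted, with privileged accounts listed first. The roster, the account rows and all field names (employee_id, owner_id, last_logon) are constructed assumptions for illustration; a real IGA or PAM deployment would obtain them from its directory and HR connectors.

```python
"""Orphaned-account review (added example, constructed data).

Cross-checks account exports from two directories (a constructed "AD" export
and a constructed "Entra ID" export) against a constructed HR roster.
Field names are assumptions for this example, not any product's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    source: str                    # directory the row came from, e.g. "AD"
    name: str                      # account name as exported
    enabled: bool
    last_logon: Optional[date]     # None = never logged on
    privileged: bool               # admin / highly privileged account
    employee_id: Optional[str] = None   # None for technical/service accounts
    owner_id: Optional[str] = None      # responsible employee for service accounts


@dataclass
class Finding:
    account: str
    source: str
    reasons: List[str]
    privileged: bool


def review_accounts(roster: Dict[str, dict], accounts: List[Account],
                    as_of: date, stale_days: int = 90) -> List[Finding]:
    """Return one Finding per account that fails the review, privileged first."""
    findings = []
    stale_before = as_of - timedelta(days=stale_days)
    for acct in accounts:
        reasons = []
        if acct.employee_id is not None:
            # Personal account: must map to an active HR record.
            person = roster.get(acct.employee_id)
            if person is None:
                reasons.append("no matching HR record")
            elif person["status"] != "active":
                reasons.append(f"owner left on {person['left_on']}")
        else:
            # Service/API account: must have an active responsible owner.
            owner = roster.get(acct.owner_id) if acct.owner_id else None
            if owner is None:
                reasons.append("service account without a responsible owner")
            elif owner["status"] != "active":
                reasons.append(f"service account owner left on {owner['left_on']}")
        # Stale check applies to enabled accounts only.
        if acct.enabled and (acct.last_logon is None or acct.last_logon < stale_before):
            reasons.append(f"no logon in the last {stale_days} days")
        if reasons:
            if not acct.enabled:
                # Already disabled but never removed: still needs cleanup.
                reasons.append("disabled but not deleted")
            findings.append(Finding(acct.name, acct.source, reasons, acct.privileged))
    # Privileged accounts first (PAM scope), then by directory and name.
    findings.sort(key=lambda f: (not f.privileged, f.source, f.account))
    return findings


# Constructed HR roster: employee id -> record.
HR_ROSTER = {
    "E1001": {"name": "Anna Example", "status": "active", "left_on": None},
    "E1002": {"name": "Ben Example", "status": "left", "left_on": date(2023, 2, 28)},
    "E1003": {"name": "Cara Example", "status": "active", "left_on": None},
}

# Constructed directory exports from two systems, merged into one view.
ACCOUNTS = [
    Account("AD", "anna.example", True, date(2024, 5, 28), False, employee_id="E1001"),
    Account("AD", "ben.example", True, date(2023, 2, 27), True, employee_id="E1002"),
    Account("Entra ID", "ben.example@example.com", False, date(2023, 2, 20), False,
            employee_id="E1002"),
    Account("AD", "svc-backup", True, date(2024, 5, 30), True, owner_id="E1002"),
    Account("AD", "svc-legacy-etl", True, None, False),
    Account("Entra ID", "cara.example@example.com", True, date(2024, 1, 10), False,
            employee_id="E1003"),
    Account("AD", "dtemp", True, date(2024, 5, 20), False, employee_id="E9999"),
]

AS_OF = date(2024, 6, 1)   # review date for the constructed data


if __name__ == "__main__":
    for f in review_accounts(HR_ROSTER, ACCOUNTS, AS_OF):
        flag = "PRIVILEGED " if f.privileged else ""
        print(f"{flag}{f.source}: {f.account}: {'; '.join(f.reasons)}")
```

Run on the constructed data, the script reports six accounts and leaves only the active, recently used personal account untouched; the two privileged findings (a left employee's admin account and a service account whose owner has left) come first so they can be routed to the PAM process before the rest of the cleanup.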
Conclusion
Orphaned accounts are a potential risk and attack vector. Companies should therefore regularly check their account structures and set up automated processes to maintain permanent control over their identities.