Most breaches do not begin with an exotic zero-day. They begin with an account that should not still work, but does. A former employee whose access was never fully removed. An admin right that was granted for a one-time task three years ago and never taken back. A service account that nobody remembers creating and nobody owns.
This is the quietest part of your attack surface, precisely because it is made of things nobody is looking at.
How the surface grows
Excess access accumulates through completely normal operations. A few patterns show up everywhere:
- Orphaned accounts. Someone leaves or changes role, and an account stays active because offboarding touched one system but not the others.
- Standing privilege. Administrative rights that are always on, even though they are only needed a few hours a month, sit waiting to be abused the rest of the time.
- Access creep. Every role change tends to add permissions. It almost never removes the old ones, so people slowly collect rights they no longer use.
- Unowned service accounts. Non-human identities often have broad access, weak or no MFA, and no clear owner to question whether they are still needed.
None of these come from negligence. They come from the fact that removing access is nobody's specific job, while granting it is everybody's.
Why attackers love it
A dormant, privileged account with no MFA is close to an ideal foothold. It is unlikely to be monitored, it already has rights, and its normal owner is not around to notice strange behavior. Once inside, that access becomes the launch pad for lateral movement across the environment.
You cannot defend an account you have forgotten exists. Visibility is the whole game.
Keeping the surface visible
The strategic answer is to drive toward least standing privilege and just-in-time access wherever you can. The operational answer, the one that actually holds the line day to day, is continuous detection of these exact conditions across every identity system you run.
That means being able to ask, at any moment and without a manual project, which accounts are dormant but still privileged, which privileged accounts are missing MFA, which permissions have not been used in months, and which identities have no owner. When those findings are prioritized and routed straight to the person who can act, with a ticket in the system they already use, the surface stops growing in the dark.
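The four questions above, and the four accumulation patterns listed earlier, are the same four checks run on a regular cadence. The following is an added example, not code from the original article: it evaluates a small set of constructed identity records against dormancy, missing MFA, unused permissions and missing ownership, orders the findings by severity, and groups them by the owner who can act (an unowned queue catches the rest). The record shape, the 90-day and 180-day thresholds and the severity numbers are assumptions chosen for illustration; a real run would load records from a directory or IdP export and feed the grouped findings into whatever ticketing system the owners already use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    """Vendor-neutral view of one account (assumed shape, not a real export format)."""
    name: str
    kind: str                       # "user" or "service"
    enabled: bool
    privileged: bool
    mfa_enabled: bool
    owner: Optional[str]            # None means nobody is on record as responsible
    last_login: Optional[datetime]  # None means no sign-in has ever been observed
    # permission name -> last time it was exercised (None = never observed)
    permission_last_used: Dict[str, Optional[datetime]] = field(default_factory=dict)


# Fixed clock so the run is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)             # assumed threshold
UNUSED_PERMISSION_AFTER = timedelta(days=180)  # assumed threshold


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample records covering each pattern from the article.
SAMPLE: List[Identity] = [
    Identity("alice", "user", True, True, True, "alice", days_ago(2),
             {"admin:iam": days_ago(1), "admin:billing": days_ago(400)}),   # access creep
    Identity("bob-contractor", "user", True, True, False, "bob", days_ago(200),
             {"admin:iam": days_ago(200)}),                                 # dormant, standing privilege, no MFA
    Identity("svc-backup", "service", True, True, False, None, days_ago(5),
             {"storage:write": days_ago(5)}),                               # unowned service account
    Identity("carol", "user", True, False, True, "carol", days_ago(10),
             {"read:reports": days_ago(10)}),                               # healthy
    Identity("dave-left", "user", True, False, False, "dave", None, {}),    # orphaned, never logged in
]

Finding = Tuple[int, str, str]  # (severity: 1 = highest, account name, condition)


def find_issues(identities: List[Identity], now: datetime = NOW) -> List[Finding]:
    """Evaluate every enabled identity against the four conditions, highest severity first."""
    findings: List[Finding] = []
    for ident in identities:
        if not ident.enabled:
            continue  # disabled accounts are out of scope; they cannot be used
        dormant = ident.last_login is None or now - ident.last_login > DORMANT_AFTER
        if dormant and ident.privileged:
            findings.append((1, ident.name, "dormant but still privileged"))
        elif dormant:
            findings.append((3, ident.name, "dormant"))
        if ident.privileged and not ident.mfa_enabled:
            findings.append((1, ident.name, "privileged without MFA"))
        if ident.owner is None:
            findings.append((2, ident.name, "no owner"))
        for perm, last_used in ident.permission_last_used.items():
            if last_used is None or now - last_used > UNUSED_PERMISSION_AFTER:
                findings.append((2, ident.name, f"permission unused: {perm}"))
    findings.sort(key=lambda f: (f[0], f[1], f[2]))
    return findings


def route(findings: List[Finding], identities: List[Identity]) -> Dict[str, List[Finding]]:
    """Group findings by the person who can act; unowned identities go to a review queue."""
    owner_of = {i.name: i.owner for i in identities}
    queues: Dict[str, List[Finding]] = {}
    for sev, name, cond in findings:
        queue = owner_of.get(name) or "unowned-review"
        queues.setdefault(queue, []).append((sev, name, cond))
    return queues


if __name__ == "__main__":
    for queue, items in route(find_issues(SAMPLE), SAMPLE).items():
        print(f"== {queue} ==")
        for sev, name, cond in items:
            print(f"  [sev {sev}] {name}: {cond}")
```

The order of the checks matters less than the fact that every enabled identity passes through all of them on every run; the routing step is what turns a report into work someone owns, which is the point the paragraph above makes.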
Forgotten access is only dangerous while it stays forgotten. The work is making sure it never does.