Cyber Web Spider Blog – News

The Hidden Risk of Orphan Accounts

Posted on January 20, 2026 by CWS

The Hacker InformationJan 20, 2026Enterprise Safety / AI Safety
The Downside: The Identities Left Behind
As organizations develop and evolve, staff, contractors, providers, and methods come and go – however their accounts usually stay. These deserted or “orphan” accounts sit dormant throughout functions, platforms, belongings, and cloud consoles.
The explanation they persist is not negligence – it is fragmentation.
Conventional IAM and IGA methods are designed primarily for human customers and depend upon handbook onboarding and integration for every utility – connectors, schema mapping, entitlement catalogs, and position modeling. Many functions by no means make it that far. In the meantime, non-human identities (NHIs): service accounts, bots, APIs, and agent-AI processes are natively ungoverned, working outdoors commonplace IAM frameworks and infrequently with out possession, visibility, or lifecycle controls.
The end result? A shadow layer of untracked identities forming a part of the broader id darkish matter – accounts invisible to governance however nonetheless energetic in infrastructure.
Why They’re Not Tracked

  • Integration Bottlenecks: Every app requires a unique configuration before IAM can manage it. Unmanaged and local systems are rarely prioritized.
  • Partial Visibility: IAM tools see only the “managed” slice of identity – leaving behind local admin accounts, service identities, and legacy systems.
  • Complex Ownership: Turnover, mergers, and distributed teams make it unclear who owns which application or account.
  • AI-Agents and Automation: Agent-AI introduces a new class of semi-autonomous identities that act independently from their human operators, further breaking the IAM model.

Learn more about IAM shortcuts and the impacts that accompany them.

The Real-World Risk
Orphan accounts are the unlocked back doors of the enterprise.
They hold valid credentials, often with elevated privileges, but no active owner. Attackers know this and use them.

  • Colonial Pipeline (2021) – attackers entered via an old/inactive VPN account with no MFA. Multiple sources corroborate the “inactive/legacy” account detail.
  • Manufacturing company hit by Akira ransomware (2025) – the breach came through a “ghost” third-party vendor account that wasn't deactivated (i.e., an orphaned vendor account). SOC write-up from Barracuda Managed XDR.
  • M&A context – during post-acquisition consolidation, it's common to discover hundreds of stale accounts/tokens; enterprises note orphaned (often NHI) identities as a persistent post-M&A threat, citing very high rates of still-active former employee tokens.

Orphan accounts fuel multiple risks:

  • Compliance exposure: Violates least-privilege and deprovisioning requirements (ISO 27001, NIS2, PCI DSS, FedRAMP).
  • Operational inefficiency: Inflated license counts and unnecessary audit overhead.
  • Incident response drag: Forensics and remediation slow down when unseen accounts are involved.

The Way Forward: Continuous Identity Audit
Enterprises need evidence, not assumptions. Eliminating orphan accounts requires full identity observability – the ability to see and verify every account, permission, and activity, whether managed or not.
Modern mitigation includes:

  • Identity Telemetry Collection: Extract activity signals directly from applications, managed and unmanaged.
  • Unified Audit Trail: Correlate joiner/mover/leaver events, authentication logs, and usage data to confirm ownership and legitimacy.
  • Role Context Mapping: Record real usage insights and privilege context in identity profiles – showing who used what, when, and why.
  • Continuous Enforcement: Automatically flag or decommission accounts with no activity or ownership, reducing risk without waiting for manual reviews.

When this telemetry feeds into a central identity audit layer, it closes the visibility gap, turning orphan accounts from hidden liabilities into measurable, managed entities.
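The correlation described above can be sketched in a few lines. This is an added example, not code from the article or from Orchid: it joins a joiner/mover/leaver roster, a per-application account inventory, and last-login telemetry, then reports accounts with no owner, a departed owner, or no recent activity. All names, dates, and the 90-day idle threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): HR roster, per-app account
# inventory, and last-login telemetry collected from each application.
TODAY = date(2026, 1, 20)
HR_ROSTER = {  # owner id -> status from the joiner/mover/leaver feed
    "alice": "active",
    "bob": "terminated",
    "vendor-acme": "contract-ended",
}
ACCOUNTS = [  # (application, account, recorded owner or None)
    ("vpn", "alice", "alice"),
    ("vpn", "bob.legacy", "bob"),
    ("erp", "acme-support", "vendor-acme"),
    ("ci", "svc-deploy", None),        # service account, nobody owns it
    ("crm", "svc-report", "alice"),    # service account with a valid owner
]
LAST_AUTH = {  # (application, account) -> date of last successful login
    ("vpn", "alice"): date(2026, 1, 19),
    ("vpn", "bob.legacy"): date(2026, 1, 10),
    ("erp", "acme-support"): date(2025, 6, 1),
    ("crm", "svc-report"): date(2025, 3, 2),
}


def audit(accounts, roster, last_auth, today, max_idle_days=90):
    """Return {(app, account): [reasons]} for accounts that need review."""
    findings = {}
    for app, account, owner in accounts:
        reasons = []
        if owner is None:
            reasons.append("no owner recorded")
        elif roster.get(owner, "unknown") != "active":
            reasons.append(f"owner status: {roster.get(owner, 'unknown')}")
        seen = last_auth.get((app, account))
        if seen is None:
            reasons.append("no authentication telemetry")
        elif today - seen > timedelta(days=max_idle_days):
            reasons.append(f"idle {(today - seen).days} days")
        elif reasons:
            # Ownerless or leaver account that still logs in: review first.
            reasons.append(f"still active, last login {seen.isoformat()}")
        if reasons:
            findings[(app, account)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit(ACCOUNTS, HR_ROSTER, LAST_AUTH, TODAY).items():
        print(key, "->", "; ".join(reasons))
```

In practice the three inputs would come from the HR system, each application's own user export, and its authentication logs; the leaver account that is still logging in is the finding to triage first.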

To learn more, visit Audit Playbook: Continuous Application Inventory Reporting.

The Orchid Perspective
Orchid's Identity Audit capability delivers this foundation. By combining application-level telemetry with automated audit collection, it provides verifiable, continuous insight into how identities – human, non-human, and agent-AI – are actually used.
It's not another IAM system; it's the connective tissue that ensures IAM decisions are based on evidence, not estimation.
Note: This article was written and contributed by Roy Katmor, CEO of Orchid Security.
