Page 141 - Cyber Defense eMagazine September 2025
Dormant Access and the Hidden Risk inside your IAM Program
By Durgaprasad Balakrishnan, Independent Cybersecurity Researcher and Director of
Cybersecurity – Identity and Access Management at a Leading Global Fintech Company
Dormant access refers to any account or entitlement that keeps its privileges but shows no sign of use
for an extended period. This can be a domain admin that has not logged on in 90 days, a Linux service
account that was never used after it was created, or a SaaS admin role that never calls the API it was
created to manage. They are still authorized and valid, and still sitting there unused.
Dormancy can be classified into the following buckets:
1. Human accounts - No interactive logon, MFA push or token refresh for X days (often 60–90
days).
2. Service and machine identities - No process start, keytab request or secret rotation in Y days
(commonly 120–180 days). This can also include a container image or VM that was
decommissioned while its service principal still lives in the vault.
3. Entitlements and roles - The account logs in, but the specific entitlement (admin role, S3 bucket
policy, sudo rule) has not been exercised within the threshold.
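The three buckets above can be turned into a small inventory check. The following is an added example, not code from the article or its author; the thresholds (X = 90, Y = 180, 90 days for entitlements), the record layout and all account names are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Assumed thresholds, taken from the ranges quoted above (X = 90, Y = 180 days).
LIMITS = {"human": 90, "service": 180, "entitlement": 90}
# Activity signals per account type, as named in buckets 1 and 2.
SIGNALS = {
    "human": ("interactive_logon", "mfa_push", "token_refresh"),
    "service": ("process_start", "keytab_request", "secret_rotation"),
}

def idle_days(events, start, now):
    """Days since the latest event; if nothing was ever recorded, days since `start`."""
    seen = [t for t in events if t is not None]
    return (now - (max(seen) if seen else start)).days

def classify(identity, now):
    """Return (bucket, name, idle_days) findings for one inventory record."""
    kind = identity["type"]
    events = [identity["activity"].get(s) for s in SIGNALS[kind]]
    idle = idle_days(events, identity["created"], now)
    if idle > LIMITS[kind]:
        # The whole account is dormant, so every entitlement on it is too.
        return [(kind, identity["name"], idle)]
    findings = []
    # Bucket 3: the account is active, so check each entitlement on its own.
    for name, (granted, last_used) in identity.get("entitlements", {}).items():
        e_idle = idle_days([last_used], granted, now)
        if e_idle > LIMITS["entitlement"]:
            findings.append(("entitlement", f"{identity['name']}:{name}", e_idle))
    return findings

NOW = datetime(2025, 9, 1)
D = datetime
INVENTORY = [  # constructed sample records
    {"name": "da-jsmith", "type": "human", "created": D(2023, 1, 1),
     "activity": {"interactive_logon": D(2025, 5, 1)},
     "entitlements": {"domain-admin": (D(2023, 1, 1), D(2025, 5, 1))}},
    {"name": "svc-backup", "type": "service", "created": D(2025, 1, 1), "activity": {}},
    {"name": "alice", "type": "human", "created": D(2022, 6, 1),
     "activity": {"token_refresh": D(2025, 8, 30), "mfa_push": D(2025, 8, 1)},
     "entitlements": {"s3-admin": (D(2025, 1, 15), None),
                      "sudo-web": (D(2024, 3, 1), D(2025, 8, 20))}},
]

def report(inventory=INVENTORY, now=NOW):
    return [f for identity in inventory for f in classify(identity, now)]

if __name__ == "__main__":
    for bucket, name, idle in report():
        print(f"{bucket:12} {name:20} idle {idle} days")
```

An account or entitlement with no recorded activity is measured from its creation or grant date, so a freshly provisioned identity is not flagged before the threshold has passed.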
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.