Page 143 - Cyber Defense eMagazine September 2025
dormant. If the Active Directory domain is integrated with an IGA system for provisioning and
aggregation, detection and remediation of these accounts can be continuous.
• Linux: Check the last-login logs on Unix and Linux systems. Any accounts that show “never logged
in” or have very old last-login timestamps should raise immediate flags.
• Cloud Identities: In AWS, Azure or GCP, regularly review identity and access reports to find roles
or users with no recorded activity. Most cloud providers offer simple reports showing “last used”
timestamps, which are ideal for quickly spotting dormant identities.
There is another category of dormant accounts: application accounts. Detecting dormancy for application
accounts is essential but somewhat tricky. Application accounts often have non-interactive usage, as they may
authenticate through APIs or backend services rather than traditional login methods, so their usage data
may be buried in generic application logs or system events. Also, a single application account might
support several backend services or scheduled jobs. Targeted log aggregation and parsing, combined with
periodic re-validation of access with the application owners, will help in this process.
Tracking Dormancy Cleanup
Cleaning up dormant access isn't just good security hygiene; it is a concrete, measurable step toward
regulatory compliance. Standards like PCI DSS, SOX, and NIST explicitly call out stale and inactive
access as risks that must be managed:
• PCI DSS 4.0 (Req. 7.2.5) explicitly states that user accounts and their access levels must be
reviewed regularly. Actively purging dormant accounts not only addresses this requirement
directly but also gives you clear evidence to show auditors you are on top of your controls.
• SOX 404 targets unused privileged accounts as a prime example of material weaknesses. When
you automate dormancy cleanups, auditors see fewer exceptions. The smaller the sample of
problematic accounts, the smoother and faster your audit will be.
• NIST Cybersecurity Framework v2.0 (PR.AC-1) clearly instructs organizations to manage
identities by disabling credentials that fall out of active use. Dormancy programs practically
implement this guidance, making compliance a reality.
The real advantage is that once you start measuring these efforts, proving your success becomes
straightforward. Focus on metrics like:
• Dormant Account Closure Rate: How many dormant accounts are cleared each month compared
to the overall backlog.
• Mean Time to Remediate (MTTR): How quickly dormant entitlements are cleaned up once
identified.
• Reduction in UAR Scope: The percentage drop in user-access review effort after
eliminating dormant access.
• False Positive Rate: How often active service accounts are incorrectly flagged as dormant.
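The detection rules above (Linux last-login records, cloud “last used” reports, aggregated application API logs) and two of the metrics just listed, combined into one added example that is not code from the article; the inventory, the 90-day threshold and the review date are constructed assumptions.

```python
# Added example: classify accounts as dormant across several activity sources and
# compute closure rate and false-positive rate for one review cycle.
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)      # assumed inactivity threshold
AS_OF = datetime(2025, 9, 10)            # assumed review date

# Constructed sample inventory: (account, source, last recorded activity or None).
# For application accounts the timestamp comes from aggregated API logs rather than
# an interactive login, as the article notes.
INVENTORY = [
    ("alice",       "linux-lastlog", datetime(2025, 8, 20)),
    ("bob",         "linux-lastlog", None),                 # "never logged in"
    ("build-svc",   "linux-lastlog", datetime(2024, 11, 2)),
    ("ci-role",     "aws-last-used", datetime(2025, 9, 1)),
    ("legacy-role", "aws-last-used", datetime(2025, 1, 15)),
    ("etl-app",     "app-api-log",   datetime(2025, 9, 3)),
    ("report-app",  "app-api-log",   None),
]

def classify(inventory, now, threshold=DORMANT_AFTER):
    """Return {account: reason} for every account that looks dormant as of `now`."""
    dormant = {}
    for account, source, last in inventory:
        if last is None:
            dormant[account] = f"{source}: no recorded activity"
        elif now - last > threshold:
            dormant[account] = f"{source}: last activity {(now - last).days} days ago"
    return dormant

def metrics(flagged, confirmed_by_owner, closed):
    """flagged: accounts the detector raised; confirmed_by_owner: the subset the
    account/application owners validated as truly dormant; closed: the subset
    actually disabled this cycle. Owner re-validation is what catches active
    service accounts that only look dormant (the false positives)."""
    false_positives = set(flagged) - set(confirmed_by_owner)
    return {
        "closure_rate": len(closed) / len(confirmed_by_owner) if confirmed_by_owner else 0.0,
        "false_positive_rate": len(false_positives) / len(flagged) if flagged else 0.0,
    }

if __name__ == "__main__":
    found = classify(INVENTORY, AS_OF)
    for acct, why in found.items():
        print(f"{acct:12} {why}")
    # Suppose the owner confirms build-svc drives a scheduled job and stays.
    confirmed = [a for a in found if a != "build-svc"]
    print(metrics(found, confirmed, closed=["bob", "legacy-role"]))
```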
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.