Breaches rarely begin with zero-day exploits or sophisticated malware.
More often, they start with something far more ordinary and far more preventable.
An account that should have been removed, but wasn’t.
THE SILENT RISK NOBODY OWNS
Every organisation believes it has offboarding under control.
HR completes the exit.
IT disables the Active Directory account.
A checklist is ticked.
Yet months later, that same identity is still active in:
- A CRM
- A finance application
- A VPN
- One or more SaaS tools
These accounts don’t trigger alarms because:
- They are no longer tied to active employees
- They don’t generate frequent logins
- No human is watching them
They exist in the most dangerous state possible: inactive, but still valid.
WHY ATTACKERS LOVE DORMANT IDENTITIES
From an attacker’s point of view, inactive accounts are ideal.
There is:
- No user to notice suspicious activity
- No manager monitoring access
- Often no MFA challenge
- Frequently excessive privileges from past roles
Attackers don’t need to break in.
They simply log in.
Phishing, credential reuse, or leaked passwords become immediately effective when credentials are still valid but forgotten.
This is why breach investigations so often conclude with the same finding:
“The credentials were legitimate.”
THE ANNUAL ACCESS REVIEW FALLACY
Most organisations depend on periodic access reviews to catch this risk.
In reality:
- Reviews are annual or quarterly
- Managers approve access they don’t fully understand
- Usage data is missing
- Removing access feels riskier than keeping it
The result:
- Rubber-stamped approvals
- Dormant access preserved “just in case”
- The same audit findings repeating every year
Compliance may be achieved.
Security is not.
WHY THE PROBLEM KEEPS GROWING
Modern enterprises unintentionally make this worse.
- SaaS adoption without IAM oversight
- Contractors and temporary staff
- Mergers and acquisitions
- Shadow IT
- Remote and hybrid work
Access is granted quickly.
Access removal lags behind.
Identity debt compounds silently.
INACTIVITY IS NOT NEUTRAL
The fundamental mistake is treating inactivity as harmless.
It isn’t.
Inactivity should trigger questions:
- Why does this identity still exist?
- Why does it still have access?
- Who is accountable for it today?
This requires moving from periodic governance to continuous identity oversight.
HOW BAAR-IGA ADDRESSES THE PROBLEM
BAAR-IGA treats inactivity as a risk signal, not an audit artifact.
Instead of waiting for:
- Audit cycles
- Manual reviews
- Human memory
BAAR-IGA continuously evaluates:
- Login behaviour
- Entitlement usage
- Role relevance
- Identity ownership
Inactive but entitled identities are automatically:
- Flagged
- Routed to the correct owner
- Revoked based on policy
- Or escalated when risk thresholds are crossed
Inactivity becomes a governance event.
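The two situations the page describes, an identity offboarded in Active Directory that is still valid in a CRM, a finance application, a VPN and SaaS tools, and the continuous evaluation of login behaviour, entitlement usage and identity ownership that flags, routes, revokes or escalates such accounts, can be reduced to a reconciliation pass over application account exports. The script below is an added example written for this page; it is not BAAR-IGA code and does not describe how that product works internally. The directory feed, the application exports, the 90-day threshold and the entitlement names marked as privileged are all constructed assumptions.

```python
"""Continuous dormant-identity review over per-application account exports.

Added example, not BAAR-IGA or any vendor's code. All data below is
constructed, and the policy threshold and privileged entitlement names are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_DAYS = 90                                              # assumed policy: 90 days without login
PRIVILEGED = {"admin", "finance_approver", "vpn_full_access"}   # assumed high-risk entitlement names


@dataclass(frozen=True)
class AppAccount:
    app: str                      # CRM, finance, VPN, SaaS tool ...
    identity: str                 # the person the account maps to
    enabled: bool                 # still valid in the application
    last_login: Optional[date]    # None = never logged in
    entitlements: frozenset       # what the account can do in that app
    mfa_enforced: bool
    owner: Optional[str]          # accountable person recorded in the app, if any


# Constructed HR/directory feed: still employed, AD enabled, and who manages them.
DIRECTORY = {
    "jdoe":        {"employed": False, "ad_enabled": False, "manager": "asmith"},
    "mlee":        {"employed": True,  "ad_enabled": True,  "manager": "asmith"},
    "contractor7": {"employed": True,  "ad_enabled": True,  "manager": None},
}

TODAY = date(2024, 6, 1)

# Constructed application exports: jdoe was offboarded in AD but is still valid in three apps.
ACCOUNTS = [
    AppAccount("crm",       "jdoe",        True,  date(2024, 1, 15), frozenset({"read", "export"}),   False, "asmith"),
    AppAccount("finance",   "jdoe",        True,  None,              frozenset({"finance_approver"}), False, None),
    AppAccount("vpn",       "jdoe",        True,  date(2023, 11, 2), frozenset({"vpn_full_access"}),  False, "asmith"),
    AppAccount("crm",       "mlee",        True,  date(2024, 5, 30), frozenset({"read"}),             True,  "asmith"),
    AppAccount("saas-docs", "mlee",        True,  date(2024, 1, 1),  frozenset({"read"}),             True,  "asmith"),
    AppAccount("finance",   "mlee",        False, date(2023, 6, 1),  frozenset({"read"}),             True,  "asmith"),
    AppAccount("saas-docs", "contractor7", True,  None,              frozenset({"admin"}),            False, None),
    AppAccount("crm",       "contractor7", True,  date(2024, 2, 1),  frozenset({"read"}),             True,  None),
    AppAccount("vpn",       "svc-report",  True,  date(2024, 5, 20), frozenset({"vpn_full_access"}),  False, None),
]


def days_inactive(acct: AppAccount, today: date) -> Optional[int]:
    """Days since last login, or None when the account has never been used."""
    return None if acct.last_login is None else (today - acct.last_login).days


def classify(acct: AppAccount, directory: dict, today: date = TODAY) -> tuple:
    """Decide what to do with one application account: ok, flag, revoke or escalate."""
    if not acct.enabled:
        return ("ok", "already disabled in application")
    person = directory.get(acct.identity)
    if person is None:
        # Nobody in HR/AD maps to this login: a valid credential with no owner at all.
        return ("escalate", "orphan: identity not in directory")
    if not person["employed"] or not person["ad_enabled"]:
        # Offboarding completed in AD but not here; policy revokes without waiting for a review.
        return ("revoke", "offboarded in directory but still enabled in application")
    inactive = days_inactive(acct, today)
    if inactive is not None and inactive < INACTIVE_DAYS:
        return ("ok", f"active, last login {inactive} days ago")
    # Inactive (or never used) but still entitled: the dangerous state the page describes.
    if acct.entitlements & PRIVILEGED and not acct.mfa_enforced:
        return ("escalate", "inactive privileged account without MFA")
    owner = acct.owner or person["manager"]
    if owner is None:
        return ("escalate", "inactive with no accountable owner")
    age = "never used" if inactive is None else f"inactive {inactive} days"
    return ("flag", f"{age}, route to {owner}")


def review(accounts, directory, today: date = TODAY) -> dict:
    """Group findings by action so all of one person's offboarding gaps surface together."""
    report = {"ok": [], "flag": [], "revoke": [], "escalate": []}
    for acct in accounts:
        action, reason = classify(acct, directory, today)
        report[action].append((acct.app, acct.identity, reason))
    return report


if __name__ == "__main__":
    for action, findings in review(ACCOUNTS, DIRECTORY).items():
        for app, identity, reason in findings:
            print(f"{action:8} {app:10} {identity:12} {reason}")
```

The ordering of the checks is the point. An account that is disabled in the application is not a finding at all; an identity the directory has never heard of is escalated before any inactivity arithmetic, because nobody can own it; an identity already offboarded in AD is revoked without a review cycle, which is the CRM/finance/VPN gap from the opening section; only an account belonging to a current employee goes through the inactivity and ownership logic, and even there a privileged account without MFA, or one with no accountable owner, is escalated rather than routed to a manager who would rubber-stamp it. Run against a real export, the same structure works once each application's account list and last-login data can be pulled, which is precisely the usage data the page says periodic reviews lack.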
FROM IDENTITY MANAGEMENT TO RISK REDUCTION
When inactive identities are governed continuously:
- Attack surfaces shrink
- Audit findings decrease
- Offboarding truly completes
- Security teams regain control
The question shifts from: “Who has access?”
To: “Who still needs access today?”
FINAL TAKEAWAY
Inactive accounts are not leftovers.
They are pre-built breach paths.
The safest identity is not the most secure one.
It is the one that no longer exists.