How often should dormant accounts be reviewed and formally closed?

Organizations should adopt a risk-based lifecycle for dormant accounts rather than a one-size-fits-all rule. Paul A. Grassi (National Institute of Standards and Technology) and Ronald L. Ross (National Institute of Standards and Technology) emphasize identity and access lifecycle controls that prioritize sensitivity, privilege level, and regulatory obligations. Dormancy handling combines security hygiene with legal and operational considerations.

Recommended review cadence

For practical governance, many enterprises map reviews to account risk. Privileged accounts and service credentials merit the highest frequency, commonly reviewed monthly or more often where automation supports continuous monitoring. Regular user accounts typically receive quarterly reviews to catch prolonged inactivity and stale entitlements. Low-risk or archival accounts may be reviewed annually, with clear retention and justification policies. Where regulations or contracts impose specific retention/closure timelines, those take precedence and must be documented.

Causes, consequences, and contextual nuances

Dormant accounts arise from employee turnover, role changes, orphaned service credentials, mergers, and shadow IT. Left unmanaged, they increase attack surface, enable lateral movement, and complicate incident response; regulators frequently cite inadequate access controls in breach investigations. Data protection frameworks such as the European Union's data minimization principle create jurisdiction-specific compliance pressure to remove unnecessary accounts and the personal data associated with them. Cultural factors matter: organizations with long-tenured staff or decentralized HR processes often accumulate dormant accounts faster, so governance must adapt to local onboarding and offboarding practices.

Operationally, a defensible approach pairs scheduled reviews with automated detection and temporary disabling. Disablement after a short inactivity window (for example, 30 to 90 days for interactive accounts in higher-risk contexts) reduces immediate exposure while preserving records for investigations or compliance. Formal closure should follow documented retention rules: closing too early can impede audits, while closing too late sustains risk. Effective programs record reviewers, decisions, and retention rationale to demonstrate due diligence to auditors and regulators.
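The risk-tiered cadence and the disable-then-close lifecycle described above, as an added Python example that is not from this page or from any named standard; the tier thresholds, the account fields, and the `legal_hold` flag are assumptions chosen to match the 30 to 90 day window discussed in the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy table: tier -> (review cadence days, idle days before
# disablement, days disabled before formal closure). Values are illustrative.
POLICY = {
    "privileged": (30, 30, 90),
    "standard": (90, 90, 180),
    "archival": (365, 365, 730),
}


@dataclass
class Account:
    name: str
    tier: str
    created: date
    last_login: Optional[date] = None   # None means the account never logged in
    disabled_on: Optional[date] = None  # set when the account was disabled
    legal_hold: bool = False            # regulatory/contractual retention override


def evaluate(acct: Account, today: date) -> str:
    """Return the lifecycle action for one account: active, disable, retain or close."""
    _, disable_after, close_after = POLICY[acct.tier]
    if acct.disabled_on is not None:
        # A documented hold takes precedence over the closure timeline.
        if acct.legal_hold or (today - acct.disabled_on).days < close_after:
            return "retain"
        return "close"
    # A never-used account counts as idle since creation, not as exempt.
    idle_days = (today - (acct.last_login or acct.created)).days
    return "disable" if idle_days >= disable_after else "active"


def next_review(acct: Account, last_review: date) -> date:
    """Date of the next scheduled review, driven by the tier's cadence."""
    return last_review + timedelta(days=POLICY[acct.tier][0])


def run_review(accounts, today: date) -> dict:
    """Evaluate every account; the result is the evidence record reviewers sign off."""
    return {a.name: evaluate(a, today) for a in accounts}


if __name__ == "__main__":
    # Constructed sample accounts for a dry run.
    today = date(2024, 6, 30)
    sample = [
        Account("svc-backup", "privileged", date(2022, 1, 1), date(2024, 5, 15)),
        Account("jdoe", "standard", date(2022, 1, 1), date(2024, 5, 15)),
        Account("contractor7", "standard", date(2021, 3, 1), disabled_on=date(2023, 12, 1)),
        Account("litigation-acct", "standard", date(2021, 3, 1), disabled_on=date(2023, 12, 1), legal_hold=True),
        Account("old-intern", "archival", date(2023, 1, 1)),
    ]
    for name, action in run_review(sample, today).items():
        print(f"{name:16} -> {action}")
```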

In short, review frequency should reflect risk, supported by automation, documented policy, and adherence to applicable laws and standards. Regular, evidence-backed reviews and timely formal closure of truly dormant accounts materially reduce organizational exposure while respecting legal and cultural constraints.