Orphaned service accounts risk
Security vendors warn that orphaned service and non-human accounts are a common avenue for long-dwell compromises, and urge districts to assign an owner to every such account and rotate its credentials to close that vector. SANS identity research also highlights the long detection windows for compromised accounts.
The 2026 SANS "State of Identity Threats & Defenses" survey found that 68% of organizations detect identity attacks within 24 hours, but only 55% can contain them in that same window. (sans.org) SANS also reports that 55% of organizations experienced an identity-related compromise in the past 12 months and that 26% cited MFA fatigue as a factor in identity attacks. (redmondmag.com)

Industry analyses identify orphaned human and non-human identities (service accounts, API tokens, and emerging agentic automation) as the fastest-growing and least-governed identity category, one that attackers exploit for long-dwell access. (authmind.com) Incident investigations and reporting note that orphan accounts materially slow forensic work and remediation because their ownership and provenance are often unclear. (thehackernews.com)

Playbooks from identity governance vendors recommend three operational controls: assign an explicit owner to every service and non-human account, enforce regular credential and API-key rotation, and run automated, continuous identity audits that retire stale identities. (securends.com) Microsoft Defender for Identity includes posture assessments that flag stale Active Directory and Entra accounts for remediation, and community AD guides publish ready-to-run scripts to discover and safely retire orphaned service accounts. (learn.microsoft.com)

Security commentary underscores the core problem SANS flags: better detection without rapid containment still leaves forgotten service accounts as persistent footholds for attackers. (enzoic.com)
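The three controls above (explicit ownership, credential rotation, and staged retirement of stale identities) can be expressed as one continuous audit over a service-account inventory. The following is an added example, not code from the page or from any of the vendors it cites; it assumes a simple inventory record that a discovery job (an AD or Entra export, or a secrets-manager listing) would produce, and the policy thresholds are illustrative values to tune per environment. Note that a stale account is disabled first and deleted only after a grace period, so that a mistaken retirement can be reversed.

```python
"""Continuous identity audit for service / non-human accounts.

Added example (not from the page or the cited vendors). Assumes a minimal
inventory record per account; the thresholds below are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds; tune to the environment.
MAX_CREDENTIAL_AGE_DAYS = 90   # rotate service credentials / API keys at least this often
STALE_AFTER_DAYS = 60          # no authentication for this long -> candidate for retirement
DELETE_GRACE_DAYS = 30         # a disabled account is deleted only after this grace period


@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]            # accountable human or team; None/blank means orphaned
    credential_set: date            # when the password / key was last rotated
    last_auth: Optional[date]       # last successful authentication; None = never observed
    enabled: bool = True
    disabled_on: Optional[date] = None


@dataclass
class Finding:
    account: str
    issue: str                      # ORPHANED | ROTATION_OVERDUE | STALE | READY_TO_DELETE
    action: str


def audit(inventory: List[ServiceAccount], today: date) -> List[Finding]:
    """Apply the three controls and return the remediation findings."""
    findings: List[Finding] = []
    for acct in inventory:
        # Control 1: every identity needs an accountable owner. Ownership is
        # flagged first because remediation without an owner is slow and risky.
        if acct.owner is None or not acct.owner.strip():
            findings.append(Finding(acct.name, "ORPHANED",
                                    "assign an accountable owner before any other change"))
        if acct.enabled:
            # Control 2: credential / API-key rotation.
            if (today - acct.credential_set).days > MAX_CREDENTIAL_AGE_DAYS:
                findings.append(Finding(acct.name, "ROTATION_OVERDUE",
                                        "rotate the credential and record the rotation date"))
            # Control 3a: stale identities are disabled, never deleted outright.
            # An account never seen authenticating is measured from its credential date.
            last_seen = acct.last_auth or acct.credential_set
            if (today - last_seen).days > STALE_AFTER_DAYS:
                findings.append(Finding(acct.name, "STALE",
                                        "disable (do not delete); notify owner; start grace period"))
        elif acct.disabled_on and (today - acct.disabled_on).days >= DELETE_GRACE_DAYS:
            # Control 3b: nothing broke during the grace period, so retire it fully.
            findings.append(Finding(acct.name, "READY_TO_DELETE",
                                    "delete the account and revoke any remaining keys"))
    return findings


def issues_for(findings: List[Finding], account: str) -> set:
    """Set of issue codes raised for one account."""
    return {f.issue for f in findings if f.account == account}


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue code (the metric a continuous audit would trend)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample inventory (not real accounts).
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_INVENTORY = [
    ServiceAccount("svc-backup", "infra-team", date(2026, 1, 15), date(2026, 2, 28)),
    ServiceAccount("svc-legacy-etl", None, date(2024, 6, 1), date(2025, 9, 10)),
    ServiceAccount("svc-old-scanner", "secops", date(2025, 1, 1), date(2025, 11, 1),
                   enabled=False, disabled_on=date(2026, 1, 20)),
    ServiceAccount("svc-new-api", "", date(2026, 2, 20), None),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{f.account:16} {f.issue:17} {f.action}")
    print(summarize(audit(SAMPLE_INVENTORY, SAMPLE_TODAY)))
```

Run against the constructed sample, the healthy account produces no findings, the ownerless legacy account is flagged on all three controls, the account disabled 40 days ago is ready for deletion, and the newly created account with a blank owner is flagged only as orphaned. Feeding the same audit a fresh inventory on a schedule, and trending the summary counts, is what "automated continuous identity audit" means in practice.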