Forgotten accounts: the quiet debt in access management
Why access audits are not a one-off check but a continuous process, and how former employees and contractors stay as entry points into systems.
As a company grows, the number of systems grows with it - corporate email, CRM, ERP, cloud services, contractor tools, test environments. Every time a new person joins, they are given access. That is normal.
The problem is that when someone leaves - a contractor, an employee, a temporary specialist - access is not always revoked. Or it gets closed in one system but remains in three others that HR and the IT department simply did not know about.
I have seen companies where former employees retained active access to corporate systems for six months after they left. Not through malicious intent - just because nobody was watching.
Why this happens
Revoking access is an operation that needs to be repeated in multiple places. Each system separately. In a small company that is five or seven systems. In a company that has been actively using SaaS for several years it can be twenty or more.
Neither HR nor the IT department typically has a complete, current list of which systems a specific employee has access to. The list grew organically: someone asked for access themselves, a manager sent a message in a chat, a contractor got rights "temporarily" and nobody removed them.
This is shadow IT in the access management dimension - not an intentional act, just accumulated disorder.
What follows from this
An active account is a potential entry point. Not necessarily for an external attacker. A former employee with a working CRM password is already a risk, even if they are not thinking about it.
Most incidents investigated as "breaches", on closer inspection, turn out to be something else: credentials that were never revoked; a password that was easy to guess because the policy did not restrict it; administrator rights granted "for five minutes" that were never taken back.
Three practices that work
Inventory of systems and access. Before auditing - make a list. What systems does the company have? Who has access to them? This sounds obvious, but most companies do not have such a list. It needs to be created once and kept current.
Offboarding procedure with a checklist. When someone leaves the company, there must be a concrete list of systems where access needs to be deactivated. This list must be maintained, not exist only in one sysadmin's head.
Regular audit of dormant accounts. Once per quarter - go through all systems and deactivate accounts that have not been used for longer than a defined threshold. This does not replace the offboarding procedure, but it adds a layer of protection.
A simple check
Try to answer this question: if an employee left three months ago, can you get a list of all the systems they had access to and confirm all of them are deactivated - within one hour?
If the answer is uncertain, access management runs on trust rather than process. That works until it stops working.
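The three practices above and the one-hour check come down to the same data: an inventory of which identity holds an account in which system, whether it is active, and when it was last used. The script below is an added example, not part of the original article, and models that inventory with constructed sample data (the system names, user IDs, departure dates and login timestamps are all hypothetical). In a real company the inventory would be assembled from each system's user export or API rather than hard-coded, but the three checks stay the same: accounts of departed people that are still active (the offboarding gap), active accounts with no use past the quarterly threshold (dormant accounts), and, as a detection signal the article's scenario implies, accounts that were logged into after the person's departure date.

```python
"""Access inventory, offboarding check and dormant-account audit.

Added example built on constructed data. The systems, users, dates and
roles below are hypothetical; a real inventory would be pulled from each
system's user export or API (e-mail, CRM, ERP, CI, staging, ...).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    system: str                 # which system the account lives in
    user: str                   # the person it belongs to (hypothetical IDs)
    active: bool                # can this account still log in?
    last_login: Optional[date]  # None = never used since it was created
    role: str = "user"          # "admin" marks elevated rights


# Practice 1: the inventory. Constructed sample, not a real company.
TODAY = date(2024, 6, 30)
INVENTORY: List[Account] = [
    Account("email",   "alice", True,  date(2024, 6, 28)),
    Account("crm",     "alice", True,  date(2024, 6, 27)),
    Account("erp",     "alice", True,  date(2024, 6, 1)),
    # bob left on 2024-03-31: e-mail was closed, CRM and staging were not
    Account("email",   "bob",   False, date(2024, 3, 29)),
    Account("crm",     "bob",   True,  date(2024, 4, 10)),
    Account("staging", "bob",   True,  None),
    # carol left on 2024-05-15: e-mail and ERP closed, CI forgotten
    Account("email",   "carol", False, date(2024, 5, 14)),
    Account("erp",     "carol", False, date(2024, 5, 10)),
    Account("ci",      "carol", True,  date(2024, 2, 1)),
    # dave is a contractor whose "temporary" admin rights were never removed
    Account("crm",     "dave",  True,  date(2024, 1, 15), role="admin"),
]

# The HR side of practice 2: who has left, and when (constructed).
DEPARTED: Dict[str, date] = {
    "bob": date(2024, 3, 31),
    "carol": date(2024, 5, 15),
}


def offboarding_gaps(inventory: List[Account],
                     departed: Dict[str, date]) -> Dict[str, List[str]]:
    """Practice 2 and the one-hour check: for every departed person, the
    systems where an account is still active. Empty dict means clean."""
    gaps: Dict[str, List[str]] = {}
    for acct in inventory:
        if acct.user in departed and acct.active:
            gaps.setdefault(acct.user, []).append(acct.system)
    return {user: sorted(systems) for user, systems in gaps.items()}


def dormant_accounts(inventory: List[Account], today: date,
                     threshold_days: int = 90) -> List[Tuple[str, str]]:
    """Practice 3: active accounts not used within the threshold.
    An account that was never used at all counts as dormant too."""
    cutoff = today - timedelta(days=threshold_days)
    return sorted(
        (a.system, a.user)
        for a in inventory
        if a.active and (a.last_login is None or a.last_login < cutoff)
    )


def post_departure_logins(inventory: List[Account],
                          departed: Dict[str, date]) -> List[Tuple[str, str, str]]:
    """Detection signal: an account used after its owner's departure date.
    This is the case the article describes turning into an incident."""
    hits = []
    for a in inventory:
        left = departed.get(a.user)
        if left and a.last_login and a.last_login > left:
            hits.append((a.system, a.user, a.last_login.isoformat()))
    return sorted(hits)


def stale_admins(inventory: List[Account], today: date,
                 threshold_days: int = 90) -> List[Tuple[str, str]]:
    """Elevated rights that have not been exercised within the threshold:
    the "for five minutes" admin grants that were never taken back."""
    return [(s, u) for s, u in dormant_accounts(inventory, today, threshold_days)
            if any(a.system == s and a.user == u and a.role == "admin"
                   for a in inventory)]


if __name__ == "__main__":
    print("offboarding gaps:     ", offboarding_gaps(INVENTORY, DEPARTED))
    print("dormant (>90 days):   ", dormant_accounts(INVENTORY, TODAY))
    print("used after departure: ", post_departure_logins(INVENTORY, DEPARTED))
    print("stale admin rights:   ", stale_admins(INVENTORY, TODAY))
```

The offboarding check is the one that has to finish within the hour the article asks for, and it can only do so if the inventory is complete: an account in a system that nobody listed never shows up as a gap. The post-departure login list is worth routing to whoever handles incidents rather than only to IT, because a login on a supposedly closed account is evidence, not just debt.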