Zombie account

What a zombie account is, how it differs from an orphaned account, why dormant accounts are a security and cost problem, and how to find them.

3 min read · Last updated July 2026

A zombie account is an active account that nobody uses: dormant, forgotten, but still enabled and still consuming a license. It may belong to a departed employee, a finished project, or a tool nobody adopted. Zombie accounts are a security risk because they go unwatched, and a cost because they keep billing.

Also known as: Zombie account, Dormant account, Stale account, Inactive account

A zombie account is an account that is still switched on but that nobody actually uses. It belongs to someone who left, or a project that ended, or a tool the team tried once and abandoned. It sits there, enabled, quietly costing money and quietly widening the attack surface.

The name is doing work. The account is not alive in any useful sense, but it is not dead either. It can still log in. It can still be used.

Zombie versus orphaned

The two terms get used interchangeably, and most real accounts are both, but they describe different properties.

A zombie account is about use. Nobody is logging in. The defining trait is dormancy.

An orphaned account is about ownership. Nobody valid is behind it. The defining trait is a missing owner.

A departed employee's forgotten login is usually a zombie and an orphan at once. But a shared service account that runs a nightly job is orphaned if its creator left, yet not a zombie, because it is active every night. And a current employee's account in a tool they stopped using is a zombie without being orphaned. The distinction matters because you find them differently: zombies through activity data, orphans through reconciliation against the directory.

Why they matter

Security first. A dormant account is an unwatched entrance. There is no baseline of normal activity, so when something does happen on it, nothing flags as unusual. Dormant, forgotten accounts are a preferred target for exactly this reason: use is unlikely to be noticed.

Then cost. On per-seat software, every zombie account is a license you are paying for and nobody is using. Across a stack of per-user tools, the idle seats add up to a real line item. This is the part finance understands immediately, and it is often what gets an identity cleanup funded.

Finding them

The signal is activity. Pull last-login or usage data from each app and flag anything idle past a threshold. Sixty or ninety days is a common line. An account that has not been touched in a quarter is either a zombie or close to becoming one.

The constraint is that activity data is uneven. Some apps report last login cleanly. Others expose nothing useful, and those tend to be the older or lower-tier tools where stale accounts collect. Where the data exists, idle time is the clearest cleanup signal there is. Where it does not, zombies have to be caught by reconciliation and review instead.

Preventing them

Zombie accounts are what accumulates when access is never tied back to need. The prevention is the lifecycle working: access removed when people leave, adjusted when they move, and reviewed on a schedule that flags idle accounts before they are forgotten. Time-bound access closes another path, since access that expires on its own never gets the chance to go dormant.

Related terms

  • Orphaned account. An account with no valid owner, often also a zombie.
  • User access review. The recurring check that flags dormant accounts.
  • Deprovisioning. Removing access on departure, before an account can go stale.
  • License reclamation. Recovering the paid seats zombie accounts hold.

Frequently asked questions

Zombie account or orphaned account: what's the difference?

A zombie account is defined by dormancy: nobody is using it. An orphaned account is defined by ownership: nobody valid owns it. The two overlap constantly. A departed employee's account is usually both. The distinction matters mainly for how you find them: zombies show up in last-login and activity data, orphans show up in reconciliation against the directory.

Why are zombie accounts a problem if nobody uses them?

Two reasons. Security: a dormant account is an unwatched door, and unusual activity on it does not stand out because there is no normal activity to compare against. Cost: many zombie accounts still hold a paid license, so you keep paying for seats nobody touches.

How do you find zombie accounts?

Pull last-login or activity data from each app and flag accounts that have been idle past a threshold, say 60 or 90 days. The limit is that not every app exposes reliable activity data, and the apps that do not are often the ones with the most stale accounts. Where activity data exists, idle accounts are the clearest signal for cleanup.

How are zombie accounts related to license waste?

Directly. A zombie account on a per-seat app is a seat you pay for and nobody uses. Reclaiming those seats during reviews and offboarding is one of the fastest ways identity cleanup pays for itself, separate from the security benefit.

How do you prevent zombie accounts?

Tie access to active need through the lifecycle: remove it at the leaver stage, adjust it at the mover stage, and run recurring reviews that flag idle accounts. Time-bound access helps too: access that expires on its own cannot go dormant and linger.