A zombie account is an account that is still switched on but that nobody actually uses. It belongs to someone who left, or a project that ended, or a tool the team tried once and abandoned. It sits there, enabled, quietly costing money and quietly widening the attack surface.
The name is doing work. The account is not alive in any useful sense, but it is not dead either. It can still log in. It can still be used.
Zombie versus orphaned
The two terms get used interchangeably, and most real accounts are both, but they describe different properties.
A zombie account is about use. Nobody is logging in. The defining trait is dormancy.
An orphaned account is about ownership. Nobody valid is behind it. The defining trait is a missing owner.
A departed employee's forgotten login is usually a zombie and an orphan at once. But a shared service account that runs a nightly job is orphaned if its creator left, yet not a zombie, because it is active every night. And a current employee's account in a tool they stopped using is a zombie without being orphaned. The distinction matters because you find them differently: zombies through activity data, orphans through reconciliation against the directory.
Why they matter
Security first. A dormant account is an unwatched entrance. There is no baseline of normal activity, so when something does happen on it, nothing flags as unusual. Dormant, forgotten accounts are a preferred target for exactly this reason: use is unlikely to be noticed.
Then cost. On per-seat software, every zombie account is a license you are paying for and nobody is using. Across a stack of per-user tools, the idle seats add up to a real line item. This is the part finance understands immediately, and it is often what gets an identity cleanup funded.
Finding them
The signal is activity. Pull last-login or usage data from each app and flag anything idle past a threshold. Sixty or ninety days is a common line. An account that has not been touched in a quarter is either a zombie or close to becoming one.
The constraint is that activity data is uneven. Some apps report last login cleanly. Others expose nothing useful, and those tend to be the older or lower-tier tools where stale accounts collect. Where the data exists, idle time is the clearest cleanup signal there is. Where it does not, zombies have to be caught by reconciliation and review instead.
Preventing them
Zombie accounts are what accumulates when access is never tied back to need. The prevention is the lifecycle working: access removed when people leave, adjusted when they move, and reviewed on a schedule that flags idle accounts before they are forgotten. Time-bound access closes another path, since access that expires on its own never gets the chance to go dormant.
Related terms
- Orphaned account. An account with no valid owner, often also a zombie.
- User access review. The recurring check that flags dormant accounts.
- Deprovisioning. Removing access on departure, before an account can go stale.
- License reclamation. Recovering the paid seats zombie accounts hold.