Chasing digital ghosts across modern IGA environments

January 29, 2026 Bruce Spooner


In Pac-Man, ghosts seem pretty easy to dodge. You’re clearing the maze, racking up points, three more pellets away from leveling up. Then, out of nowhere, they close in and cut off all hope of escape. Womp womp. Game over.

In today’s enterprise environments, “ghost” or orphaned accounts represent a similar hidden risk. They appear low-impact, lingering in forgotten corners of the IT maze. But ignore them—or grow overconfident—and attackers can quietly exploit them as tunnels and backdoors, overwhelming you when you least expect it.


Understanding orphaned accounts in identity governance

Orphaned accounts are user or service accounts that remain active even after the person or process they were tied to has left or no longer needs access. In other words, they have no valid owner or purpose, yet still exist across your applications, infrastructure, or cloud environments.

Today, these “ghosts” are no longer the exception. They’ve become inevitable artifacts of modern IT, appearing after employee departures, M&A activity, automation sprawl, or incomplete cleanup of legacy systems. In sprawling hybrid ecosystems, they multiply quickly as each new SaaS app, automation tool, or integration creates credentials that can slip through the cracks during offboarding.

This creates fertile ground for attackers. Consider how easily real‑world scenarios unfold: a contractor’s login remains active after their project ends, or a retired legacy application still has an untouched user list. These overlooked accounts offer attackers a place to blend in, and in environments where new services and automated workflows constantly generate credentials, a handful of digital ghosts can quickly grow into hundreds.

The risks associated with orphaned accounts

Last year alone, according to the CyberArk “2025 State of IGA Report,” 84% of surveyed organizations experienced an identity-related breach, with orphaned accounts among the top contributors. Sometimes, they make headlines. In 2024, a U.S. state government suffered a breach when an orphaned administrator account tied to a former employee was never disabled. The attacker found the leaked password online, logged in via VPN, and blended in as a “normal” user, escalating access and eventually exfiltrating sensitive data from both on-premises servers and the cloud.

These digital ghosts don’t just haunt security; they also haunt compliance. During user access reviews, auditors routinely discover dormant accounts. The State of IGA Report also found that 42% of privileged accounts go undetected for days or weeks. That’s more than enough time for attackers to strike.

Where manual identity management breaks down

If orphaned accounts are such a clear danger, why do they persist?

The unfortunate reality is that finding and removing all these ghosts manually is still the norm.

Meanwhile, legacy IGA solutions depend on humans to spot unused accounts—and humans miss things.

Scale is what gets in the way: too many users and applications, paired with too little visibility. IT teams are often buried in onboarding or support work and can rarely chase every ghost. Manual reviews may flag some dormant accounts, but often only after attackers have already found them.

Five priorities that make modern IGA work at scale

Joiners, movers, leavers, contractors, bots, and integrations don’t stay neatly in one place—they spread across apps, APIs, infrastructure, and automation pipelines. Meanwhile, regulators and auditors increasingly expect provable, timely remediation.

In this environment, access changes too fast, identities sprawl too widely, and attackers move too quickly for manual efforts to keep up.

Leading identity teams are converging on a small set of priorities that can help to flip orphaned account management from chasing ghosts to outmaneuvering them:

1. Unified identity visibility

Identity data lives in many places. Effective governance brings it into a single, coherent view across HR systems and the broader technology stack—spanning both modern platforms and older systems (including those that don’t integrate cleanly).

2. Continuous orphaned account detection

Waiting for quarterly or annual reviews leaves attackers too much time. Modern IGA continuously evaluates which accounts remain active and flags lingering access as soon as identities change.

3. Policy-driven remediation

Not all orphaned accounts pose the same risk. Mature programs apply contextual policies based on role, privilege level, system criticality, and exposure. Higher-risk access is removed faster, while lower-risk cases follow proportionate controls.

4. Closed-loop verification

Detection isn’t enough. Modern governance verifies that remediation actually occurred and re-escalates when it didn’t, making governance self-correcting rather than aspirational.

5. Built-in auditability

Audit readiness should be routine, not a fire drill. Mature IGA programs produce clear, defensible evidence of what was detected, when action occurred, and how quickly risk was resolved.

Ultimately, the real advantage comes from a governance model designed for modern identity scale rather than a single feature.
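As an added illustration (not code from this post or from any CyberArk product), the detection, policy-driven remediation and closed-loop verification priorities above expressed as a small routine over constructed HR and account-inventory data. The field layout, the "terminated"/"active" statuses and the SLA hours are assumptions chosen for the example.

```python
from datetime import date

# Constructed sample data: an HR roster and a cross-system account export.
HR = {  # identity id -> (status, termination date)
    "u100": ("active", None),
    "u101": ("terminated", date(2025, 12, 15)),
    # "u102" is deliberately absent: a contractor HR never recorded.
}
ACCOUNTS = [  # (account, system, owner id, privileged, critical system, enabled)
    ("alice", "payroll", "u100", False, True, True),
    ("bob.admin", "vpn", "u101", True, True, True),
    ("svc_build", "ci", "u102", False, False, True),
    ("legacy_root", "old-erp", None, True, False, True),
]

def remediation_sla(privileged, critical_system):
    """Assumed policy: higher-risk access gets a shorter deadline, in hours."""
    if privileged and critical_system:
        return 24
    if privileged or critical_system:
        return 72
    return 24 * 7

def detect_orphans(hr, accounts):
    """Flag enabled accounts whose owner is missing, unknown to HR, or terminated."""
    orphans = []
    for acct, system, owner, priv, critical, enabled in accounts:
        if not enabled:
            continue  # already remediated; nothing to flag
        if owner is None:
            reason = "no owner recorded"
        elif owner not in hr:
            reason = "owner unknown to HR"
        elif hr[owner][0] == "terminated":
            reason = f"owner terminated {hr[owner][1].isoformat()}"
        else:
            continue  # valid, active owner
        orphans.append({"account": acct, "system": system, "reason": reason,
                        "sla_hours": remediation_sla(priv, critical)})
    return orphans

def verify_remediation(orphans, current_accounts):
    """Closed loop: return flagged accounts still enabled in a later snapshot,
    so they can be re-escalated rather than assumed fixed."""
    still_enabled = {a for a, _, _, _, _, en in current_accounts if en}
    return [o["account"] for o in orphans if o["account"] in still_enabled]
```

The list returned by detect_orphans doubles as audit evidence: what was found, why, and the deadline the policy assigned.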

The power pellet for identity governance

In Pac-Man, the power pellet does more than keep you alive; it shifts the balance of power. The ghosts don’t disappear, but the rules of the game change. Pac-Man stops reacting and starts taking control. Modern identity governance needs the same shift.

Orphaned accounts are emerging as a systemic byproduct of how modern IT operates. Periodic cleanups, better reviews, and faster tickets aren’t enough to solve the problem. What’s required is a different operating model built for constant change, not occasional correction.

Modern identity governance gains strength when organizations adopt operating models built for ongoing change rather than occasional cleanup cycles. With a clear and unified view of identities, access patterns, and account ownership, teams can surface digital ghosts early and resolve them before they gang up on you.

For a deeper look at the trends shaping orphaned account growth and the operational approaches that keep identity risk under control, check out our webinar “Digital Ghosts: How to Find and Fix Orphaned Accounts Before Attackers Do.” It highlights the patterns behind digital ghosts and outlines practical steps that leading teams are using today.

Bruce Spooner is a solutions strategy architect for the Workforce Solutions Group at CyberArk.
