Identity, Attack surface management, IAM Technologies, Black Hat, Exposure management

Privileged dormant service accounts found on 70% of work environments

An analyst uses a computer and dashboard for data business analysis and Data Management System with KPI and metrics connected to the database for technology finance, operations, sales, marketing

(Adobe Stock)

Dormant service accounts with privileges were found in more than 70% of enterprise environments according to new research released by BeyondTrust on Aug. 4 at BlackHat in Las Vegas.

The researchers also reported that overly permissive Entra Service Principals create direct pathways to Global Admin privileges, exposing entire Microsoft 365 environments to potential takeover.

According to BeyondTrust, credentials reused across multiple service accounts by human administrators can also let a single compromised password hack numerous non-human accounts.

“Our data shows that many organizations lack the complete story when it comes to their identity attack surface,” said Marc Maiffret, chief technology officer at BeyondTrust. “For many, overlooked hygiene issues silently open the door to attackers. And with the rise of Agentic AI, the stakes have never been higher, especially as most organizations lack visibility into how compromised accounts can be leveraged to seize control of application secrets, which often carry elevated privileges.”

Nic Adams, co-founder and CEO at 0rcus, added that BeyondTrust’s findings indicate a systemic vulnerability across enterprise identity frameworks from uncovering a failure in managing non-human and dormant privileged accounts.

“Notably, this is a severe threat multiplier because overlooked accounts and secrets, which are often excessively permissive and lack proper lifecycle management, offer attackers a direct pathway to critical infrastructure,” said Adams.

Chad Cragle, chief information security officer at Deepwatch, said these findings highlight a growing concern: secrets and non-human identities have quietly become the soft underbelly of enterprise security.

With Agentic AI systems now autonomously spinning up infrastructure, making decisions, and moving laterally across environments, the old model of managing service accounts with a spreadsheet and a prayer just doesn’t cut it anymore, Cragle said.

“We’re seeing a perfect storm of dormant privileged accounts, overly permissive service principals, and cross-platform misconfigurations, creating hidden escalation paths that attackers love,” said Cragle. “It’s not just a hygiene problem: it’s a visibility crisis. Secrets are the new identity crisis. If you don’t know where they are, who has access, or how they’re used, then you’ve already lost the game.”

Roy Katmor, co-founder and CEO of Orchid Security, said the findings don’t just reflect misconfigurations or isolated missteps — they reveal a deeper flaw in how identity gets consumed. Katmor said dormant privileged accounts, reused credentials and overly permissive access are symptoms of what is referred to as "Identity Dark Matter" — hidden identity pathways that evade traditional IAM, audit and detection tools.

“These blind spots like shadow auth flows, orphaned entitlements, and role chaining often go unnoticed until after privilege has escalated,” said Katmor. “Without visibility into these hidden paths, identity is incomplete and attackers know it."

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Business Email Compromise (BEC)Dictionary AttackDigest AuthenticationDiscretionary Access Control (DAC)Distributed ScansDrive-by DownloadExtensible Authentication Protocol (EAP)FingerprintingIdentityOpenID

You can skip this ad in 5 seconds