Who Still Has Access? Zombie Accounts Are the Security Risk You’re Probably Ignoring

Reading Time: 2 minutes

Okay, quick gut check:
If someone left your company six months ago… do they still have access to GitHub?

If you hesitated—even for a second—let’s talk.

Because here’s the thing: in most scaleups, access management is kind of like flossing. Everyone knows it’s important. Nobody does it as often as they should.

The Quiet Security Threat That Grows While You Sleep

Zombie accounts are real.
And no, I’m not talking about phishing emails or zero-days.
I mean the engineer who left in January.
The intern from last summer.
The contractor who helped with a migration… in 2022.

They’re gone.
But their access?
Still alive and kicking.

That means stale GitHub accounts tied to Gmail addresses.
Slack API tokens that haven’t been rotated since the last funding round.
Old AWS IAM users with full admin access and no MFA.

Some of these accounts:

  • Aren’t behind SSO
  • Don’t show up in your dashboards
  • Still work just fine

And that’s terrifying.

This Isn’t Just IT Hygiene. It’s a Door Left Wide Open.

If you’re a CTO, you don’t need me to tell you what happens next.
An old credential leaks.
An unused API token gets scraped.
Suddenly, a long-dormant user becomes the pivot point in an actual breach.

Zombie access is the worst kind of risk: it is often high-privilege, and it is invisible to the people watching the dashboards.

Why Most Teams Miss This (Even the Smart Ones)

Look, no one wakes up and says “Let’s make our IAM sloppy.”
But this stuff falls through the cracks because:

  • Onboarding is fast. Offboarding isn’t.
  • Security owns tooling. But offboarding lives with HR.
  • Everyone’s focused on shipping. Until they’re focused on incident response.

And if you’ve got a distributed team or contractors? It gets worse.

What You Can Do (And Yes, You Can Do It in a Sprint)

You don’t need a six-month IAM overhaul.
You just need to be deliberate about closing the loop.

Here’s a punch list that works:

  • ✅ Hook HR and Slack into offboarding
    When HR marks someone as leaving, trigger the cleanup checklist automatically and post it where the team will see it, instead of relying on a manager to remember.
  • ✅ Audit by identity, not just email
    Match every account back to a person in your HR system. Anything you can't match, especially accounts registered under Gmail, Outlook, or a vendor's domain, has no owner on record and needs one before it keeps its access.
  • ✅ Kill dormant accounts
    Anything idle for 30+ days? Flag it. 60+? Kill it. Disable before you delete, so a false positive is a ticket rather than an outage, and give service accounts a named owner instead of a blanket exemption.
  • ✅ Rotate shared credentials
    If you're still sharing VPN creds or SSH keys (and yes, many are), rotate on contractor exit, every time. Better still, replace them with per-person credentials so there is nothing shared left to rotate.
  • ✅ Enforce SSO + MFA
    Everywhere. No more "legacy tool" exceptions for dev environments.
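As an added worked example (not code from this post), here is a small Python audit that applies the punch list above to an account inventory: it matches each account's email against an HR roster, applies the 30/60-day dormancy rule, and checks whether the account sits behind SSO with MFA. The corporate domain, the roster, the audit date and the five sample accounts are all constructed for the example; in practice the inventory would be pulled from GitHub, AWS IAM, Slack and the rest of your SaaS estate, and the roster from your HR system.

```python
"""Offboarding audit: walk an account inventory, match each account to the HR
roster, apply the 30/60-day dormancy rule and check SSO/MFA.
Added example for this post; domains, thresholds and inventory are assumptions."""
from dataclasses import dataclass
from datetime import date

# Assumptions, not from the post: the company's SSO domain(s) and a fixed audit date.
CORPORATE_DOMAINS = {"example.com"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
FLAG_AFTER_DAYS = 30    # "Anything idle for 30+ days? Flag it."
REVOKE_AFTER_DAYS = 60  # "60+? Kill it."
SEVERITY = {"ok": 0, "flag": 1, "revoke": 2}


@dataclass(frozen=True)
class Account:
    system: str          # where the account lives, e.g. "github", "aws-iam", "slack"
    login: str
    email: str           # address the account is registered under
    last_activity: date  # last login or credential use the system reports
    mfa: bool
    behind_sso: bool
    privileged: bool = False


def worst(current: str, proposed: str) -> str:
    """Escalate an action; never downgrade one already decided."""
    return proposed if SEVERITY[proposed] > SEVERITY[current] else current


def audit(accounts, active_roster, today):
    """Map (system, login) -> (action, reasons). action is 'ok', 'flag' or 'revoke'."""
    roster = {e.lower() for e in active_roster}
    report = {}
    for a in accounts:
        action, reasons = "ok", []
        domain = a.email.rsplit("@", 1)[-1].lower()
        idle = (today - a.last_activity).days

        # 1. Identity: can this account still be tied to someone HR says is employed?
        if domain in PERSONAL_DOMAINS:
            action = worst(action, "flag")
            reasons.append("personal-domain email; owner cannot be matched to HR roster")
        elif domain in CORPORATE_DOMAINS:
            if a.email.lower() not in roster:
                action = worst(action, "revoke")
                reasons.append("owner missing from active HR roster (offboarded?)")
        else:
            action = worst(action, "flag")
            reasons.append(f"vendor/contractor domain {domain}; confirm engagement is active")

        # 2. Dormancy: the 30/60-day rule.
        if idle >= REVOKE_AFTER_DAYS:
            action = worst(action, "revoke")
            reasons.append(f"idle {idle} days")
        elif idle >= FLAG_AFTER_DAYS:
            action = worst(action, "flag")
            reasons.append(f"idle {idle} days")

        # 3. Controls: SSO and MFA everywhere; privileged exceptions are flagged, not tolerated.
        if not a.behind_sso:
            reasons.append("not behind SSO")
        if not a.mfa:
            reasons.append("no MFA")
        if a.privileged and not (a.behind_sso and a.mfa):
            action = worst(action, "flag")
            reasons.append("privileged account outside SSO/MFA")

        report[(a.system, a.login)] = (action, reasons)
    return report


def summarize(report):
    """Count accounts per action, e.g. {'ok': 1, 'flag': 1, 'revoke': 3}."""
    counts = {"ok": 0, "flag": 0, "revoke": 0}
    for action, _ in report.values():
        counts[action] += 1
    return counts


# Constructed sample inventory mirroring the post's examples (not real data).
TODAY = date(2025, 6, 1)
ACTIVE_ROSTER = {"asmith@example.com", "ops@example.com"}  # assumed HR feed
SAMPLE_ACCOUNTS = [
    # the engineer who left in January, GitHub account on a Gmail address
    Account("github", "jdoe-dev", "jdoe.personal@gmail.com", date(2025, 1, 10), True, False),
    # the contractor from the 2022 migration, IAM admin with no MFA
    Account("aws-iam", "migration-contractor", "ops@contractor-shop.io", date(2022, 11, 30), False, False, True),
    # current engineer, SSO-backed, recently active
    Account("github", "asmith", "asmith@example.com", date(2025, 5, 28), True, True),
    # corporate address that HR no longer lists as active
    Account("slack", "bwong", "bwong@example.com", date(2025, 5, 20), True, True),
    # legacy admin user on a team mailbox: still owned, but idle and outside SSO/MFA
    Account("aws-iam", "root-admin-legacy", "ops@example.com", date(2025, 4, 20), False, False, True),
]


def run_sample():
    return audit(SAMPLE_ACCOUNTS, ACTIVE_ROSTER, TODAY)


if __name__ == "__main__":
    result = run_sample()
    for (system, login), (action, reasons) in sorted(result.items(), key=lambda kv: -SEVERITY[kv[1][0]]):
        print(f"{action:6} {system}/{login}: " + "; ".join(reasons))
    print(summarize(result))
```

Run it and the three "revoke" rows are exactly the zombies the post describes: the departed engineer's Gmail-backed GitHub login, the 2022 contractor's IAM admin user, and a corporate account whose owner HR no longer lists. The legacy admin user is only flagged because a named owner still exists, which is the point of the "disable before delete" caveat: the script produces a ticket queue, not an automatic deletion.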

You can knock out most of this in a week. And the payoff?
Long-term resilience that scales with your team.

IAM Doesn’t Scale in Your Head

At 10 people, you can track access mentally.
At 50, you can’t.
At 150+, it’s a security incident waiting to happen.

If you’re leading infrastructure or product security, this isn’t optional hygiene—it’s foundational. And if no one owns it? It owns you.