PAM Basics May 2026

Service Accounts: The Forgotten Privileged Identities

They outnumber human accounts, rarely rotate, almost nobody owns them, and they are everywhere. Service accounts are one of the most overlooked attack surfaces in enterprise environments.

Ask a security team how many user accounts are in their environment and they can usually tell you. Ask them how many service accounts they have and the room gets quiet.

Service accounts are the identities nobody talks about until something breaks or something gets breached. They run your backup jobs, execute your scheduled tasks, connect your applications to your databases, authenticate your monitoring tools, and keep dozens of automated processes running around the clock. They are everywhere. They are privileged. And in most organizations they are almost completely unmanaged.

Why It Matters

Everything attackers want, none of the oversight

Service accounts sit at the intersection of everything attackers want. They are typically over-privileged — given broad access at deployment because it was easier than scoping permissions carefully. They rarely rotate passwords — because rotating a service account password means tracking down every place that credential is used and updating it without breaking something. They have no human owner — because the person who created the account left two years ago or the system it was built for changed hands three times. And they are often excluded from the same governance processes that apply to human accounts — because they don't need to be in the identity review because they're "just" service accounts.

That logic has appeared in the post-breach documentation of more incidents than anyone wants to count.

A compromised service account is a particularly effective tool for an attacker. It doesn't trigger the same alerts as an unusual user login. It operates on a schedule that looks normal because it is normal. It often has access to multiple systems simultaneously. And because nobody actively monitors it, the attacker can use it quietly for days, weeks, or longer before anyone notices.

The PAM Lesson

Four problems most organizations haven't finished solving

Getting service accounts under control requires solving four problems, and most organizations have not finished solving any of them.

Discovery. You cannot manage what you cannot see. Most organizations do not have an accurate, complete inventory of their service accounts. They have a list of the ones they know about, which is not the same thing. A genuine service account discovery exercise — pulling from Active Directory, from application configurations, from scheduled task logs, from service control managers — typically turns up accounts that surprise everyone in the room.
Ownership. Every service account needs a human owner. Not a team. Not a department. A named individual who is accountable for what that account does, what access it has, and what happens to it when the system it serves is decommissioned. Without ownership, accounts accumulate unchecked and persist long past their useful life.
Least privilege. Most service accounts have more access than they need because scoping permissions correctly takes time and nobody prioritized it at deployment. Remediating this is painstaking work, but it is directly proportional to how much damage a compromised service account can do. A service account that can only read from one database cannot be used to drop it.
Credential management. Service account passwords should be vaulted, rotated, and monitored the same way privileged human credentials are. The argument that rotation is too hard because you don't know everywhere the credential is used is an argument that you have an undocumented infrastructure problem — and that problem needs to be solved regardless. Modern PAM platforms handle service account vaulting and rotation, including the dependency mapping that makes rotation feasible. This is not a manual process problem. It is an automation and tooling problem, and it is solvable.

The Decommissioning Gap

The account that outlived the system

There is a specific service account failure mode that deserves its own mention: the account that outlives the system it was built for.

A service account is created for an application. The application is replaced. The migration team focuses on making the new system work and does not loop in the identity team. The old service account is never disabled. It sits in Active Directory with valid credentials and whatever access it was granted for the old system — which may include access to production databases, file shares, or other sensitive resources that the new system also needs and therefore were never removed.

Nobody is using this account intentionally. Nobody is watching it. The credentials may be documented somewhere, or they may not be.

This is not a theoretical attack surface. It is a documented pattern in real breaches. The attacker finds the orphaned service account, identifies that it has useful access, and uses it as a persistence mechanism or a lateral movement path.

Access reviews that explicitly include service accounts — asking not just "does this account still exist" but "is the system this account serves still running, and does this account still need this access" — catch this before attackers do.

What to Check This Week

Four places to start

Run a discovery query against your Active Directory for accounts that match common service account naming conventions — svc_, service_, app_, and similar prefixes. Compare that list against your known service account inventory. The gap between those two lists is your undocumented exposure.
Pull the last authentication date for every service account in your environment. Any service account that has not authenticated in 90 days is a candidate for immediate review. Any service account that has not authenticated in a year is almost certainly orphaned.
Identify which of your service accounts have passwords that have never rotated. In many environments this list is longer and more alarming than expected.
Pick one critical application and map every service account that touches it. Find the owner of each one. Ask whether the access is still appropriate and whether the password is under management. Do this exercise once and you will understand why service account governance needs a program, not a one-time project.

Service accounts are not a niche PAM problem. They are often the largest unmanaged privileged identity population in an enterprise environment. The organizations that have gotten this right did not do it all at once. They started with discovery, established ownership, and built from there. That is the only way it works.