Workers who have been laid off or fired from their jobs often complain mightily that companies treat them like common criminals, with security escorting them out of the building in some sort of corporate perp walk and then soliciting one of their work buddies to pack up their personal stuff and ship it to them, as if they might walk out with the good silver.
You would think that level of caution would apply to deprovisioning access, especially in manufacturing, where organizations onboard temporary workers, contractors and third-party system integrators at breakneck speed during spring production ramp-ups. It seems at the very least incongruous that 48% of manufacturing organizations don’t revoke employee access within 24 hours after a worker departs or changes roles, according to new research by Pathmark.
“If those privileges are not revoked immediately when projects conclude, or permissions are granted too broadly, they create long-lived entry points and widespread access that adversaries can exploit,” says Darren Guccione, CEO and co-founder at Keeper Security.
Perhaps the problem has intensified because a full 74% “lack fully automated user provisioning and de-provisioning,” the Pathmark report notes.
What makes these dormant accounts particularly dangerous is that they don’t typically trigger behavioral alerts, which means they become an easy entry point for nefarious acts like credential stuffing, password spraying and phishing. Nearly half (46%) of reported security incidents were linked, or thought to be linked, to a yawning governance gap that has its genesis in, you guessed it, digital transformation.
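The two findings above (access not revoked within 24 hours of departure, and dormant accounts that trip no alerts) are both things a defender can measure directly from an identity-provider export and an HR feed. The following is an added example, not code from the report or from any of the vendors quoted; the account and departure records are constructed, and the “-admins” group-naming convention used to flag privileged accounts is an assumption for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample records (not from the report): a snapshot of the identity
# provider plus HR departure dates. In practice these come from an IdP export
# and the HR system of record.

UTC = timezone.utc
NOW = datetime(2025, 4, 15, 9, 0, tzinfo=UTC)   # fixed "now" so results are reproducible


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_login: Optional[datetime]   # None means the account has never signed in
    groups: tuple


ACCOUNTS = [
    Account("alice", True,  datetime(2025, 4, 14, 8, 0, tzinfo=UTC), ("eng",)),
    Account("bob",   True,  datetime(2025, 3, 1, 7, 30, tzinfo=UTC), ("plant-admins",)),
    Account("carol", False, datetime(2025, 4, 13, 16, 0, tzinfo=UTC), ("eng",)),
    Account("dave",  True,  datetime(2025, 4, 14, 11, 0, tzinfo=UTC), ("integrator",)),
    Account("erin",  True,  None, ("integrator",)),
    Account("frank", True,  datetime(2024, 12, 1, 9, 0, tzinfo=UTC), ("erp-admins",)),
]

# user -> moment the departure or contract end took effect (constructed)
DEPARTURES = {
    "bob":   datetime(2025, 4, 10, 9, 0, tzinfo=UTC),   # left five days ago, still enabled
    "carol": datetime(2025, 4, 14, 12, 0, tzinfo=UTC),  # left yesterday, correctly disabled
    "dave":  datetime(2025, 4, 14, 12, 0, tzinfo=UTC),  # left 21h ago, still inside the SLA
}


def is_privileged(acct):
    # Hypothetical convention for this example: admin groups end in "-admins".
    return any(g.endswith("-admins") for g in acct.groups)


def unrevoked_after_sla(accounts, departures, now, sla=timedelta(hours=24)):
    """Departed users whose account is still enabled past the revocation SLA.

    Returns (user, hours_overdue, privileged) tuples sorted by user.
    """
    by_user = {a.user: a for a in accounts}
    findings = []
    for user, left_at in departures.items():
        acct = by_user.get(user)
        if acct is None or not acct.enabled:
            continue                      # already removed or disabled: compliant
        overdue = now - left_at - sla
        if overdue > timedelta(0):
            hours = round(overdue.total_seconds() / 3600, 1)
            findings.append((user, hours, is_privileged(acct)))
    return sorted(findings)


def dormant_accounts(accounts, now, max_idle=timedelta(days=90)):
    """Enabled accounts with no sign-in inside the idle window, or none ever.

    Returns (user, privileged) tuples sorted by user.
    """
    out = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_login is None or now - a.last_login > max_idle:
            out.append((a.user, is_privileged(a)))
    return sorted(out)


if __name__ == "__main__":
    for user, hours, priv in unrevoked_after_sla(ACCOUNTS, DEPARTURES, NOW):
        print(f"UNREVOKED {user}: {hours}h past SLA{' (privileged)' if priv else ''}")
    for user, priv in dormant_accounts(ACCOUNTS, NOW):
        print(f"DORMANT   {user}{' (privileged)' if priv else ''}")
```

Run against the sample data it reports bob (a plant admin who left five days ago) as 96 hours past the 24-hour SLA, and erin and frank as dormant; dave, who left 21 hours ago, is inside the SLA and is not flagged. The privileged flag is what lets a team work the list in risk order rather than alphabetically.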
Stale credentials, Guccione says, “remain one of the most predictable and dangerous weaknesses in enterprise security.” Attackers understand that organizations are effectively leaving trusted identities active, he says, “and routinely look for dormant accounts that will allow them to blend in as legitimate users to avoid triggering traditional security alerts.”
The findings “highlight a structural identity problem in manufacturing: Attackers increasingly log in rather than break in, and dormant or overprivileged accounts give them a frictionless path,” says James Maude, field CTO at BeyondTrust.
“During seasonal ramp-ups, access is created quickly but rarely removed with the same urgency, leaving behind a shadow layer of identities that don’t trigger behavioral alerts,” which, Maude says, “expands the blast radius for everything from credential stuffing to insider misuse.”
Just over half (53%) have some automation and rules in place to conduct regular user access reviews, but around one third (36%) are just getting started on identifying and remediating access risk and depend mostly on manual processes. A further 30% are at the same early stage when it comes to provisioning, modifying and de-provisioning user accounts.
And it gets worse. About half (51%) do not use automated elevated access management, with 14% admitting they have minimal or no governance when it comes to privileged access. The report also notes that the workers with the broadest permissions—third-party consultants and internal IT admins—are the most difficult to manage.
It does make you wonder why three in five skipped comprehensive segregation-of-duties (SoD) risk simulations altogether before deploying new roles as they migrated their organizations to the cloud.
“With 74% of manufacturers lacking fully automated provisioning, 61% skipping SoD simulations before cloud migrations, and dormant accounts evading behavioral alerts entirely, the attack surface isn’t a gap—it’s a design flaw,” says Surya Kollimarla, director, identity security products at ColorTokens.
Guccione says that “identity governance must be treated as a security priority, not just a compliance process” with access being “automated, time-bound and continuously verified, privileged access must follow the principle of least privilege and standing administrative rights should be eliminated wherever possible.”
Security teams, Maude says, “should focus on shrinking standing privilege, ideally taking a just-in-time approach for privilege and access, especially for contractors and integrators.”
By reducing privilege in a system, “you reduce the impact of inevitable mistakes,” he explains.
Kollimarla urges security teams “to seriously evaluate two foundational shifts.” First, they must “go passwordless by design, not by patch.” Passwordless capabilities merely layered on top of password-based infrastructure “don’t eliminate the attack surface—they obscure it,” he says.
But “true passwordless architecture, integrated with automated SoD enforcement across your existing ERP and IAM systems, removes the credential risk at the source.”
Security teams should also “authenticate based on context, not just identity,” Kollimarla says. “Risk-based authentication that continuously evaluates the user, device, and application at the moment of access is the only model that raises the security bar without adding friction — because friction doesn’t get tolerated, it gets bypassed.”
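A context-based access decision of the kind described above reduces to a policy function over signals about the user, the device and the application, with the tolerance shrinking as the application gets more sensitive, so that low-risk sessions pass silently while risky ones get a step-up or a denial rather than friction for everyone. The following is an added example, not ColorTokens code or anything from the article; the signals, weights, thresholds and sample contexts are all constructed to illustrate the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    user: str
    device_managed: bool      # enrolled in MDM / presents a device certificate
    device_compliant: bool    # patched, disk-encrypted, EDR running
    network: str              # "plant", "corp-vpn" or "internet"
    country: str
    usual_countries: tuple    # where this user normally signs in from
    app_tier: int             # 1 = low (timeclock), 2 = moderate, 3 = high (ERP/HMI)
    failed_logins_24h: int


def risk_score(ctx):
    """Additive risk score; every weight here is a constructed policy value."""
    score, reasons = 0, []
    if not ctx.device_managed:
        score += 3; reasons.append("unmanaged device")
    elif not ctx.device_compliant:
        score += 2; reasons.append("non-compliant device")
    if ctx.network == "internet":
        score += 1; reasons.append("off-network")
    if ctx.country not in ctx.usual_countries:
        score += 3; reasons.append("unusual country")
    if ctx.failed_logins_24h >= 5:
        score += 2; reasons.append("recent failed logins")
    return score, reasons


# Per-tier thresholds (constructed): the more sensitive the app, the lower the
# score at which we demand phishing-resistant MFA or refuse outright.
STEP_UP_AT = {1: 4, 2: 2, 3: 1}
DENY_AT = {1: 7, 2: 6, 3: 5}


def decide(ctx):
    """Return ('allow' | 'step_up' | 'deny', score, reasons) for one access attempt."""
    score, reasons = risk_score(ctx)
    # Hard rule independent of score: no unmanaged device touches a tier-3 system,
    # because no amount of MFA attests to the endpoint's state.
    if ctx.app_tier == 3 and not ctx.device_managed:
        return "deny", score, reasons + ["unmanaged device on tier-3 app"]
    if score >= DENY_AT[ctx.app_tier]:
        return "deny", score, reasons
    if score >= STEP_UP_AT[ctx.app_tier]:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample attempts
SAMPLES = {
    "operator_on_plant_floor": AccessContext("olga", True, True, "plant", "DE", ("DE",), 3, 0),
    "remote_engineer_tier2":   AccessContext("raj", True, True, "internet", "US", ("US",), 2, 0),
    "remote_engineer_tier3":   AccessContext("raj", True, True, "internet", "US", ("US",), 3, 0),
    "byod_abroad_timeclock":   AccessContext("sam", False, True, "internet", "BR", ("US",), 1, 0),
    "integrator_laptop_erp":   AccessContext("tia", False, True, "corp-vpn", "US", ("US",), 3, 0),
    "stale_laptop_after_spray": AccessContext("uma", True, False, "internet", "US", ("US",), 2, 6),
}


def run_samples():
    """Decision per named sample, handy for a dashboard or a unit test."""
    return {name: decide(ctx)[0] for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        verdict, score, why = decide(ctx)
        print(f"{name:26s} {verdict:8s} score={score} {', '.join(why) or 'no risk signals'}")
```

The same remote engineer on the same managed laptop is allowed into a moderate-tier app but asked for step-up on the ERP system, which is the “without adding friction” property: the cost lands only where the risk does. A user whose device shows recent failed logins gets step-up rather than a silent allow, the one signal in this model that a dormant-account attack would typically leave behind.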
Perhaps then and only then will dormant accounts be perp walked out the door.