Orphaned account

A SaaS account that belonged to a former employee and was never deprovisioned during offboarding.

Also known as: zombie account, stranded account

Orphaned accounts are the security version of shelfware. The employee left, IT disabled their Okta and Google account, but the SaaS tools provisioned outside SSO kept billing — and kept letting the former employee log in.

The risk is asymmetric. Most ex-employees never touch the account again. The few who do — disgruntled, or with credentials sold on a breach forum — can exfiltrate years of customer data before anyone notices.

A proper offboarding checklist enumerates every tool the employee touched, not just the ones in the IDP. SeatMap maintains that inventory continuously, so the offboarding handoff is a list, not a hunt.

Examples

A laid-off engineer who still has access to the company GitHub 6 months later.
A contractor's Figma seat that kept billing for a year after the project ended.
A salesperson's HubSpot account that a competitor logged into after they moved companies.

Related terms

Ghost account

An active SaaS license tied to a real user that hasn't logged any meaningful activity in 30+ days.

Shadow IT

Any software, SaaS account, or cloud service an employee uses for work without IT approval or visibility.

See orphaned account in your stack

Free audit. Connect any SaaS workspace, get a full inactive-account report in under 2 seconds.

Start free audit