SaaS Offboarding Risks: Eliminating Zombie Accounts

When an employee leaves on a Friday, their email account is typically disabled by Monday. Their laptop is returned, and the offboarding checklist appears complete.

What often goes unnoticed is their continued access to:

  • A project management platform they adopted independently
  • A shared cloud storage folder with external collaborators
  • A CRM system from a previous role

In many cases, these accounts, along with any sessions still signed in on personal devices, remain active weeks or even months later.

This is how zombie accounts emerge: not through negligence, but because traditional offboarding processes no longer reflect how modern organisations consume software.

Today, organisations operate across a significantly expanded SaaS estate. The average company now uses over 100 SaaS applications, far beyond what legacy offboarding processes were designed to manage.

What Is a “Zombie Account”?

A zombie account is an account that remains active after the person it belongs to has left the organisation. The same applies to anything that person created which outlives a password reset, such as API keys, personal access tokens and OAuth grants to third-party apps.

While the term is informal, the risk is significant.

These accounts:

  • Are legitimate and were properly authorised at the time, so nothing about them looks anomalous on paper
  • Generate ordinary-looking sign-ins that do not trigger standard security alerts
  • Provide direct access to business systems and data

If the credentials were reused on another site, exposed in a breach, or simply retained by the leaver, nothing stands between them and that data.

Industry research suggests that 50% of organisations have identified former employees still accessing SaaS platforms months after leaving—often discovered incidentally rather than through formal audits.

Where Zombie Accounts Most Commonly Persist

1. Cloud storage and collaboration platforms

Platforms such as Microsoft OneDrive, Google Drive, and Dropbox present the most immediate risk.

Common gaps include:

  • Files shared with personal email accounts
  • Guest access granted during projects
  • “Anyone with the link” permissions left active

Revoking the user's licence removes their login, but shared links, external grants and the files they owned are often left untouched, leaving sensitive data exposed.
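As an added example (not code from the original article), the following Python script applies that check to a sharing-permission export: it lists every grant that would survive a licence revocation, and flags files whose owner has left and whose content therefore needs transferring. The CSV layout, the organisation domain `example.org`, the file paths and the addresses are all constructed assumptions; a real export from Google Drive, OneDrive or Dropbox will use different column names, but the classification carries over. A leaver's personal address is only caught if it was recorded at exit, which is a good reason to capture it.

```python
"""Find sharing grants that survive a leaver's licence revocation.

Added example, not from the original article. The CSV columns, the
organisation domain and the addresses below are constructed assumptions;
map them onto whatever your storage platform's permission export provides.
"""
import csv
import io

# Assumed: domains the organisation owns. Any other grantee domain is external.
ORG_DOMAINS = {"example.org"}

# Assumed: corporate addresses of leavers, plus any personal address recorded
# during offboarding (a.jones is known to have used a Gmail address on shares).
LEAVER_EMAILS = {
    "a.jones@example.org",
    "alice.jones@gmail.com",
    "b.smith@example.org",
}

# Constructed permission export: one row per (file, grantee).
# grantee "anyone" with scope "link" models an "anyone with the link" share.
SHARES_CSV = """file_id,path,owner,grantee,scope
f1,Finance/2024-budget.xlsx,a.jones@example.org,anyone,link
f2,Projects/vendor-contract.pdf,d.patel@example.org,alice.jones@gmail.com,user
f2,Projects/vendor-contract.pdf,d.patel@example.org,partner@supplier.com,user
f3,HR/salary-bands.docx,b.smith@example.org,c.lee@example.org,user
f4,Team/meeting-notes.docx,d.patel@example.org,e.khan@example.org,user
"""


def classify_grant(grantee, scope, org_domains, leaver_emails):
    """Label one grant; 'internal' means a current user at an owned domain."""
    grantee = grantee.strip().lower()
    if grantee == "anyone" or scope.strip().lower() == "link":
        return "anyone_with_link"
    if grantee in leaver_emails:
        # Checked before the domain test: a leaver's corporate address
        # still sits on an owned domain and would otherwise look internal.
        return "leaver"
    if grantee.rsplit("@", 1)[-1] not in org_domains:
        return "external"
    return "internal"


def audit_shares(export_csv, org_domains, leaver_emails):
    """Return residual-exposure findings, grouped by file in export order."""
    files = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        files.setdefault(row["file_id"], []).append(row)

    findings = []
    for file_id, rows in files.items():
        path, owner = rows[0]["path"], rows[0]["owner"].strip().lower()
        if owner in leaver_emails:
            # Content with no current owner: transfer it before the account goes.
            findings.append({"file_id": file_id, "path": path,
                             "issue": "owner_left", "grantee": owner})
        for row in rows:
            issue = classify_grant(row["grantee"], row["scope"],
                                   org_domains, leaver_emails)
            if issue != "internal":
                findings.append({"file_id": file_id, "path": path, "issue": issue,
                                 "grantee": row["grantee"].strip().lower()})
    return findings


if __name__ == "__main__":
    for f in audit_shares(SHARES_CSV, ORG_DOMAINS, LEAVER_EMAILS):
        print(f"{f['issue']:16} {f['path']:32} {f['grantee']}")
```

On the constructed data this reports the budget spreadsheet twice (orphaned owner, open link), the contract twice (leaver's personal address, external partner) and the salary file once (orphaned owner); the meeting notes, shared only with a current colleague, produce nothing. The "external" category is deliberately broad: legitimate partner access shows up too, and the review decides what stays.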

2. Project management and CRM systems

Tools such as Jira, Asana, Monday.com, HubSpot, and Salesforce are frequently provisioned outside of IT governance.

This creates:

  • Limited visibility during offboarding
  • Persistent access to strategic, operational, or customer data

Without central oversight, these accounts can remain active long after departure.

3. Unmanaged or “shadow IT” applications

The highest-risk category includes applications IT teams were never aware of.

These may include:

  • Survey tools
  • AI platforms
  • Data visualisation or reporting tools

Research indicates that 90% of SaaS applications within organisations remain unmanaged, significantly increasing the likelihood of orphaned accounts.

Running a SaaS Offboarding Audit

A proactive audit process is essential to identify and eliminate zombie accounts.

Step 1: Build a complete SaaS inventory

Start with your identity provider (e.g. Microsoft Entra ID, Google Workspace, Okta), and supplement with:

  • Finance and billing records (card statements, expense claims, supplier invoices)
  • Browser extensions and installed tools
  • Sign-up confirmations and login notification emails in corporate mailboxes

Large-scale analysis highlights the scale of the challenge. Grip Security identified 23,987 distinct SaaS applications across 29 million accounts, with the majority outside formal IT control.

Step 2: Cross-reference against leavers

Review employee departures over the past 12 months and compare them against your SaaS inventory. For each application:

  • Confirm whether an admin view is available
  • Identify active users and last login dates
  • Flag accounts linked to former employees

Any account with recent or unexplained activity should be prioritised for immediate review and removal.

Step 3: Revoke access and establish governance

Once identified:

  • Remove access promptly, revoking active sessions, API tokens and OAuth grants as well as the login itself
  • Document findings for audit and compliance purposes
  • Enforce multi-factor authentication (MFA) across remaining users

Introduce a quarterly SaaS access review cycle, ensuring that access controls remain aligned with organisational changes.
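The cross-reference and prioritisation in Steps 2 and 3, as an added example in Python rather than anything from the original article. It takes an HR leaver list and the concatenated user exports from each application, matches accounts to leavers by corporate email and, as a fallback for shadow-IT sign-ups under a personal address, by display name, then ranks the hits: anything used after the leaving date first, admin or owner seats ahead of ordinary members, dormant accounts next, never-used seats last. The CSV layouts, the role names treated as privileged, and every name, address and date are constructed assumptions; exports from Entra ID, Okta, Jira, HubSpot and the rest use different column names, so the readers need adapting.

```python
"""Cross-reference SaaS user exports against an HR leaver list and rank the
zombie accounts for revocation.

Added example, not from the original article. The CSV layouts and every
name, address and date below are constructed; real exports from Entra ID,
Okta, Jira, HubSpot and so on use different column names, so adapt the readers.
"""
import csv
import io
from datetime import date

# Assumed: roles that justify top priority even on a dormant account.
PRIVILEGED_ROLES = {"admin", "owner"}

# Constructed HR leaver list. last_day is the last working day.
LEAVERS_CSV = """email,name,last_day
a.jones@example.org,Alice Jones,2024-03-29
b.smith@example.org,Ben Smith,2024-05-10
c.lee@example.org,Chen Lee,2024-08-16
"""

# Constructed per-application user exports, concatenated. A blank last_login
# means the seat was provisioned but never used. The surveymonkey row models
# a shadow-IT sign-up under a personal address.
SAAS_USERS_CSV = """app,email,name,last_login,role
jira,a.jones@example.org,Alice Jones,2024-06-14,member
jira,d.patel@example.org,Dev Patel,2024-09-01,admin
surveymonkey,alice.jones@gmail.com,Alice Jones,2024-04-02,owner
hubspot,b.smith@example.org,Ben Smith,2024-05-09,member
dropbox,c.lee@example.org,Chen Lee,,member
asana,c.lee@example.org,Chen Lee,2024-08-30,admin
asana,d.patel@example.org,Dev Patel,2024-09-02,member
"""


def _parse_date(text):
    return date.fromisoformat(text) if text.strip() else None


def _norm_name(name):
    return " ".join(name.lower().split())


def load_leavers(csv_text):
    """Index leavers by corporate email and by normalised display name.
    The name index is the fallback for accounts registered with a personal
    address; treat those matches as probable and confirm before revoking."""
    by_email, by_name = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        by_email[email] = _parse_date(row["last_day"])
        by_name[_norm_name(row["name"])] = email
    return by_email, by_name


def find_zombie_accounts(leavers_csv, users_csv):
    """Return one finding per leaver account, most urgent first."""
    by_email, by_name = load_leavers(leavers_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        email = row["email"].strip().lower()
        if email in by_email:
            leaver, match = email, "email"
        elif _norm_name(row["name"]) in by_name:
            leaver, match = by_name[_norm_name(row["name"])], "name"
        else:
            continue  # current staff or an unrelated external; not this audit's concern
        last_day = by_email[leaver]
        last_login = _parse_date(row["last_login"])
        privileged = row["role"].strip().lower() in PRIVILEGED_ROLES

        if last_login and last_login > last_day:
            status, priority = "ACTIVE_AFTER_LEAVING", 1  # someone used it after exit
        elif last_login:
            status, priority = "DORMANT", 2                # unused since exit, still valid
        else:
            status, priority = "NEVER_USED", 3             # provisioned, never signed in

        findings.append({
            "app": row["app"], "email": email, "leaver": leaver, "match": match,
            "status": status, "priority": priority, "privileged": privileged,
            "days_after_leaving": (last_login - last_day).days if priority == 1 else 0,
        })
    # Urgent first; within a tier, admin/owner seats before ordinary members.
    findings.sort(key=lambda f: (f["priority"], not f["privileged"], f["app"], f["email"]))
    return findings


def revocation_plan(findings):
    """Group accounts by application so each app admin gets one worklist."""
    plan = {}
    for f in findings:
        plan.setdefault(f["app"], []).append(f["email"])
    return plan


if __name__ == "__main__":
    results = find_zombie_accounts(LEAVERS_CSV, SAAS_USERS_CSV)
    for f in results:
        flag = "ADMIN " if f["privileged"] else "      "
        print(f"P{f['priority']} {flag}{f['app']:12} {f['email']:28} "
              f"{f['status']} (matched by {f['match']})")
    print(revocation_plan(results))
```

On the constructed data the Asana admin seat and the SurveyMonkey owner account come out on top because both were used after the leaving date and both carry privilege; the Jira account follows (used 77 days after exit), the HubSpot account is dormant, and the Dropbox seat was never used. The name-matched SurveyMonkey hit is exactly the kind of account an IdP-only check never sees, which is why the matched-by field is kept in the output: those rows need a human to confirm before anything is revoked.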

Turning Offboarding into a Security Control

Zombie accounts persist because they are rarely actively sought out.

A SaaS offboarding audit provides:

  • Immediate risk reduction
  • Improved visibility across your SaaS estate
  • A repeatable process for ongoing governance

In an environment where SaaS adoption continues to expand, offboarding must evolve from an administrative task into a structured security control.

Closing the Gaps

Identifying zombie accounts is not a one-off exercise; it is a continuous process aligned with workforce change and SaaS growth.

A governance-led approach to SaaS access ensures:

  • Leaver processes reflect real-world software usage
  • Access is provisioned and removed consistently
  • Risks are identified before they result in incidents