What should be done when third-party accounts are not in use?


Disabling third-party accounts that are not in use is an essential security practice aimed at reducing risk. When accounts are left active without oversight, they can become points of vulnerability that malicious actors may exploit to gain unauthorized access to sensitive information or systems. By disabling these accounts, an organization minimizes the potential attack surface and limits the scope of any possible security breach.

Additionally, disabling unused accounts is an important aspect of good access management and identity governance. It helps ensure that only necessary accounts are active and that permissions are properly managed. This practice aligns with the principle of least privilege, which states that users should have only the minimum level of access necessary to perform their roles.

Leaving an account active when it is not in use is generally unwise, as it can inadvertently provide an opportunity for unauthorized access. Transferring management of these accounts or implementing global restrictions may not be sufficient to address the risk, because neither eliminates the potential for exploitation of dormant accounts. Therefore, disabling these accounts is the most effective approach to enhance security.
