The Zero Trust Audit Nobody Talks About: Your Service Accounts
Everyone talks about user identity. Almost nobody audits the other identity type in your directory, the service accounts. This is a six-point audit we run on every fresh engagement.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 28, 2026 · 7 min read
Zero Trust, as a concept, is saturated. Everyone talks about user identity, device posture, and conditional access. Almost nobody talks about the other identity type that lives in your directory. The service account. And service accounts are, in practice, where the quiet compromises happen.
Why service accounts are the quiet risk
Service accounts are created for machines. The nightly batch job, the backup connector, the CI runner, the SMTP relay. They are not tied to a human, so they escape HR off-boarding. They get wide privileges because 'it just needed to work.' They rarely get audited because they do not generate interactive logins. They are, for an attacker, the ideal pivot.
In the recent breaches we have read IR reports on, service account misuse appears in roughly two out of three kill chains. The pattern is predictable. An attacker compromises a low-privilege user, enumerates directory objects, finds a service account with Domain Admin equivalence and a password that hasn't rotated in four years, and pivots.
The six-point audit
This is the audit we run on a fresh engagement. It is opinionated. It works.
- Enumerate every service account. Not the ones on the wiki. All of them. Pull from AD or Entra ID, cloud IAM, and secrets stores. Reconcile the three lists. The delta is where the orphans hide.
- Classify by privilege. Tier 0 (domain or cloud admin), Tier 1 (server admin), Tier 2 (application). Most organisations discover that at least 10 to 15 percent of their service accounts are over-tiered, that is, accounts that only need Tier 2 sitting in Tier 1.
- Check password hygiene. Age, length, last rotation. Any service account password older than 365 days is a finding. Any that uses an interactive-equivalent policy (expires, user-changeable) is a finding.
- Check the usage surface. Is this account logging in from every workstation (bad), three specific servers (acceptable), or zero servers in the last 60 days (orphaned)?
- Check for interactive logons. LogonType=2 (an interactive logon) for a service account is never correct. It is either a human using the credential (policy violation) or an attacker.
- Check the ownership record. Who owns this account? When did they last acknowledge it? Anything over 12 months without an owner check-in goes into quarantine.
This audit typically finds, in a 500-person organisation, between 200 and 400 findings. Most are benign. Roughly 5 to 8 percent are serious enough to remediate the same week.
Case study (anonymised)
A recent engagement. 312 service accounts in AD. Of those, 47 had not rotated passwords in over three years. Four had Domain Admin-equivalent privileges. Two of those four had no identified owner. One was being used from a workstation belonging to an intern who had left eight months prior. That credential was still valid, still privileged, still logging in. Nobody had noticed because the account was 'owned' by a team lead who had moved departments.
No breach had occurred. But the blast radius of that one account was the entire directory.
Migration path
The remediation is rarely glamorous. It is a three-quarter program.
- Quarter 1: baseline and ownership assignment. Every account gets a human owner.
- Quarter 2: right-sizing. Migrate over-tiered accounts to scoped privileges. Kill orphans.
- Quarter 3: rotation and vaulting. Every credential in a secrets manager with automatic rotation. No passwords in scripts, no passwords in CI config, no passwords in wikis.
By the end of that cycle the organisation has an accurate inventory, tiered privileges, and a rotation cadence. Zero Trust for service accounts is not a product. It is a posture with these three properties.
Closing
If you are architecting Zero Trust and have not audited your service accounts, you have not done Zero Trust. User identity is the front door. Service accounts are the loading dock. An attacker who knows what they are doing is going for the loading dock every time.