Accounts unused for a set period are disabled automatically.
What it actually means
Stale accounts are easy targets and nobody's watching them. After a defined period of inactivity, identifiers should be disabled — ideally automatically through your identity provider's lifecycle policy, backed by periodic access reviews.
Pass or fail — an assessor needs a "yes" to each
- A defined inactivity period triggers disablement.
- Disablement is automated or caught by regular review.
What to have ready
- Lifecycle/inactivity policy
- Identity-provider configuration or review records
Where teams trip up
- Dormant accounts left enabled for months
- Disablement that depends on someone remembering
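One way to run the check so it does not depend on someone remembering, as an added example that is not part of the original page. The 90-day period, the CSV column names and the sample rows are assumptions constructed for illustration; substitute your policy's period and your identity provider's real export format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # assumed value; use the period your policy defines

# Constructed sample export; column names are assumptions, not a real IdP schema.
SAMPLE_EXPORT = """username,enabled,created,last_sign_in
alice,true,2023-01-10T09:00:00+00:00,2025-05-28T14:02:00+00:00
bob,true,2022-06-01T09:00:00+00:00,2024-11-03T08:15:00+00:00
carol,false,2021-03-15T09:00:00+00:00,2023-02-01T10:00:00+00:00
dave,true,2024-09-01T09:00:00+00:00,
erin,true,2025-05-20T09:00:00+00:00,
"""

def find_stale_accounts(export_text, now, inactivity_days=INACTIVITY_DAYS):
    """Return enabled accounts with no activity inside the inactivity period."""
    cutoff = now - timedelta(days=inactivity_days)
    stale = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        # An account that never signed in is measured from its creation date,
        # so provisioned-but-unused accounts do not stay enabled forever.
        never_used = not row["last_sign_in"].strip()
        last_seen = datetime.fromisoformat(
            row["created"] if never_used else row["last_sign_in"])
        if last_seen < cutoff:
            stale.append({
                "username": row["username"],
                "days_inactive": (now - last_seen).days,
                "reason": "never signed in" if never_used else "no recent sign-in",
            })
    return stale

def review_record(stale, now):
    """Format the findings as dated lines suitable for keeping as evidence."""
    return [f"{now.date()} DISABLE {a['username']} "
            f"({a['reason']}, {a['days_inactive']} days)" for a in stale]

if __name__ == "__main__":
    run_time = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed for repeatability
    for line in review_record(find_stale_accounts(SAMPLE_EXPORT, run_time), run_time):
        print(line)
```

Scheduled against a fresh export, the output doubles as a review record; the disable action itself belongs to your identity provider's lifecycle policy or API.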