Inventory of all service accounts
Demonstrate that the organization maintains a complete, accurate, and current inventory of all service accounts with sufficient metadata to support access reviews, privilege management, and accountability.
Description
What this control does
This control requires organizations to maintain a comprehensive, current inventory of all service accounts—non-human identities used by applications, scripts, scheduled tasks, and services to authenticate and execute operations. The inventory must include attributes such as account name, purpose, associated systems/applications, owner/custodian, privilege level, authentication method, and last review date. Maintaining this inventory prevents orphaned accounts from persisting after application decommissioning, enables privilege review and least-privilege enforcement, and provides visibility into non-human access pathways that are frequently exploited due to weak credential management or excessive permissions.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, accurate, and current inventory of all service accounts with sufficient metadata to support access reviews, privilege management, and accountability.
Associated risks
Risks this control addresses
- Orphaned service accounts remain active after application retirement, providing persistent backdoor access with no monitoring or ownership
- Service accounts with excessive privileges enable lateral movement and privilege escalation following initial compromise of a low-value system
- Hard-coded or embedded credentials in service accounts allow attackers to extract and reuse credentials across multiple systems
- Lack of ownership attribution prevents timely response when service account credentials are compromised or misused
- Service accounts exempted from password rotation policies become high-value targets with static, discoverable credentials
- Undocumented service accounts bypass change control, logging, and monitoring processes designed for user accounts
- Shared service accounts across multiple applications obscure audit trails and prevent accurate attribution of privileged actions
Testing procedure
How an auditor verifies this control
- Obtain the organization's current service account inventory spreadsheet, database export, or identity governance system report showing all service accounts across all platforms (Active Directory, cloud IAM, databases, applications).
- Request documentation of the methodology used to identify service accounts, including query scripts, filters, or automated discovery tools employed.
- Select a representative sample of 15-25 service accounts spanning different platforms, privilege levels, and business functions from the inventory.
- For each sampled account, verify its existence and attributes by inspecting the source system directly (e.g., querying Active Directory, examining cloud IAM console, reviewing database user tables).
- Cross-reference the sampled accounts against system documentation, application architecture diagrams, and CMDB records to validate the documented purpose and associated systems are accurate.
- Identify at least three recently decommissioned applications or systems from change management records and verify that associated service accounts were documented in the inventory and properly disabled or removed.
- Review the inventory completeness by executing independent queries or scans on a subset of platforms to identify service accounts not present in the provided inventory, documenting any discrepancies.
- Verify that mandatory inventory attributes (minimally: account name, purpose, owner, privilege level, last review date) are populated for all accounts and that ownership can be traced to accountable individuals or teams.
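The completeness and attribute checks in the last two steps can be automated by reconciling the inventory export against independent exports from the source systems. The script below is an added example and is not part of this control text or of any vendor tool; it assumes both the inventory and the directory listing have been exported to CSV (the column names and all account records are constructed sample data). It reports accounts that exist in a source system but are missing from the inventory, inventory entries with no matching account, entries that are still listed although the account is disabled, entries with empty mandatory attributes, and entries whose last review is older than a configurable age.

```python
"""Reconcile a service-account inventory against source-system exports.

All data below is constructed for illustration; column names are assumptions.
"""
import csv
import io
from datetime import date

# Attributes the control requires at minimum (assumed column names).
MANDATORY_ATTRIBUTES = ("account", "purpose", "owner", "privilege_level", "last_review_date")

# Constructed inventory export, as an identity-governance tool might produce it.
INVENTORY_CSV = """account,platform,purpose,owner,privilege_level,last_review_date
svc_backup,ad,Nightly backup job,infra-team,high,2024-03-01
svc_erp_sync,ad,ERP to CRM sync,erp-owners,medium,2023-01-15
svc_legacy_report,ad,Legacy reporting,,high,2024-02-10
svc_ci_deploy,cloud,CI deploy role,platform-team,high,2024-05-20
svc_retired_app,ad,Retired HR app,hr-team,low,2024-04-01
"""

# Constructed export of what the source systems actually contain, e.g. the
# combined result of a directory query and a cloud IAM listing.
DIRECTORY_CSV = """account,platform,enabled
svc_backup,ad,true
svc_erp_sync,ad,true
svc_legacy_report,ad,false
svc_ci_deploy,cloud,true
svc_monitor_agent,cloud,true
svc_old_portal,ad,true
"""


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_rows, directory_rows, as_of, max_review_age_days=365):
    """Compare inventory against directory; key accounts by (platform, name)."""
    inventory = {(r["platform"], r["account"]): r for r in inventory_rows}
    directory = {(r["platform"], r["account"]): r for r in directory_rows}
    findings = {
        "not_in_inventory": [],      # live in a source system, undocumented
        "not_in_directory": [],      # documented, but the account no longer exists
        "disabled_in_directory": [], # documented as active, disabled at the source
        "missing_attributes": [],    # mandatory fields left empty
        "review_overdue": [],        # last review older than the allowed age
    }
    # Completeness: every enabled account at the source must appear in the inventory.
    for key, acct in directory.items():
        if key not in inventory and acct["enabled"] == "true":
            findings["not_in_inventory"].append(acct["account"])
    # Accuracy and attribute quality of each documented entry.
    for key, row in inventory.items():
        dir_row = directory.get(key)
        if dir_row is None:
            findings["not_in_directory"].append(row["account"])
        elif dir_row["enabled"] != "true":
            findings["disabled_in_directory"].append(row["account"])
        missing = [a for a in MANDATORY_ATTRIBUTES if not row.get(a, "").strip()]
        if missing:
            findings["missing_attributes"].append((row["account"], missing))
        if row.get("last_review_date", "").strip():
            reviewed = date.fromisoformat(row["last_review_date"])
            if (as_of - reviewed).days > max_review_age_days:
                findings["review_overdue"].append(row["account"])
    return findings


def run_sample(as_of=date(2024, 6, 1)):
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(load(INVENTORY_CSV), load(DIRECTORY_CSV), as_of)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

Each finding category maps to a control failure mode: `not_in_inventory` is the discrepancy the independent-scan step looks for, `not_in_directory` and `disabled_in_directory` show the inventory drifting from reality after decommissioning, and `missing_attributes` and `review_overdue` cover the mandatory-attribute and review-date requirements. In practice the two CSV inputs would be replaced by exports taken directly from each platform at the time of the test, so the inventory is never checked against itself.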
Where this control is tested