Identity hygiene is the practice of maintaining clean, accurate, and minimal access across all identities in an organization—removing what's stale, right-sizing what's excessive, and ensuring the identity landscape reflects current reality.
Identity hygiene is the organizational practice of keeping the identity environment tidy: accounts are active only for users who currently need them, permissions reflect what's actually required for current job functions, credentials are strong and protected, and stale or orphaned access is regularly cleaned up.
The analogy to personal hygiene is useful because it captures the continuous nature of the discipline. Hygiene isn't something you achieve and then maintain automatically. It requires regular attention. An identity environment that was clean three months ago can be significantly messier today—because employees joined and left, roles changed, new applications were adopted, and nobody went back to review the access decisions made along the way.
In security terms, poor identity hygiene is among the highest-consequence forms of technical debt. It accumulates silently and creates real, exploitable exposure: former employee accounts that attackers can use to access organizational systems; over-permissioned accounts that amplify the blast radius of any compromise; stale OAuth grants that expose data long after the integration served its purpose.
Identity hygiene encompasses several ongoing practices:
Prompt deprovisioning. When an employee leaves or changes roles, their access should be adjusted or removed quickly across every system—not just the primary directory. This requires knowing what systems they had access to, including SaaS tools that were never formally provisioned.
Least-privilege access. Permissions should reflect what a user needs for their current role, not everything they've needed at any point in their tenure. Access reviews should identify and right-size permissions that have grown beyond their intended scope.
Credential hygiene. Strong, unique credentials; enforced MFA; no shared passwords or accounts; regular review of credentials that haven't been rotated. For non-human identities, this extends to API keys, service account passwords, and OAuth client secrets.
OAuth and integration review. Authorized OAuth connections should be periodically reviewed to confirm they're still needed and that their scopes are appropriate. Unused or excessive integrations should be revoked.
Stale account identification. Accounts that haven't been used in a defined period should be flagged for review. Long periods of inactivity often indicate an account that's no longer needed—and a potential entry point if left open.
The discipline of identity hygiene is straightforward in principle and difficult in practice at SaaS scale.
The challenge is that hygiene requires visibility. You can't deprovision accounts you don't know exist. You can't right-size permissions you've never audited. You can't revoke OAuth grants that were never inventoried.
In a SaaS environment, a significant share of accounts exist outside the centrally managed identity stack. Employees sign up for tools using work email without going through IT. OAuth integrations are created by individual users, not tracked in any system. AI tools are connected to productivity apps without security review. None of these appear in a standard identity hygiene process built around the directory.
Comprehensive identity hygiene in a modern environment requires discovering the full account and integration landscape—not just managing what's already in scope—and then applying consistent hygiene practices across the entire picture.
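The hygiene practices listed above (deprovisioning, stale-account detection, OAuth scope review) only work once the discovered SaaS accounts and integrations are reconciled against the directory of record. The script below is an added illustration, not code from the original article: it takes a constructed directory, a constructed list of SaaS accounts (including ones created outside IT) and a constructed set of OAuth grants, and reports orphaned, unmanaged, stale and over-scoped items against an assumed 90-day inactivity threshold and an assumed list of sensitive scopes.

```python
from datetime import date

# Constructed sample inventory (not real data): directory of record plus
# SaaS accounts and OAuth grants discovered outside the central identity stack.
DIRECTORY = {
    "ana@example.com": {"status": "active", "role": "engineer"},
    "bo@example.com": {"status": "terminated", "role": "finance"},
}
SAAS_ACCOUNTS = [  # "managed": False means the user signed up without IT provisioning
    {"app": "crm", "email": "ana@example.com", "last_login": "2024-05-20", "managed": True},
    {"app": "crm", "email": "bo@example.com", "last_login": "2024-01-10", "managed": True},
    {"app": "whiteboard", "email": "ana@example.com", "last_login": "2023-11-01", "managed": False},
    {"app": "notes", "email": "cy@example.com", "last_login": "2024-05-28", "managed": False},
]
OAUTH_GRANTS = [
    {"app": "ai-assistant", "owner": "ana@example.com",
     "scopes": {"mail.read", "files.readwrite.all"}, "last_used": "2024-02-01"},
    {"app": "calendar-sync", "owner": "bo@example.com",
     "scopes": {"calendar.read"}, "last_used": "2024-05-25"},
]
SENSITIVE_SCOPES = {"files.readwrite.all", "mail.readwrite"}  # assumed policy, not a standard list

def days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days

def is_active_owner(directory, email):
    owner = directory.get(email)
    return owner is not None and owner["status"] == "active"

def hygiene_findings(directory, accounts, grants, today, stale_days=90):
    """Return (kind, app, identity, detail) tuples, one per hygiene problem found."""
    findings = []
    for acct in accounts:
        if not is_active_owner(directory, acct["email"]):  # departed or unknown user
            findings.append(("orphaned", acct["app"], acct["email"], "owner not an active directory user"))
        if not acct["managed"]:  # exists outside the provisioning process
            findings.append(("unmanaged", acct["app"], acct["email"], "account created outside the directory"))
        idle = days_since(acct["last_login"], today)
        if idle > stale_days:
            findings.append(("stale", acct["app"], acct["email"], f"no login for {idle} days"))
    for grant in grants:
        if not is_active_owner(directory, grant["owner"]):
            findings.append(("orphaned_grant", grant["app"], grant["owner"], "grant owner no longer active"))
        risky = grant["scopes"] & SENSITIVE_SCOPES
        if risky:
            findings.append(("excessive_scope", grant["app"], grant["owner"], "sensitive scopes: " + ", ".join(sorted(risky))))
        idle = days_since(grant["last_used"], today)
        if idle > stale_days:
            findings.append(("stale_grant", grant["app"], grant["owner"], f"unused for {idle} days"))
    return findings

def demo_findings():
    return hygiene_findings(DIRECTORY, SAAS_ACCOUNTS, OAUTH_GRANTS, date(2024, 6, 1))

if __name__ == "__main__":
    for finding in demo_findings():
        print(*finding, sep=" | ")
```

Each finding maps to one of the practices above: orphaned items go to deprovisioning, stale ones to the inactivity review, unmanaged accounts to discovery, and excessive scopes to the OAuth review.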