AC-2: Account Management

Control ID: AC-02
Control Name: Account Management
Framework: NIST SP 800-53, Revision 5
Control Family: Access Control
Baselines: LOW, MODERATE, HIGH
Relevance: First Party and Third Party
Risk Severity: CRITICAL

What this control requires

AC-02 requires organizations to define, assign, and actively manage every user account that touches a system. That obligation means documenting which account types are allowed, assigning account managers, and establishing approval workflows before anyone gains access. It also means monitoring those accounts continuously and removing or disabling them the moment they’re no longer needed.

In practice, this control demands a full lifecycle approach to identity and access management. You don’t just provision accounts at onboarding and deprovision them at termination. You review group and role memberships at a defined cadence, verify that access authorizations still match each person’s job function, and ensure that shared or group account authenticators change whenever someone leaves the group. The control also requires you to align account management directly with HR processes for terminations and transfers, closing the gap where orphaned accounts tend to appear.

Where most organizations fall short isn’t in creating accounts. It’s in maintaining an authoritative inventory of all accounts, including service accounts, emergency accounts, and accounts created outside the standard provisioning workflow. AC-02 sits within the Access Control family and treats account management as a continuous discipline, not a one-time setup task.

Why it matters

Unmanaged accounts are the most common initial access vector in insider threat cases and post-compromise lateral movement. When your account inventory drifts from reality, you lose the ability to answer a foundational question: who has access to what, right now? That gap turns every termination, every role change, and every merger into a potential exposure.

The consequences compound quickly. Orphaned accounts sit unmonitored, accumulating privileges over time. Service accounts with static credentials become permanent backdoors. Shared accounts eliminate individual accountability, making forensic analysis nearly impossible after an incident. Every one of these gaps traces directly back to AC-02 requirements that weren’t enforced.

Stradis Healthcare ghost account

Christopher Dobbins served as Vice President of Finance at Stradis Healthcare, a Peachtree Corners, Georgia manufacturer of personal protective equipment. On August 13, 2019, while still employed, Dobbins created a fictitious user account under the name “Jagdish Kavitha” inside the company’s NetSuite ERP system. He disclosed its existence to no one.

When Dobbins was terminated in March 2020, the IT team deprovisioned his named account through standard offboarding procedures. The ghost account went undetected. Three days later, Dobbins used that account to log back in, create a second unauthorized account, edit approximately 115,581 shipping records, and delete 2,371 records. The sabotage deliberately disrupted PPE shipments to healthcare providers during the opening weeks of the COVID-19 pandemic.

The consequence was federal prosecution. Dobbins pleaded guilty in July 2020 and was sentenced to one year and one day in federal prison plus $221,200 in restitution. The AC-02 failure was twofold. The rogue account was created during employment and never caught by a periodic account review. Offboarding addressed only the named account while the unauthorized one persisted, and in a medical supply context during a pandemic, the operational consequences were immediate.

The result is a set of predictable footholds that attackers exploit repeatedly, as incident reports confirm:

  • Orphaned accounts after termination: offboarding workflows that only deprovision the primary named account, missing service accounts, shared credentials, or accounts created outside the provisioning process
  • Privilege accumulation over role changes: users transferring between departments without a corresponding review of their access authorizations, resulting in excessive privileges that violate least privilege
  • Unmonitored shared and service accounts: accounts with static credentials and no individual accountability, providing persistent access to systems that bypasses normal authentication monitoring
  • Delayed notification of status changes: gaps between HR recording a termination or transfer and IT acting on it, leaving a window where former employees retain system access

How to implement

The most common failure mode isn’t a missing account management policy. It’s a policy that exists on paper but isn’t connected to the operational workflows that create, modify, and remove accounts in real time.

For your organization

Start by building an authoritative account inventory. Enumerate every account type across your systems, including individual, shared, group, service, emergency, temporary, and guest accounts. Document which types are allowed and which are explicitly prohibited.

Assign account managers by system or business unit; without clear ownership, that inventory becomes a static document no one maintains. These account managers are responsible for approving access requests, reviewing account compliance, and responding to notifications about terminated or transferred personnel. Make this role explicit, not assumed.

Most workflows collapse at the approval layer, so establish approval workflows that require documented authorization before any account is created or modified. Your workflow should capture the requestor, the approver, the account type, the access authorizations granted, and the business justification. This workflow produces the access authorization records auditors examine.

Skipping periodic reviews produces invisible drift, so implement account reviews at a defined cadence. Compare your active account inventory against HR records, role-based access control policies, and system logs. Flag accounts that don’t map to a current, authorized user, and flag accounts with privileges that exceed the user’s current role.

This process most often breaks down at the seam between account management and HR. Align account management directly with your personnel termination and transfer processes. When HR processes a termination, the account manager should receive notification within a defined time period.

Incomplete deprovisioning leaves persistent access. Deprovisioning must cover all accounts associated with that individual, not just the primary named account. Privileged access management processes require particular attention, since privileged accounts create the largest blast radius when left active.

In practice, three mistakes derail AC-02 implementations more than any others: relying on manual spreadsheets as the account inventory, treating offboarding as a single-step disable of the primary account, and skipping reviews for service accounts on the assumption that no human uses them. Each of these shortcuts creates blind spots that auditors will flag and attackers will find.
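The review and deprovisioning steps above, as an added example that is not part of the original page: a small Python reconciliation of a constructed account inventory against constructed HR records and role entitlements, flagging orphaned accounts, accounts whose owner is terminated, privilege drift beyond the owner’s role, and inactivity. All account names, employee ids, roles and privileges are assumed for illustration.

```python
# Added example (not from the original page): an AC-02 account review that
# reconciles an account inventory against HR status and role entitlements.
from collections import namedtuple

# owner is the HR employee id recorded for the account, or None if none is recorded
Account = namedtuple("Account", "name owner privileges days_since_login")

# Constructed HR export: employee id -> (employment status, job role)
HR = {"e100": ("active", "finance_vp"), "e101": ("terminated", "finance_vp"),
      "e102": ("active", "warehouse")}
# Constructed RBAC policy: the privileges each role is authorised to hold
ROLE_PRIVS = {"finance_vp": frozenset({"erp.read", "erp.write", "erp.approve"}),
              "warehouse": frozenset({"erp.read", "shipping.edit"})}
# Constructed inventory. "jkavitha" mirrors the Stradis pattern: an account
# that maps to no HR record at all, so owner-based offboarding never sees it.
INVENTORY = [
    Account("alee", "e100", ROLE_PRIVS["finance_vp"], 3),
    Account("cdobbins", "e101", ROLE_PRIVS["finance_vp"], 2),
    Account("jkavitha", None, ROLE_PRIVS["finance_vp"], 1),
    Account("mreyes", "e102", frozenset({"erp.read", "shipping.edit", "erp.approve"}), 5),
    Account("svc_erp_sync", None, frozenset({"erp.read", "erp.write"}), 1),
    Account("tmp_auditor", "e100", frozenset({"erp.read"}), 200),
]

def review(inventory, hr, role_privs, stale_days=90):
    """Return {account name: [issues]} for every account that fails the review."""
    findings = {}
    for acct in inventory:
        issues = []
        if acct.owner not in hr:   # covers owner=None and unknown ids alike
            issues.append("orphaned: no HR record owns this account")
        else:
            status, role = hr[acct.owner]
            if status != "active":
                issues.append(f"owner {acct.owner} is {status} but account is enabled")
            excess = acct.privileges - role_privs.get(role, frozenset())
            if excess:
                issues.append(f"privileges exceed role {role}: {sorted(excess)}")
        if acct.days_since_login > stale_days:
            issues.append(f"inactive for {acct.days_since_login} days")
        if issues:
            findings[acct.name] = issues
    return findings

def deprovision_scope(inventory, employee_id):
    """All accounts recorded against one employee, not just the named login.
    Accounts with no recorded owner never appear here; review() catches them."""
    return sorted(a.name for a in inventory if a.owner == employee_id)
```

Running review() over the constructed inventory flags every account except alee, and deprovision_scope() for the terminated employee returns only the named login, which is why the orphan check has to run alongside offboarding.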

For your vendors

When assessing a vendor’s AC-02 compliance, you need to verify that they maintain the same lifecycle discipline over accounts that touch your data or integrate with your systems. Self-attestation alone is not sufficient.

The questionnaire, where most vendor assessments begin, is also the easiest part to game. Ask these questions during your assessment:

  • How do you document and approve the creation of user accounts on systems that process our data?
  • What is your defined cadence for reviewing account compliance, and who performs those reviews?
  • How are account management processes aligned with personnel termination and transfer workflows?
  • Do you maintain an inventory of all account types, including service, shared, and emergency accounts?
  • How do you handle shared or group account authenticators when a member leaves?

Questionnaire responses fall short on verifiability, so request specific evidence. Ask for their access control policy, a sample account inventory showing active and recently disabled accounts, records from their most recent account compliance review, and documentation showing how termination notifications flow to account managers.

Certain patterns should trigger deeper scrutiny:

  • A vendor who can produce a policy document but no evidence of periodic reviews
  • A vendor whose account inventory doesn’t include service accounts
  • A vendor who can’t articulate the time window between a termination event and account deprovisioning
  • Any vendor who treats account management as an annual audit exercise rather than a continuous operational process

Vendors most often fall short by offering self-attestation alone. Request screenshots or exports from their identity management system showing review timestamps, not just a statement that reviews occur.

Evidence examples

Account management policy: Access control policy defining allowed and prohibited account types, approval workflows, review cadence, and termination alignment procedures
Account inventory: Export of active system accounts with associated user names, role memberships, and access authorization levels, plus a separate list of recently disabled accounts
Access authorization records: Documented approval records showing requestor, approver, account type, granted privileges, and business justification for each account creation or modification
Account compliance reviews: Completed review records showing date, reviewer, accounts examined, discrepancies found, and remediation actions taken
Personnel process alignment: Termination and transfer notification records showing the time period between HR action and account manager notification
Monitoring and audit records: System monitoring logs and audit records demonstrating ongoing account usage tracking and anomaly detection

Cross-framework mapping

Framework | Control(s) | Coverage
ISO 27001:2022 | 5.16 Identity management | Partial
ISO 27001:2022 | 5.18 Access rights | Partial
ISO 27001:2022 | 8.2 Privileged access rights | Partial
NIST SP 800-171 Rev 3 | 03.01.01 Account Management | Partial

  • AC-03 Access Enforcement. Enforces the access authorizations that AC-02 defines and assigns to each account, ensuring the system actually restricts users to their approved privileges.
  • AC-05 Separation of Duties. Prevents any single account from accumulating incompatible privileges, directly supporting the role and group membership requirements in AC-02.
  • AC-06 Least Privilege. Requires that each account receive only the minimum access authorizations necessary, reinforcing the privilege specification requirements of AC-02.
  • AC-17 Remote Access. Governs how remotely accessed accounts are authorized and monitored, extending AC-02 lifecycle management to remote sessions.
  • AC-18 Wireless Access. Applies account authorization and monitoring requirements to wireless access points, ensuring wireless accounts follow the same lifecycle as wired accounts.
  • AC-20 Use of External Systems. Addresses accounts used on external systems, requiring organizations to manage access authorizations when personnel use systems outside organizational control.
  • AC-24 Access Control Decisions. Defines the decision points where account attributes and access authorizations from AC-02 are evaluated before granting or denying access.
  • AU-02 Event Logging. Specifies the account-related events that must be logged, providing the audit trail AC-02 requires for monitoring account usage.
  • AU-12 Audit Record Generation. Generates the audit records that support AC-02 account monitoring requirements, capturing account creation, modification, and deletion events.
  • CM-05 Access Restrictions for Change. Restricts which accounts can modify system configurations, relying on AC-02 role definitions to determine who holds change-management privileges.

Frequently asked questions

What is NIST SP 800-53 AC-02?

AC-02 is the NIST SP 800-53 control that requires organizations to manage the complete lifecycle of every system account, from defining allowed account types and assigning account managers through periodic compliance reviews and deprovisioning. It covers individual, shared, group, service, emergency, temporary, and guest accounts. The control mandates documented approval workflows for account creation, specified access authorizations for each account, and alignment between account management and personnel termination and transfer processes.

What happens if AC-02 is not implemented?

Without AC-02, organizations lose visibility into who holds active accounts and what privileges those accounts carry, creating a direct path for unauthorized access. Orphaned accounts from terminated employees remain active, shared account authenticators persist after group members leave, and access authorizations accumulate without review. The Stradis Healthcare case showed how a single ghost account allowed a terminated employee to re-enter the system, corrupt tens of thousands of shipping records, and disrupt PPE deliveries to healthcare providers during the early weeks of the COVID-19 pandemic.

How do you audit AC-02?

Auditors verify AC-02 by examining the account inventory against HR records to confirm that every active account maps to a current, authorized user with documented access authorizations. They review access authorization records for proper approval workflows, check account compliance review records for evidence of periodic reviews at the defined cadence, and verify that personnel termination notifications reached account managers within the required time period. They also examine system monitoring records to confirm that account usage is actively tracked and that shared or group authenticator changes are documented when members are removed.

What are the AC-02 control enhancements?

AC-02 includes 13 control enhancements (AC-02(1) through AC-02(13)) that layer additional requirements onto the base control. These enhancements address automated account management, automated temporary and emergency account handling, disabling accounts for high-risk individuals, automated audit actions, inactivity-based logout, dynamic privilege management, privileged user accounts, dynamic account management, usage conditions, shared and group account credential changes, usage monitoring, and account reviews for atypical usage. Your applicable baseline determines which enhancements are required. Moderate and high baselines mandate several enhancements that low baselines do not.