Observation
Service decommissioning rarely removes the tokens that were embedded in automation scripts or vendor integrations, so those credentials stay valid after the workload that used them is gone.
Approach
We diff each project's IAM policy snapshot against the inventory of currently active services and flag every credential that has no owning workload.
-- Tokens whose owning service no longer appears in the active inventory,
-- most recently used first so still-live orphans surface at the top.
SELECT token_id, last_used
FROM token_audit
WHERE owning_service IS NULL
ORDER BY last_used DESC;
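The diff-and-flag step end to end, as an added example rather than the note's own tooling. It assumes a policy snapshot is a list of (token_id, owning_service, last_used, permissions) records and that the active service inventory is a set of service names; both the snapshot and the inventory are constructed sample data, and the table is built in an in-memory SQLite database so the audit query above can run against it unchanged (with the permissions column added so write-capable orphans can be called out).

```python
import sqlite3

# Constructed sample IAM policy snapshot: one row per credential.
SNAPSHOT = [
    ("tok-001", "billing-api",   "2024-05-02", "read"),
    ("tok-002", "legacy-export", "2023-11-19", "write"),
    ("tok-003", None,            "2024-01-07", "read"),
    ("tok-004", "vendor-sync",   "2024-04-30", "write"),
    ("tok-005", "report-cron",   "2022-08-15", "write"),
]

# Constructed inventory of services that are still deployed.
ACTIVE_SERVICES = {"billing-api", "vendor-sync"}


def build_token_audit(conn, snapshot, active_services):
    """Load the snapshot into token_audit. This is the diff step: a token
    whose recorded owner is absent from the active inventory (or was never
    recorded at all) is stored with owning_service = NULL."""
    conn.execute(
        "CREATE TABLE token_audit ("
        " token_id TEXT PRIMARY KEY,"
        " owning_service TEXT,"
        " last_used TEXT,"
        " permissions TEXT)"
    )
    rows = []
    for token_id, service, last_used, perms in snapshot:
        owner = service if service in active_services else None
        rows.append((token_id, owner, last_used, perms))
    conn.executemany("INSERT INTO token_audit VALUES (?, ?, ?, ?)", rows)


def orphaned_tokens(conn):
    """The audit query from the note, extended with the permissions column."""
    cur = conn.execute(
        "SELECT token_id, last_used, permissions"
        " FROM token_audit"
        " WHERE owning_service IS NULL"
        " ORDER BY last_used DESC"
    )
    return cur.fetchall()


def audit(snapshot=SNAPSHOT, active_services=ACTIVE_SERVICES):
    """Run the full audit and return the orphan list, the orphan ratio, and
    the subset of orphans that still hold write permissions."""
    conn = sqlite3.connect(":memory:")
    try:
        build_token_audit(conn, snapshot, active_services)
        rows = orphaned_tokens(conn)
        total = conn.execute("SELECT COUNT(*) FROM token_audit").fetchone()[0]
    finally:
        conn.close()
    return {
        "orphaned": rows,
        "orphan_ratio": len(rows) / total if total else 0.0,
        "write_capable": [token_id for token_id, _, perms in rows if perms == "write"],
    }


if __name__ == "__main__":
    result = audit()
    for token_id, last_used, perms in result["orphaned"]:
        print(f"{token_id}  last_used={last_used}  permissions={perms}")
    print(f"orphan ratio: {result['orphan_ratio']:.0%}")
    print("write-capable orphans:", ", ".join(result["write_capable"]))
```

Sorting by last_used descending is deliberate: an orphan used last week is still being exercised by something, so it needs an owner found (or a revocation) before the ones that went quiet years ago.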
Outcome
The audit surfaced 12% of tokens with no active owning service, including two that still held write permissions.