User accounts unused for 90 days are not removed

Description

IAM users and roles within AWS accounts represent potential attack vectors, and their existence should be limited to when they are actively in use to minimize the risk of unauthorized access. Retaining inactive IAM entities increases the likelihood of exploitation by threat actors, potentially granting unauthorized access to critical AWS resources.

Inactive AWS administrator entities are considered a high-risk finding if they meet any of the following conditions:

  1. Attachment of the AWS managed policy arn:aws:iam::aws:policy/AdministratorAccess
  2. A custom policy that grants the action * on all resources
  3. A custom policy that grants the action iam:* on all resources

To mitigate the risk of unauthorized privilege escalation, remove any IAM users, groups, or roles that have been inactive for 90 days or more. This prevents an unauthorized party who gains control of a stale entity from inheriting its admin-level privileges.

Fix - Runtime

AWS IAM CONSOLE

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console and select Users.
  3. Find the user(s) to delete and select the checkbox next to each one. (You may wish to confirm the "Last activity" date before deleting the user.)
  4. Click Delete User.

CLI command

To remove an unused user, use the following command. The user's access keys, login profile, MFA devices, inline and attached policies, and group memberships must be removed first; otherwise the call fails with a DeleteConflict error.

aws iam delete-user --user-name <value>
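As an added example (not part of the original finding), the following Python identifies users whose credentials have been idle for 90 days or more from an IAM credential report and checks a policy document for the two custom-policy conditions listed above. The report, account ID, user names and evaluation time are constructed; against a live account the report comes from `aws iam get-credential-report` (base64-decoded) and `SAMPLE_NOW` is replaced by the current time.

```python
import csv
import io
from datetime import datetime, timezone

INACTIVITY_DAYS = 90
# Credential-report columns recording when a credential was last used.
LAST_USED_FIELDS = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")

# Constructed report (fictitious account and users), trimmed to the columns used here.
SAMPLE_REPORT = """user,arn,user_creation_time,password_last_used,access_key_1_last_used_date,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T12:00:00+00:00,no_information,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T12:00:00+00:00,2024-05-29T12:00:00+00:00,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T12:00:00+00:00,2023-11-14T12:00:00+00:00,2024-02-02T12:00:00+00:00,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-05-01T12:00:00+00:00,no_information,N/A,N/A
dave,arn:aws:iam::123456789012:user/dave,2024-05-22T12:00:00+00:00,no_information,N/A,N/A
"""
# Constructed evaluation time; use datetime.now(timezone.utc) against a live report.
SAMPLE_NOW = datetime.fromisoformat("2024-06-01T12:00:00+00:00")

def parse_ts(value):
    """ISO-8601 timestamp -> aware datetime; N/A, no_information, not_supported -> None."""
    return datetime.fromisoformat(value) if value[:1].isdigit() else None

def find_inactive_users(report_csv, now, days=INACTIVITY_DAYS):
    """Map user name -> idle days for users with no credential use in `days` days.
    Users whose credentials were never used are measured from creation time."""
    inactive = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the root user cannot be deleted; review it separately
        used = [t for t in (parse_ts(row[f]) for f in LAST_USED_FIELDS) if t]
        reference = max(used) if used else parse_ts(row["user_creation_time"])
        idle = (now - reference).days
        if idle >= days:
            inactive[row["user"]] = idle
    return inactive

def _as_list(value):
    # IAM policy fields may be a single string/object or a list; normalise to a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def grants_full_admin(policy_document):
    """True if any Allow statement grants `*` or `iam:*` on all resources
    (conditions 2 and 3 of the finding above)."""
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "*" in _as_list(stmt.get("Resource")) and actions & {"*", "iam:*"}:
            return True
    return False
```

Run against the sample, `find_inactive_users` flags bob (120 idle days) and carol (never used, 397 days since creation) while alice and dave pass; a user flagged here whose attached or inline policy satisfies `grants_full_admin`, or who carries the AdministratorAccess managed policy, is the high-risk case this finding describes.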