What is a service account and what special controls apply?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

What is a service account and what special controls apply?

Explanation:
A service account is a non-human identity used by applications or services to authenticate to other systems, not meant for people to log in interactively. Because it represents automated workloads, you apply tight controls: give only the minimum permissions the app needs (least privilege) and avoid broad admin roles, so compromise doesn’t grant wide access. Use non-human credentials that the application can rotate automatically, and avoid embedding long-lived human credentials; implement regular rotation and prefer short-lived tokens or signed keys managed by a secret store. Enable thorough auditing so every action performed by the service account is traceable, and monitor for unusual activity. Keep the account separate from human user accounts, restrict it to the exact resources it needs, and disable any interactive login capability to ensure it’s used only by the intended application.

