Zombie Processes: What to stop doing in 2026
Nobody sets out to bury themselves or their team in low-value work, but zombie processes happen anyway. They might start with good intentions, then the reason goes away but the process keeps running. A meeting gets scheduled during a project crunch, and then the project wraps up but the calendar invite lives on.
Before long, you’re spending real hours every week on tasks that stopped mattering a while ago. And with all the fires to put out, there’s never a good time to step back and question whether any of it still makes sense.
This isn’t about getting rid of technology you don’t use anymore, which is a separate issue. This is about the processes, meetings, and checkbox activities that drain your capacity without delivering proportional value.
Kill the zombie processes
Most of your manual IT processes likely started for good reasons, whether that was a compliance requirement or a workaround for a system limitation that’s since been fixed. The problem is that circumstances change while the processes keep running on autopilot, and nobody has the bandwidth to circle back and ask whether they’re still earning their keep.
You could probably rattle off a few of these right away if you had a moment. Maybe there’s a spreadsheet you still update weekly because the old ticketing system couldn’t track assets or there’s a status report you compile every Friday even though everything in it is already visible in Jira or ServiceNow. These tasks persist not because they’re valuable but because stopping them requires a decision nobody has time to make.
You can smoke out these zombie processes by asking a few pointed questions about them. Who actually uses the output, and not just who’s on the distribution list, but who reads it and acts on it? What breaks if you stop for two weeks? When did someone last ask for this unprompted? If the answers are “unclear,” “nothing,” and “can’t remember,” you’ve probably found something worth eliminating.
Sometimes the underlying task still has value but the manual execution doesn’t, and that’s where automation earns its keep. More often, though, the right move is simply to stop.
Cut the security theater
Some security activities check boxes without reducing actual risk. They generate audit trails and produce reports, but they don’t make your environment meaningfully safer. Identifying these tasks isn’t about cutting corners; it’s about directing limited resources toward controls that actually matter.
Password rotation is a classic example. NIST stopped recommending forced periodic changes years ago, recognizing that the practice often produces weaker passwords and predictable patterns. Yet plenty of organizations still enforce 90-day or 30-day resets because that’s how it’s always been done, not because it’s improving their security posture.
You might also be running vulnerability scans against systems that haven’t changed in months, generating the same clean report over and over. Or, perhaps you’re still tracking metrics nobody looks at because someone once said you should. None of these activities are inherently wrong, but if they’re not reducing risk, they’re consuming time you could spend on things that do.
The question worth asking is whether a given control actually improves your security or mostly just documents effort. Is it compensating for a weakness you’ve already addressed another way? In that case, you can probably get rid of it. In regulated industries, specific controls are non-negotiable, but activities that go beyond requirements without adding proportional protection may deserve another look.
Reclaim your calendar
Recurring meetings have a way of outliving their usefulness. There might be a weekly vendor call you’ve had on the books for two years or a monthly check-in that exists because someone scheduled it once and nobody ever questioned it. They persist because declining a recurring meeting can feel like saying you don’t care about the relationship or the collaboration, even when the meeting itself stopped adding value long ago.
The “this meeting could have been an email” frustration exists for a reason. Calendar bloat affects everyone, from line staff trying to get actual work done to managers bouncing between back-to-back calls with no time to think. Whether you manage a team or you are the team, the dynamic is the same. If your company culture is meeting-heavy in general, not just in IT, then it’s even harder to swim upstream and begin canceling unnecessary meetings.
Ask yourself what decisions actually get made in each recurring commitment, and whether the information could move asynchronously instead. If you canceled for a month, who would notice, and would they miss the meeting itself or just the information it was supposed to convey?
