Shane O’Neill walks through how disabled, unused sysadmin accounts can still compromise your system:
Notice that “Enabler” as part of securityadmin can see the disabled “AllThePower” login?
Great, we can see it, so let’s promote our CopyCat login!
Part of what makes security so hard is that it’s not enough to think of what a single principal can do; it’s what a chain of principals can do.
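One way to audit for exactly this chain (an added T-SQL example, not code from Shane O’Neill’s post): list disabled logins that still hold sysadmin, then list every principal that could re-enable them, whether through securityadmin membership or an explicit ALTER ANY LOGIN grant. The login names AllThePower and Enabler are the ones used in the post; everything else comes from the standard catalog views.

```sql
-- Added audit example; assumes nothing beyond the built-in catalog views.
-- 1. Disabled logins that are still members of sysadmin.
--    A disabled sysadmin is dormant power, not removed power.
SELECT p.name        AS disabled_login,
       p.type_desc   AS login_type,
       r.name        AS server_role
FROM sys.server_principals      AS p
JOIN sys.server_role_members    AS m ON m.member_principal_id = p.principal_id
JOIN sys.server_principals      AS r ON r.principal_id        = m.role_principal_id
WHERE p.is_disabled = 1
  AND r.name = N'sysadmin';

-- 2. Who could flip that login back on? Members of securityadmin
--    (which can ALTER LOGIN ... ENABLE) plus anyone holding ALTER ANY LOGIN directly.
SELECT mp.name AS enabler, N'member of securityadmin' AS how
FROM sys.server_role_members    AS m
JOIN sys.server_principals      AS rp ON rp.principal_id = m.role_principal_id
JOIN sys.server_principals      AS mp ON mp.principal_id = m.member_principal_id
WHERE rp.name = N'securityadmin'
UNION ALL
SELECT gp.name, N'explicit ' + perm.permission_name
FROM sys.server_permissions     AS perm
JOIN sys.server_principals      AS gp ON gp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = N'ALTER ANY LOGIN'
  AND perm.state_desc = N'GRANT';

-- 3. Remediation for a login you no longer need: take the role away (or drop the
--    login outright) instead of relying on the disabled flag. Example from the post:
-- ALTER SERVER ROLE sysadmin DROP MEMBER [AllThePower];
-- DROP LOGIN [AllThePower];
```

If query 1 returns rows and query 2 returns anyone you would not trust with sysadmin (an “Enabler”), you have the chain the post describes; the fix is removing the membership, not disabling the login.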