Very good principles to go by. But the hardest part is to make it a recurring process.
It's very common to lose track of accounts and services that aren't used anymore, especially on servers used by multiple teams and/or projects.
That's when the trouble starts: nobody has the balls to disable those unknown accounts/services because it might break things.
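The recurring part of that process can be partly automated: an inventory check that lists accounts nobody has used in a while gives the team something concrete to decide on instead of a vague fear of breaking things. Below is an added example (my own, not code from this thread) of such a stale-account audit in Python. It works on constructed `/etc/passwd`-style lines and a constructed mapping of last-login times standing in for what `lastlog` would report; on a real host you would feed it the actual files, and the 90-day threshold and UID 1000 boundary are assumptions to adjust per site.

```python
"""Stale-account audit: flag local accounts with no login in N days.

Added example, not from the original comment. Input is constructed
/etc/passwd-style text and a constructed lastlog-style mapping.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample passwd entries (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
deploy-old:x:1003:1003::/home/deploy-old:/bin/bash
svc-report:x:1004:1004::/var/lib/report:/bin/sh
"""

# Constructed last-login timestamps (what `lastlog` would report); None = never.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LASTLOG = {
    "root": NOW - timedelta(days=3),
    "alice": NOW - timedelta(days=10),
    "bob": NOW - timedelta(days=200),
    "deploy-old": None,
    "svc-report": NOW - timedelta(days=400),
}

# Shells that already prevent interactive login; assumed list, extend as needed.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than crash the audit
        yield fields[0], int(fields[2]), fields[6]


def stale_accounts(passwd_text, lastlog, now, max_idle_days=90, min_uid=1000):
    """Return a sorted list of (name, reason) for interactive, non-system
    accounts that have never logged in or have been idle longer than
    max_idle_days. Reasons are strings so the report is human-readable."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for name, uid, shell in parse_passwd(passwd_text):
        if uid < min_uid or shell in NOLOGIN_SHELLS:
            continue  # system accounts and locked shells are out of scope here
        last = lastlog.get(name)
        if last is None:
            findings.append((name, "never logged in"))
        elif last < cutoff:
            findings.append((name, f"idle {(now - last).days} days"))
    return sorted(findings)


if __name__ == "__main__":
    # Standalone run over the constructed sample: prints a review list, it
    # does not disable anything; that decision stays with the owning team.
    for name, reason in stale_accounts(SAMPLE_PASSWD, SAMPLE_LASTLOG, NOW):
        print(f"{name:12s} {reason}")
```

The script only produces a review list; the point is to run it on a schedule (cron, CI, or a config-management job) so the "unknown accounts" question is asked regularly while the people who created them are still around to answer it.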