Hardening based on access capability exercise sufficiency

Cybersecurity is improved by automatically finding underutilized access capabilities. Some embodiments obtain an access capability specification, gather access attempt data, and computationally determine that the access capability has not been exercised sufficiently, based on an access capability exercise sufficiency criterion. Security is then enhanced by automatically producing a recommendation to harden a guarded computing system by reducing, disabling, or deleting the insufficiently exercised access capability. In some cases, security enhancement is performed by automatically hardening the guarded computing system. Access capability exercise sufficiency determination may be based on fixed, statistical, or learned time period thresholds or activity level thresholds, or on a combination thereof using confidence levels. Thresholds are compared to a detected time period value or a detected activity level value that is derived from the access attempt data, to determine exercise sufficiency. Vulnerability mitigation may include requesting different authentication, blocking access, logging, alerting, or notifying.