An account lockout policy is put in place to lock an account after a predetermined number of failed login attempts. This mitigates the risk of password spraying attacks, which rely on trying a few common passwords against many accounts. By limiting the number of attempts, it becomes less feasible for an attacker to guess passwords across multiple accounts without triggering the account lockout policy.
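
As an added illustration (not part of the original text), the Python below models such a policy and replays a constructed series of wrong guesses against three accounts, showing the point at which each account locks and further guesses are rejected. The threshold of 3 failures, the 10-minute counting window, the 15-minute lockout, the account names and the names `LockoutPolicy` and `replay` are all assumptions chosen for the example.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Per-account lockout: `threshold` failures within `window` seconds lock the account."""

    def __init__(self, threshold=3, window=600, lockout=900):  # assumed values
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def attempt(self, ts, account, password_ok):
        """Process one login attempt at time ts (seconds); return 'ok', 'fail' or 'locked'."""
        if self.locked_until.get(account, 0) > ts:
            return "locked"                 # rejected before the password is even checked
        recent = self.failures[account]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()                # failures older than the window no longer count
        if password_ok:
            recent.clear()                  # a successful login resets the counter
            return "ok"
        recent.append(ts)
        if len(recent) >= self.threshold:
            self.locked_until[account] = ts + self.lockout
            recent.clear()
        return "fail"

def replay(events, policy=None):
    """Feed (ts, account, password_ok) tuples through a policy; return the outcomes."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(*event) for event in events]

# Constructed sample: four rounds of wrong guesses, one minute apart, against three accounts.
ACCOUNTS = ["alice", "bob", "carol"]
SPRAY = [(rnd * 60 + i, acct, False) for rnd in range(4) for i, acct in enumerate(ACCOUNTS)]

if __name__ == "__main__":
    for (ts, acct, _), outcome in zip(SPRAY, replay(SPRAY)):
        print(f"t={ts:>3}s {acct:<5} {outcome}")
```

With these settings the third wrong guess locks each account, so every attempt in the fourth round is rejected as locked.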