Because the application grant can remain active after the user leaves or the password changes. Unless the consent is explicitly revoked, the token-based access path can continue to reach data and APIs. That is why off-boarding must include application grant review, not just account disablement.
Why Persistent OAuth Risk Survives Off-Boarding
OAuth apps are different from a human login because the grant, not the password, is often the real access path. If a user leaves, gets disabled, or changes a password, the application consent can still remain valid and continue to call APIs or reach data. That is why off-boarding based only on account status leaves a persistent, token-backed path in place. NHI governance teams see the same pattern in incidents like the Salesloft OAuth token breach and the Dropbox Sign breach, where delegated access outlived the original trust decision.
This matters because application grants are often invisible to the same controls used for human off-boarding. NIST’s NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both reinforce the need to identify, protect, and review non-human access paths as assets in their own right. In practice, many security teams discover persistent OAuth exposure only after data access has already continued long past off-boarding, rather than through intentional revocation checks.
How OAuth Grants Become Long-Lived Access
OAuth separates authentication from authorisation. The user may authenticate once, then the application receives a token or refresh token that can keep working until it expires or is revoked. In many environments, the app is also tied to a vendor, service account, or integration workflow, so the access path becomes operationally embedded. This is why current guidance suggests treating OAuth consents as governed NHI assets, not as a side effect of human identity lifecycle management.
At a practical level, off-boarding needs to include more than disabling the user record. A complete process should:
- Inventory which applications were granted access by that user or by a delegated admin.
- Revoke application consent and refresh tokens, not just the password session.
- Review whether the app has broader tenant-wide scopes or shared service credentials.
- Validate whether API access persists through separate workload identities or partner trust.
- Log and monitor post-off-boarding calls for evidence of continuing access.
This is especially important because many organisations still lack visibility into third-party connections via OAuth apps. The Ultimate Guide to NHIs and the 52 NHI Breaches Analysis both show how delegated access and weak lifecycle control turn into durable attack paths. Those controls tend to break down when organisations centralise identity off-boarding but leave app-consent revocation to individual SaaS owners because the shadow inventory is incomplete.
Edge Cases That Make Off-Boarding Harder
Tighter consent revocation often increases operational overhead, requiring organisations to balance cleaner security outcomes against business continuity and integration breakage. There is no universal standard for every SaaS and API platform yet, so best practice is evolving toward risk-based review rather than a one-size-fits-all rule.
One common edge case is shared or admin-consented OAuth access. If an application was authorised at the tenant level, removing a single user will not remove the app’s entitlement. Another is refresh-token persistence inside mobile clients, automation tools, or partner integrations, where the original user is no longer the real operator. A third is overbroad scopes, where the app keeps access to data that the off-boarded person never directly used.
This is why practitioners should pair identity lifecycle with grant lifecycle. NHI programs increasingly combine RBAC, PAM, and ZSP thinking with periodic consent reviews, but OAuth still requires direct revocation workflows and audit evidence. The Top 10 NHI Issues and the OWASP NHI Top 10 both point to the same operational lesson: if access is token-based, lifecycle controls must be token-aware. The NIST Cybersecurity Framework 2.0 supports that approach through continuous monitoring and access governance, but the implementation details vary by platform. In practice, the highest-risk failures appear when off-boarding is automated for humans but not for the grants that humans created.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | OAuth grants are persistent NHI credentials that must be inventoried and revoked. |
| NIST CSF 2.0 | PR.AC-4 | Off-boarding must remove access paths, not only disable user accounts. |
| NIST AI RMF | Autonomous or delegated access needs ongoing governance and accountability. |
Assign ownership for token lifecycle, monitoring, and revocation decisions.
Related resources from NHI Mgmt Group
- Why do AI agents create a different access-risk profile than traditional applications?
- When does ephemeral authorization create less risk than persistent access?
- Why do SaaS integrations create NHI risk even when access is short lived?
- Why do non-human identities create compliance risk even when policies exist?
