Off-boarding

Off-boarding is the process of removing a departing user’s access, credentials, and related entitlements from the environment. In mature IAM programmes, it also includes reviewing sessions, shared secrets, delegated roles, and linked non-human identities so that exit events do not leave behind hidden access paths.

Expanded Definition

Off-boarding is the controlled removal of access, credentials, entitlements, and trust relationships when a user, service account, workload, or Non-Human Identity is no longer needed. In NHI security, it is not a single event but a lifecycle action that should also cover session invalidation, delegated permissions, API keys, certificates, and recovery of shared secrets.

Definitions vary across vendors, especially when organisations extend off-boarding to AI agents, ephemeral workloads, and third-party integrations. The practical distinction is that deprovisioning often removes the identity object, while off-boarding ensures every usable path to the environment is revoked, including hidden or inherited access. That makes it closely related to NIST Cybersecurity Framework 2.0 outcomes for access control, identity governance, and protective technology.

The most common misapplication is treating off-boarding as a ticket closeout, which occurs when the visible account is disabled but connected secrets, tokens, and delegated roles remain active.

Examples and Use Cases

Implementing off-boarding rigorously often introduces operational friction, requiring organisations to weigh speed of separation against the risk of leaving behind usable access.

  • A departing engineer leaves behind a CI/CD service account; the off-boarding workflow revokes the account, rotates the pipeline secret, and invalidates any cached tokens.
  • An AI agent used for customer support is retired; the team removes tool permissions, deletes its signing certificate, and confirms no stored prompts or session keys can be reused.
  • A contractor’s access ends, but the account still belongs to a shared RBAC group; the off-boarding review checks group membership, inherited permissions, and any standing JIT approvals.
  • A third-party integration is decommissioned after a vendor change; the organisation confirms webhook credentials, API keys, and secret-manager references are also removed, not just the app registration.
  • A security team uses the lifecycle guidance in the Ultimate Guide to NHIs to build a repeatable exit checklist for service accounts, secrets, and certificate revocation.

In practice, many teams use NIST Cybersecurity Framework 2.0 language to structure the workflow into identify, protect, detect, and respond steps rather than treating separation as a purely HR-driven action.
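As an added illustration of the use cases above and of the post-exit verification they call for (example code written for this entry, not NHIMG's or any vendor's tooling), the script below models a departing engineer's linked access paths and contrasts what a login-only disable leaves behind with a full off-boarding; every principal, secret and token name is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Inventory:
    """Constructed model of the access paths tied to each principal (not real data)."""
    disabled: set = field(default_factory=set)       # principals whose login is disabled
    secrets: dict = field(default_factory=dict)      # secret id -> owning principal
    tokens: dict = field(default_factory=dict)       # token id -> (principal, expiry epoch)
    groups: dict = field(default_factory=dict)       # group -> {member principals}
    delegations: dict = field(default_factory=dict)  # role -> {principals it is delegated to}
    linked_nhis: dict = field(default_factory=dict)  # NHI -> human owner

def residual_access(inv, principal, now):
    """Every path still granting `principal` access, including via NHIs it owns.
    Disabling the login blocks only 'account:*'; the other paths stay usable."""
    paths = [] if principal in inv.disabled else [f"account:{principal}"]
    paths += [f"secret:{s}" for s, owner in inv.secrets.items() if owner == principal]
    paths += [f"token:{t}" for t, (p, exp) in inv.tokens.items() if p == principal and exp > now]
    paths += [f"group:{g}" for g, members in inv.groups.items() if principal in members]
    paths += [f"delegation:{r}" for r, ps in inv.delegations.items() if principal in ps]
    for nhi, owner in inv.linked_nhis.items():
        if owner == principal:
            paths += residual_access(inv, nhi, now)  # access inherited via an owned NHI
    return sorted(paths)

def offboard(inv, principal, now):
    """Full off-boarding: revoke every path, recurse into linked NHIs, then verify."""
    inv.disabled.add(principal)  # the login-disable step a 'ticket closeout' stops at
    for s in [s for s, owner in inv.secrets.items() if owner == principal]:
        del inv.secrets[s]  # stands in for rotating or revoking the secret
    for t in [t for t, (p, _) in inv.tokens.items() if p == principal]:
        del inv.tokens[t]   # stands in for token and session invalidation
    for members in inv.groups.values():
        members.discard(principal)
    for principals in inv.delegations.values():
        principals.discard(principal)
    for nhi in [n for n, owner in inv.linked_nhis.items() if owner == principal]:
        offboard(inv, nhi, now)
    return residual_access(inv, principal, now)  # [] is the demonstrable result

def sample_inventory():
    """Constructed sample: departing engineer 'alice' owns the CI account 'ci-bot'."""
    return Inventory(secrets={"pipeline-deploy-key": "ci-bot"},
                     tokens={"alice-pat": ("alice", 9_000_000_000), "alice-old-session": ("alice", 1)},
                     groups={"prod-admins": {"alice", "bob"}},
                     delegations={"release-approver": {"alice"}},
                     linked_nhis={"ci-bot": "alice"})
```

Running `residual_access` after only adding the principal to `disabled` reproduces the ticket-closeout failure: the owned CI account, its pipeline secret, the unexpired personal token, the group membership and the delegated role are all still live, whereas `offboard` returns an empty list that can be logged as evidence of removal.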

Why It Matters in NHI Security

Off-boarding matters because the exit path is one of the easiest places for access to persist unnoticed. In NHI environments, a removed employee or retired workload can still leave valid secrets, stale certificates, or dormant delegated authority behind, creating a silent entry point for attackers. NHIMG research shows that only 20% of organisations have formal processes for off-boarding and revoking API keys, which helps explain why separation failures remain common in mature-looking IAM programmes. For deeper lifecycle context, see the Ultimate Guide to NHIs.

The governance implication is straightforward: off-boarding is not just cleanup, it is risk containment for access that is no longer justified. Strong programmes pair it with logging, secret rotation, and post-exit verification so that access removal is demonstrable, not assumed. This aligns with the access discipline expected in NIST Cybersecurity Framework 2.0 and the broader Zero Trust mindset. Organisations typically encounter the consequences only after a breach, audit finding, or failed vendor termination, at which point addressing off-boarding becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Off-boarding must remove secrets and inactive NHI access paths. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed and removed when no longer required. |
| NIST Zero Trust (SP 800-207) | SC-2 | Zero Trust requires continuous verification and revocation of trust when context changes. |

Treat departure as a trust change event and immediately revoke standing access, tokens, and sessions.