Offboarding

Offboarding is the controlled retirement of a workload, service account, token, certificate, or other non-human identity when it is no longer needed. It includes revoking credentials, removing permissions, and verifying that no residual trust path remains available to attackers.

Expanded Definition

Offboarding is the retirement phase of the NHI lifecycle, where an identity is intentionally removed from service and every path that could still authenticate, authorize, or impersonate it is closed. In practice, that means revoking keys, disabling tokens, expiring certificates, removing RBAC grants, and checking dependent systems for residual trust. In the NHI Lifecycle Management Guide, this is not a one-step cleanup but a controlled process that must be coordinated across owners, platforms, and vaults.

Definitions vary across vendors on whether offboarding starts at decommissioning, revocation, or final verification, but the operational outcome is the same: the workload or agent should no longer be able to act. NIST Cybersecurity Framework 2.0 reinforces the broader expectation that identities and access must be governed as part of resilient operations, even when the identity is not human. The most common misapplication is treating offboarding as a single credential deletion, which occurs when teams remove the primary secret but leave cached tokens, certificates, or inherited permissions active.

Examples and Use Cases

Implementing offboarding rigorously often introduces coordination overhead, requiring organisations to balance fast service retirement against the risk of leaving dormant trust behind. That tradeoff is especially visible in environments with shared pipelines, long-lived certificates, and multiple secret stores.

  • A CI/CD service account is removed after the deployment pipeline is retired, but only after checking for mirrored secrets in code, vaults, and build variables.
  • An AI Agent loses access to an internal tool when the tool is replaced, and its API key, certificate, and RBAC bindings are all revoked in sequence.
  • A third-party integration is terminated, but the offboarding checklist also verifies that webhook endpoints, refresh tokens, and cached credentials have been cleared.
  • A service account used by a scheduled job is deleted after the job is deprecated, following guidance in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
  • An identity review finds duplicate secrets across systems, so the team uses the NHI Lifecycle Management Guide to define a repeatable retirement workflow.

For implementation teams, the main challenge is not whether to revoke access, but how to prove that every dependent credential and implicit trust path has been eliminated. That is why lifecycle offboarding should be validated alongside the identity controls described in the NIST Cybersecurity Framework 2.0.
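The verification step described above, as an added example that is not part of the original guidance: given an inventory of what each system still holds for a retired NHI, enumerate every residual trust path (mirrored secrets, unrevoked tokens, still-valid certificates, direct and group-inherited RBAC grants). The stores, role names and the `PARTIAL` scenario are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class Credential:
    kind: str                 # "api_key", "refresh_token" or "certificate"
    store: str                # system holding it: "vault", "ci_variables", ...
    revoked: bool = False
    not_after: Optional[datetime] = None   # certificate expiry, if any

@dataclass
class Inventory:
    credentials: List[Credential]
    rbac_bindings: List[str]               # roles bound directly to the identity
    group_memberships: List[str]           # groups the identity still belongs to
    group_bindings: Dict[str, List[str]]   # roles each group carries (inherited)

def residual_trust_paths(inv: Inventory, now: datetime) -> List[str]:
    """List every way the retired identity could still authenticate or act."""
    findings = []
    for c in inv.credentials:
        if c.kind == "certificate":
            # A certificate stays usable until revoked or past its validity period.
            if not c.revoked and (c.not_after is None or c.not_after > now):
                findings.append(f"certificate in {c.store} still valid")
        elif not c.revoked:
            findings.append(f"{c.kind} in {c.store} not revoked")
    for role in inv.rbac_bindings:
        findings.append(f"direct RBAC binding: {role}")
    for group in inv.group_memberships:
        for role in inv.group_bindings.get(group, []):
            findings.append(f"inherited {role} via group {group}")
    return findings

def offboarding_complete(inv: Inventory, now: datetime) -> bool:
    return not residual_trust_paths(inv, now)

# Constructed sample: only the primary vault secret was deleted, nothing else.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
PARTIAL = Inventory(
    credentials=[
        Credential("api_key", "vault", revoked=True),
        Credential("api_key", "ci_variables"),            # mirrored copy left behind
        Credential("refresh_token", "integration_cache"),
        Credential("certificate", "mtls_ca", not_after=datetime(2026, 1, 1, tzinfo=timezone.utc)),
    ],
    rbac_bindings=["deployer"],
    group_memberships=["ci-runners"],
    group_bindings={"ci-runners": ["artifact-writer", "cluster-reader"]},
)
```

Running `residual_trust_paths(PARTIAL, NOW)` reports six remaining paths even though the "main" secret is gone, which is exactly the single-deletion misapplication the text warns about.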

Why It Matters in NHI Security

Offboarding failures are a common source of latent exposure because retired NHIs often remain usable long after the business believes they are gone. NHIMG research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, while 91.6% of secrets remain valid five days after the targeted organisation is notified, highlighting how far remediation lags behind discovery. That gap matters because an identity that should be dead can still authenticate into production, data stores, or automation paths.

In NHI security, offboarding is inseparable from Zero Trust Architecture and Privileged Access Management: if an identity has standing privilege, then retirement must remove both the secret and the authorization model behind it. The Top 10 NHI Issues and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both emphasize that lifecycle control is what keeps secrets from becoming long-lived attack paths. Organisations typically discover the real cost only after a decommissioned system, forgotten token, or old integration is abused, at which point offboarding can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Offboarding is core to revoking NHI secrets and eliminating residual access paths. |
| NIST CSF 2.0 | PR.AC-4 | Access rights should be managed and removed when NHIs are retired. |
| NIST Zero Trust (SP 800-207) | Zero Trust | Zero Trust requires continuous removal of unnecessary trust and standing access. |

Revoke all NHI credentials, tokens, and grants, then verify no dormant trust remains.