Former employees remain risky when application access, report access, or delegated permissions are not removed at the same pace as employment status changes. The problem is lifecycle drift, where the identity relationship ends on paper but the access path still exists in systems that matter.
Why This Matters for Security Teams
Offboarding is not only a human resources event. It is a control transition that should collapse access, revoke trust, and close delegated pathways before an ex-employee can continue to act inside business systems. When that transition lags, the organisation keeps a live identity path that no longer has a legitimate owner. NHI Management Group’s Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 both point to the same operational reality: identity governance must follow lifecycle change, not just status change.
The risk is wider than mailbox access. Former employees may retain report subscriptions, shared folders, delegated admin paths, API tokens, and integrations that were never tied cleanly to a joiner-mover-leaver process. That creates opportunities for data exposure, fraud, and privilege reuse long after separation. The practical failure is usually not a dramatic bypass; it is a slow accumulation of stale entitlements that nobody has a reason to test until an audit, an incident, or a disgruntled ex-worker reveals them. In practice, many security teams encounter post-offboarding access only after a data pull, account abuse, or policy violation has already occurred, rather than through intentional cleanup.
How It Works in Practice
The core issue is lifecycle drift. An employment record ends, but identity-linked access objects continue to exist because they are managed in different systems, by different teams, on different timelines. Good offboarding requires synchronising identity source, directory, SaaS entitlements, reporting subscriptions, delegated roles, secrets, and privileged access paths. The NHI Lifecycle Management Guide is useful here because the same discipline that governs non-human identity expiry also applies to employee-derived access paths that outlive the person.
Current guidance suggests security teams should treat offboarding as a revocation workflow, not a simple disablement event. That means:
- Removing interactive access and federated sessions first, then invalidating refresh tokens and API keys.
- Revoking delegated permissions such as shared inboxes, report runners, admin approvals, and calendar or document delegation.
- Checking for shadow access in SaaS apps where the directory is not the authoritative control plane.
- Rotating secrets that were known to the employee or stored in tools they could reach.
- Confirming closure through logs, not just ticket completion.
This is where identity governance intersects with broader control frameworks. NIST CSF 2.0 emphasises governance and access control, while NHIMG research on the Ultimate Guide to NHIs highlights that stale credentials and overbroad delegation often persist because ownership is unclear. Where possible, offboarding should be tied to automation, with time-bound verification that no inherited path remains active.
These controls tend to break down in federated SaaS estates, because the identity provider can show a user as disabled while downstream applications still honour cached tokens, shared permissions, or locally created accounts.
Common Variations and Edge Cases
Tighter offboarding often increases operational overhead, requiring organisations to balance fast access removal against business continuity and record retention. That tradeoff is especially visible when the former employee owned critical workflows, customer reports, or application admin duties that cannot be deleted without disruption.
There is no universal standard for this yet, but best practice is evolving around segmented teardown. High-risk access should be revoked immediately, while low-risk read access may need a short, documented retention period for legal or operational reasons. The important distinction is that retained access must be explicit, approved, and monitored.
Edge cases matter. Contractors, interns, and moving employees can create offboarding-like risk when their identity changes faster than their permissions. Shared accounts make matters worse because the access trail does not cleanly map to one person. The same is true for systems that use local admin accounts, service tokens, or manually provisioned report access. NHIMG’s 52 NHI Breaches Analysis is a reminder that missed lifecycle cleanup is not theoretical; it is a repeat pattern in real incidents. Former employees remain risky whenever entitlement ownership, credential revocation, and application-level deprovisioning are not executed as a single control set.
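The revocation workflow above (interactive access, delegated permissions, shadow SaaS access, secrets, log-based closure) and the segmented teardown described in this section can be expressed as a small residual-access audit. The following is an added illustration, not code from the original page or from NHIMG; the entitlement inventory, the risk tiering in HIGH_RISK, the log line format and the leaver "jdoe" are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
HIGH_RISK = {"admin_role", "api_token", "delegated_mailbox", "secret"}  # assumed tiering: never retained

@dataclass(frozen=True)
class Entitlement:
    system: str                          # e.g. "idp", "crm", "bi"
    kind: str                            # "admin_role", "report_subscription", ...
    name: str
    active: bool
    retained_until: Optional[date] = None  # explicit, approved retention window

def classify(ent: Entitlement, today: date) -> str:
    """Map one entitlement to the action the revocation workflow owes it."""
    if not ent.active:
        return "closed"
    if ent.kind in HIGH_RISK:
        return "revoke_now"              # high-risk access is revoked immediately
    if ent.retained_until is None:
        return "drift"                   # still active and nobody approved keeping it
    if today > ent.retained_until:
        return "retention_expired"
    return "retained_monitored"          # explicit, approved and time-bound

def audit(entitlements, today):
    """Group entitlements by action; empty 'drift' and 'revoke_now' means clean."""
    out = {}
    for e in entitlements:
        out.setdefault(classify(e, today), []).append(f"{e.system}:{e.name}")
    return out

def post_separation_activity(log_lines, user, separated):
    """Systems where the user still authenticated after separation (closure check)."""
    seen = set()
    for line in log_lines:
        day, system, who, event = line.split()
        if who == user and event == "auth_ok" and date.fromisoformat(day) > separated:
            seen.add(system)
    return sorted(seen)

# Constructed sample data for a hypothetical leaver "jdoe", separated 2024-05-31.
SEPARATED = date(2024, 5, 31)
INVENTORY = [
    Entitlement("idp", "sso_account", "jdoe", active=False),
    Entitlement("crm", "admin_role", "crm-admin", active=True),
    Entitlement("bi", "report_subscription", "weekly-sales", active=True),
    Entitlement("bi", "report_subscription", "q2-close", active=True, retained_until=date(2024, 6, 30)),
]
LOGS = ["2024-05-30 idp jdoe auth_ok", "2024-06-03 crm jdoe auth_ok", "2024-06-03 crm jdoe auth_fail"]
```

The second function is the log-based closure check: the IdP account is disabled, yet a successful CRM login after the separation date shows a downstream system still honouring the user, which is exactly the federated SaaS failure mode noted above.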
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Offboarding is access revocation tied to identity lifecycle. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Stale credentials and tokens after separation are NHI lifecycle failures. |
| NIST AI RMF | | Lifecycle governance and accountability reduce identity misuse risk. |
Inventory and revoke any credentials, tokens, or delegated access left behind by the former user.