Who is accountable when user access remains active after offboarding?

Accountability usually sits with identity governance, IT operations, and application owners together. The practical standard should be that no single team can close the case until actual access removal is verified in each system that held the entitlement.

Why This Matters for Security Teams

When access remains active after offboarding, the issue is not just a missed ticket. It is a control failure across identity governance, HR-triggered deprovisioning, application ownership, and downstream entitlement cleanup. Current guidance from the OWASP Non-Human Identity Top 10 and NHIMG research both point to the same operational reality: identities often outlive the business event that should have ended them.

NHIMG’s The 2025 State of NHIs and Secrets in Cybersecurity reports that 91% of former employee tokens remain active after offboarding, which shows how easily lifecycle gaps persist when ownership is unclear. For security teams, accountability matters because a deprovisioning gap can become an access path long after employment has ended, and the remediation burden spreads across multiple teams if no single control owner is defined.

In practice, many security teams encounter lingering access only after an incident review or audit finding, rather than through intentional offboarding verification.

How It Works in Practice

The practical answer is shared accountability with clear handoffs. Identity governance should own the offboarding workflow, IT operations should execute or validate directory and platform removals, and application owners should confirm that access was actually removed inside each system that issues its own entitlements. A ticket closure is not evidence; verification is.

Effective programs usually combine HR-triggered workflow, automated provisioning and deprovisioning, and attestation at the application layer. That means checking not only directory groups and SSO assignments, but also direct local accounts, API tokens, service accounts, delegated admin roles, and any exceptions granted outside the main IAM stack. The NHI Lifecycle Management Guide is useful here because the same lifecycle discipline applies whether the identity is human or non-human: issuance, use, review, suspension, and revocation must all be observable.

  • Define one accountable owner for the offboarding control, even if execution is distributed.
  • Require proof of removal from each authoritative system before closure.
  • Track exceptions separately so temporary access does not become permanent drift.
  • Reconcile HR termination data against IAM, PAM, and application logs within a defined SLA.
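
To make that reconciliation step concrete, the following added example (illustrative Python, not NHIMG's tooling or any product's API) checks constructed HR termination records against constructed per-system exports, separates named-owner exceptions from residual access, flags SLA breaches, and refuses to close a case until every authoritative system is clean. The SLA value, system names, dates and the owner address are all hypothetical.

```python
# Offboarding reconciliation: terminated users vs. live entitlements per system.
# Added illustration, not NHIMG's tooling. Inputs are constructed inline; a real
# run would ingest HR terminations plus IAM/SSO, PAM and per-application exports.
from datetime import date, timedelta

SLA_DAYS = 2                 # hypothetical SLA: removal verified within 2 days
AS_OF = date(2025, 3, 10)    # constructed "today" for this run

# Constructed HR feed: user -> termination date.
HR_TERMINATIONS = {"alice": date(2025, 3, 1), "bob": date(2025, 3, 3)}

# Constructed exports from each authoritative system: principals that still
# hold an active entitlement there today. API tokens and app-local accounts
# are listed separately because SSO deprovisioning does not touch them.
SYSTEM_EXPORTS = {
    "directory": {"carol"},                # alice and bob already removed
    "sso": {"carol", "bob"},               # bob still assigned
    "ci_api_tokens": {"alice", "carol"},   # alice's token outlived her exit
    "billing_app_local": {"alice"},        # local account, invisible to IAM
}

# Constructed exception register: (user, system) -> named owner. Only an entry
# with an owner counts as a tracked exception rather than drift.
EXCEPTIONS = {("bob", "sso"): "it-ops@example.com"}  # hypothetical owner

def reconcile(terminations, exports, exceptions, today):
    """Return {user: [finding, ...]} for every terminated user with live access."""
    findings = {}
    for user, term_date in terminations.items():
        overdue = today > term_date + timedelta(days=SLA_DAYS)
        for system, active in exports.items():
            if user not in active:
                continue
            owner = exceptions.get((user, system))
            findings.setdefault(user, []).append({
                "system": system,
                "status": "tracked_exception" if owner else "residual_access",
                "owner": owner,
                "sla_breached": overdue and owner is None,
            })
    return findings

def closable(user_findings):
    """A case may close only when every remaining entitlement is a named exception."""
    return all(f["status"] == "tracked_exception" for f in user_findings)

def open_cases(findings):
    """Users whose offboarding cannot close yet, with the systems still to chase."""
    return {u: sorted(f["system"] for f in fs if f["status"] == "residual_access")
            for u, fs in findings.items() if not closable(fs)}
```

Run against real exports, the same logic gives each app owner a per-system list to confirm and the control owner a single closure decision backed by evidence rather than a ticket state.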

For identity assurance design, the OWASP Non-Human Identity Top 10 helps frame the same issue as a lifecycle and credential control problem, not a one-time deletion task. Where offboarding is fragmented across SaaS, cloud consoles, and custom apps, the control tends to break down because no single system has complete authority over all entitlements.

Common Variations and Edge Cases

Tighter offboarding controls often increase coordination overhead, requiring organisations to balance rapid termination with complete verification. The tradeoff is real: a faster process reduces exposure, but a shallow process leaves standing access behind.

There is no universal standard for every environment, but current guidance suggests that shared accountability should be explicit in policy, while operational ownership should remain system-specific. Contractors, privileged users, and users with shadow IT access usually need separate handling because their entitlements may not follow the standard HR-led path. In some environments, direct database users, cloud console roles, and local admin access are not visible to central IAM, so the cleanup process must include manual confirmation or compensating controls.

NHIMG’s Top 10 NHI Issues highlights how lifecycle gaps and overexposure compound each other, and the lesson carries over to human offboarding: if revocation is not auditable, accountability is only partial. The practical rule is to treat access removal as complete only when every authoritative source has been checked and every exception has a named owner.

Where organisations rely on manual spreadsheets or delayed app-owner responses, this guidance breaks down because offboarding becomes slower than access reuse and residual entitlements persist past the termination window.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Offboarding failures are lifecycle revocation issues for identities and tokens. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and removed when employment ends. |
| NIST SP 800-63 | Digital identity lifecycle guidance | Supports proof of deactivation after termination. |

Use identity lifecycle procedures to confirm accounts, tokens, and authenticators are deactivated.