Accountability sits with the organisation’s lifecycle process, not a single spreadsheet owner. Security, IT operations, HR, and procurement each hold part of the chain. When the handoff is not tracked, the organisation loses both the device and the evidence needed to show where the process failed.
Why This Matters for Security Teams
When a company-owned device goes missing after offboarding, the question is not just who had it last. It is whether the organisation had a defensible lifecycle process that tied asset return, access removal, and evidence retention together. That matters because offboarding failures rarely stay isolated: a missing laptop can become a missing credential cache, a missing audit trail, and a missing opportunity to prove control ownership.
NHIMG’s Top 10 NHI Issues and NHI Lifecycle Management Guide both point to the same operational reality: lifecycle gaps create accountability gaps. That pattern also aligns with the NIST Cybersecurity Framework 2.0, which treats governance, asset management, and recovery as connected functions rather than separate checkboxes.
Security teams often assume physical custody ends the moment HR marks an employee as offboarded, but accountability spans IT, security, HR, procurement, and sometimes facilities. Many security teams discover a missing device only after access logs, return receipts, and ticket ownership have already fragmented beyond reconstruction.
How It Works in Practice
The accountable party is usually the organisation, but the operational ownership should be explicit. A good offboarding workflow assigns clear handoffs: HR triggers termination, IT disables accounts and revokes sessions, security confirms risk-based controls, procurement or asset management tracks the device, and managers verify return. The key is not a single owner for every step, but a documented chain of custody with timestamps, approvals, and escalation rules.
For company-owned devices, the device record should include serial number, assigned user, return deadline, shipping label or collection method, and the ticket that proves when the device left the employee’s control. If a laptop is not returned, the record should show whether the delay is due to logistics, employee non-compliance, or an internal process failure. That evidence is what turns an incident into something the organisation can remediate instead of speculate about.
Two controls matter most:
- Immediate revocation of credentials, sessions, VPN access, and MDM trust when offboarding begins.
- Device recovery tracking with documented escalation after the return window expires.
This is where lifecycle guidance from the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs becomes relevant even for endpoint assets: identity, access, and retirement must be managed as one workflow. In parallel, Zero Trust Architecture reinforces that trust should not persist after the employment relationship ends, whether the missing item is a human device or a non-human workload credential.
One useful benchmark from Entro Security’s 2025 research is that 91% of former employee tokens remain active after offboarding, which shows how often termination events outpace access cleanup. These controls tend to break down when offboarding is handled as an HR event without a matching IT and asset-management closure step, because the missing device then becomes only one symptom of a wider control failure.
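The device record and the two controls described above (prompt revocation of every grant, and custody tracking with escalation once the return window lapses) can be reconciled mechanically from sources most organisations already hold: the HR termination timestamp, the grants issued to the leaver, and the device custody chain. The following is an added example, not tooling from the page or from NHIMG, Entro or any vendor named here. All records in it are constructed; the field names, the one-hour revocation SLA and the escalation ladder are assumptions to be replaced with the organisation's own policy.

```python
"""Offboarding reconciliation (added example; constructed data, assumed thresholds).

Flags grants not revoked within REVOKE_SLA of the HR trigger, and devices past
their return deadline with the escalation rung reached and the last documented
custodian, replayable to any point in time.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessGrant:                      # session, token, VPN cert or MDM trust
    kind: str
    identifier: str
    revoked_at: Optional[datetime] = None   # None means still active


@dataclass
class CustodyEvent:                     # one timestamped handoff in the chain
    at: datetime
    custodian: str                      # who holds the device after this event
    action: str                         # assigned | shipped | received | written_off
    ticket: str                         # the ticket that evidences the handoff


@dataclass
class DeviceRecord:
    serial: str
    assigned_user: str
    return_deadline: datetime
    chain: list[CustodyEvent] = field(default_factory=list)


@dataclass
class OffboardingCase:
    user: str
    terminated_at: datetime             # the HR trigger
    grants: list[AccessGrant]
    devices: list[DeviceRecord]


REVOKE_SLA = timedelta(hours=1)         # assumed: revocation due within 1h of termination
ESCALATION = [                          # assumed ladder, keyed on time past the deadline
    (timedelta(days=0), "reminder"),
    (timedelta(days=7), "manager"),
    (timedelta(days=14), "security_incident"),
]
CLOSING_ACTIONS = {"received", "written_off"}   # actions that end custody tracking


def revocation_gaps(case: OffboardingCase) -> list[tuple[str, str, str]]:
    """Grants still active, or revoked later than REVOKE_SLA after termination."""
    gaps = []
    for g in case.grants:
        if g.revoked_at is None:
            gaps.append((g.kind, g.identifier, "still active"))
        elif g.revoked_at - case.terminated_at > REVOKE_SLA:
            lag = g.revoked_at - case.terminated_at
            gaps.append((g.kind, g.identifier, f"revoked {lag} after termination"))
    return gaps


def custody_status(device: DeviceRecord, now: datetime) -> tuple[str, str, Optional[str]]:
    """(state, last documented custodian, escalation rung or None) as of `now`."""
    events = [e for e in device.chain if e.at <= now]     # only what was known at `now`
    last = max(events, key=lambda e: e.at) if events else None
    custodian = last.custodian if last else device.assigned_user  # no record: assignee holds it
    if last and last.action in CLOSING_ACTIONS:
        return (f"closed:{last.action}", custodian, None)
    if now <= device.return_deadline:
        return ("in_window", custodian, None)
    overdue = now - device.return_deadline
    level = None
    for threshold, name in ESCALATION:  # ladder is ascending; keep the highest rung reached
        if overdue >= threshold:
            level = name
    return ("overdue", custodian, level)


def reconcile(case: OffboardingCase, now: datetime) -> dict:
    return {
        "user": case.user,
        "access_gaps": revocation_gaps(case),
        "devices": {d.serial: custody_status(d, now) for d in case.devices},
    }


# Constructed sample: terminated 09:00 UTC on 3 March 2025, reviewed on 20 March.
T = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
NOW = datetime(2025, 3, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_CASE = OffboardingCase(
    user="jdoe",
    terminated_at=T,
    grants=[
        AccessGrant("sso_session", "sess-7f3a", revoked_at=T + timedelta(minutes=5)),
        AccessGrant("api_token", "tok-91c2"),                                  # never revoked
        AccessGrant("vpn_cert", "cn=jdoe", revoked_at=T + timedelta(hours=5)), # revoked late
        AccessGrant("mdm_trust", "LT-0042", revoked_at=T + timedelta(minutes=10)),
    ],
    devices=[
        DeviceRecord("LT-0042", "jdoe", T + timedelta(days=7), chain=[
            CustodyEvent(datetime(2024, 1, 10, tzinfo=timezone.utc), "jdoe", "assigned", "IT-0871"),
            CustodyEvent(datetime(2025, 3, 12, tzinfo=timezone.utc), "courier:acme-logistics", "shipped", "IT-1234"),
        ]),
        DeviceRecord("LT-0043", "jdoe", T + timedelta(days=7), chain=[
            CustodyEvent(datetime(2024, 6, 1, tzinfo=timezone.utc), "jdoe", "assigned", "IT-0912"),
            CustodyEvent(datetime(2025, 3, 8, tzinfo=timezone.utc), "it-helpdesk", "received", "IT-1201"),
        ]),
    ],
)

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_CASE, NOW).items():
        print(key, value)
```

Run against the sample, the report names the API token that was never revoked and the VPN certificate revoked five hours late, closes LT-0043 on the help desk's receipt ticket, and places LT-0042 with the courier at the "manager" rung ten days past its deadline. Because `custody_status` only counts events at or before the time it is asked about, the same record answers the question the text poses: who was the documented custodian at each step, not just who noticed the loss.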
Common Variations and Edge Cases
Tighter offboarding controls often increase administrative overhead, requiring organisations to balance speed against evidentiary rigor. That tradeoff is real in distributed, BYOD-adjacent, or contractor-heavy environments, where devices may cross borders, use third-party couriers, or sit in shared custody before final return.
There is no universal standard for this yet, but current guidance suggests the organisation should retain accountability until the asset is either recovered, formally written off, or transferred through an approved disposal process. If a manager, help desk agent, or logistics vendor was the last documented custodian, that does not remove organisational responsibility. It does, however, sharpen where the process review should focus.
Edge cases matter:
- Remote workers may return devices late because shipping instructions were unclear or never issued.
- Departing executives may carry higher data exposure, so the missing device requires stronger incident handling.
- Shared devices or lab assets need room-level or pool-level custody records, not employee-only tracking.
The practical lesson is simple: accountability should be mapped to the control owner, not the person who first notices the loss. The best outcome is a process that can prove who had responsibility at each step, which is exactly what most organisations lack when the device disappears after offboarding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RR-02 | Roles, responsibilities and authorities for each offboarding handoff must be established and enforced; device loss after offboarding is a governance and accountability failure. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements must be managed and reviewed; missing devices often retain active access after termination. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | The same lifecycle control failure as a missed device return: access that outlives the relationship it was granted for. |
Assign lifecycle owners and prove handoffs for every offboarding step.