Ownership should be shared across HR, IT, IAM, and the application business owner, because each controls a different part of the exit. HR confirms the departure, IT and IAM remove access, and the business owner confirms data transfer or retention. Clear ownership prevents gaps between systems.
Why This Matters for Security Teams
Employee offboarding is rarely a single-team task because access removal and data cleanup happen in different systems with different owners. HR confirms the departure, but IT and IAM must remove credentials, tokens, and active sessions while the application business owner decides what data is retained, transferred, or deleted. When that handoff is unclear, dormant access and orphaned data linger.
That lag matters because offboarding failures are not theoretical. NHI Management Group's Ultimate Guide to NHIs notes that only 20% of organisations have formal processes for offboarding and revoking API keys, and Entro Security's 2025 State of NHIs and Secrets in Cybersecurity reports that 91% of former employee tokens remain active after offboarding. The operational lesson is simple: if ownership is not assigned before the employee exits, cleanup becomes a best-effort afterthought instead of a controlled process.
In practice, many security teams discover the gap only after an audit finding, a data request, or an incident exposes that nobody owned the full exit path.
How It Works in Practice
Best practice is a shared ownership model with one accountable coordinator and multiple executing owners. HR should own the termination trigger and timing, because it is the first source of truth for the exit event. IAM and IT should own technical deprovisioning, including account disablement, token revocation, MFA reset, device recovery, and removal from SSO, VPN, and SaaS platforms. The application or data owner should own post-access cleanup decisions such as mailbox retention, file transfer, shared folder reassignment, and deletion approvals.
That model works best when it is translated into a documented offboarding workflow with timestamps, checkpoints, and evidence collection. A good workflow usually includes:
- HR confirms the separation date and notifies downstream owners.
- IAM removes primary access and any privileged or shared entitlements.
- IT revokes endpoint, remote access, and device-based access.
- The business owner validates which records must be retained, transferred, or deleted.
- Security or compliance verifies completion and retains audit evidence.
This is also where NHI hygiene matters, especially for service accounts, API keys, automation tokens, and shared secrets linked to the departing employee. The NHI Lifecycle Management Guide and the OWASP Non-Human Identity Top 10 both reinforce that access cleanup must include non-human credentials, not just human accounts. If an employee created or maintained an integration, the offboarding owner should also verify whether the underlying secret is rotated, transferred, or retired.
Current guidance suggests that the most reliable control is not a single team doing everything, but a clearly mapped RACI with automated tasking and signoff across HR, IAM, IT, and the business owner. These controls tend to break down in fast-growing environments where access lives in many SaaS apps, secrets are embedded in automation, and nobody has a complete inventory of what the employee touched.
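The workflow above, and the NHI hygiene it calls for, can be made mechanical. The following is an added example, not code from the original page or from any of the cited guides: it turns an HR departure event into owner-tagged tasks (the RACI mapping) and then audits the inventory after the separation date for access that is still live. The inventory, user names, credential identifiers and the split of which entitlements IT versus IAM revokes are all constructed assumptions for illustration.

```python
"""Added example: offboarding task generation and post-exit access audit.
Inventory, names and the IT/IAM entitlement split below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed split: these entitlements are revoked by IT, everything else by IAM.
IT_OWNED = {"vpn", "endpoint", "remote-access"}


@dataclass
class HumanAccount:
    user_id: str
    enabled: bool
    entitlements: list


@dataclass
class Credential:
    """Non-human credential with a human owner (API key, service account, token)."""
    cred_id: str
    kind: str
    owner: str
    active: bool
    last_rotated: datetime


@dataclass
class DepartureEvent:
    user_id: str
    separation_date: datetime  # HR is the source of truth for this timestamp


def plan_offboarding(event, humans, creds):
    """Translate the shared-ownership model into (team, task) pairs."""
    uid = event.user_id
    tasks = [("HR", f"confirm separation on {event.separation_date.date()} for {uid}; "
                    "notify IAM, IT and business owner")]
    acct = next((h for h in humans if h.user_id == uid), None)
    if acct is not None:
        tasks.append(("IAM", f"disable account {uid}, reset MFA, revoke sessions"))
        for ent in acct.entitlements:
            team = "IT" if ent in IT_OWNED else "IAM"
            tasks.append((team, f"revoke {ent} for {uid}"))
    # NHI hygiene: every secret the leaver owns is rotated, transferred or retired.
    for c in creds:
        if c.owner == uid:
            tasks.append(("IAM", f"rotate or retire {c.kind} {c.cred_id}; reassign owner"))
    tasks.append(("Business owner", f"decide mailbox, file and shared-folder retention for {uid}"))
    tasks.append(("Security", f"verify completion and retain audit evidence for {uid}"))
    return tasks


def audit_post_exit(event, humans, creds, now):
    """Return (finding, identifier) pairs for access still live after separation."""
    findings = []
    if now < event.separation_date:
        return findings  # nothing to verify before the HR trigger fires
    for h in humans:
        if h.user_id != event.user_id:
            continue
        if h.enabled:
            findings.append(("human_account_enabled", h.user_id))
        elif h.entitlements:
            # Disabled but entitlements not removed: re-enabling would restore access.
            findings.append(("entitlements_remain", h.user_id))
    for c in creds:
        if c.owner != event.user_id or not c.active:
            continue
        if c.last_rotated < event.separation_date:
            findings.append(("nhi_not_rotated", c.cred_id))    # leaver may still hold it
        else:
            findings.append(("nhi_orphaned_owner", c.cred_id))  # rotated, but nobody owns it
    return findings


# Constructed sample inventory: alice left on 2025-03-01.
SAMPLE_EVENT = DepartureEvent("alice", datetime(2025, 3, 1, tzinfo=timezone.utc))
SAMPLE_HUMANS = [
    HumanAccount("alice", enabled=False, entitlements=["vpn", "github-admin"]),
    HumanAccount("bob", enabled=True, entitlements=["sso"]),
]
SAMPLE_CREDS = [
    Credential("ci-deploy-key", "api_key", "alice", True, datetime(2024, 11, 5, tzinfo=timezone.utc)),
    Credential("reporting-sa", "service_account", "alice", True, datetime(2025, 3, 2, tzinfo=timezone.utc)),
    Credential("old-webhook", "automation_token", "alice", False, datetime(2024, 6, 1, tzinfo=timezone.utc)),
    Credential("bob-key", "api_key", "bob", True, datetime(2025, 1, 10, tzinfo=timezone.utc)),
]
AUDIT_TIME = datetime(2025, 3, 15, tzinfo=timezone.utc)
BEFORE_EXIT = datetime(2025, 2, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    for team, task in plan_offboarding(SAMPLE_EVENT, SAMPLE_HUMANS, SAMPLE_CREDS):
        print(f"[{team}] {task}")
    for finding in audit_post_exit(SAMPLE_EVENT, SAMPLE_HUMANS, SAMPLE_CREDS, AUDIT_TIME):
        print("FINDING", finding)
```

Run against the sample inventory, the audit flags that alice's disabled account still carries entitlements, that `ci-deploy-key` was never rotated after her exit (the 91% case), and that `reporting-sa` was rotated but still has a departed owner. The distinction between the last two matters for who acts: the first is an IAM revocation task, the second is an ownership reassignment that needs the business owner.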
Common Variations and Edge Cases
Tighter offboarding control often increases coordination overhead, requiring organisations to balance speed against completeness. That tradeoff becomes visible when the employee owns critical workflows, when multiple apps store the same data, or when legal retention rules conflict with a request to delete everything immediately.
There is no universal standard for this yet, but current practice is to assign a single process owner for coordination while preserving system ownership for execution. For example, HR should not be asked to delete application data, and IAM should not decide retention policy. Instead, they should escalate to the appropriate business or compliance owner when deletion, archive, or legal hold decisions are required.
Edge cases usually involve privileged users, contractors, and employees who maintained shared automation. In those cases, offboarding should include secret rotation, service account reassignment, and verification that no personal mailbox, calendar, or cloud storage remains a dependency. The Top 10 NHI Issues highlights how quickly orphaned access can become a broader control failure when credentials are duplicated or left active across systems. For data cleanup, the business owner should always confirm retention exceptions before deletion proceeds.
Where this guidance breaks down most often is in organisations that lack a complete identity and application inventory, because cleanup cannot be trusted for systems that are not known at the time of offboarding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Offboarding must cover leaked or orphaned non-human access after employee departure. |
| NIST CSF 2.0 | PR.AA-01 | Offboarding is an identity and access assurance workflow with auditability needs. |
| NIST AI RMF | Not specified | Shared accountability supports governance and lifecycle controls for automated and data-driven systems. |
Assign ownership across governance, technical deprovisioning, and retention decisions with clear accountability.