Who is accountable when access revocation is incomplete after mass layoffs?

Accountability should sit with the identity and access owners who can confirm that revocation completed across directories, applications, devices, and privileged systems. HR may trigger the process, but IAM and security teams own the control outcome because incomplete offboarding is an access governance failure.

Why This Matters for Security Teams

Incomplete revocation after mass layoffs is not just an HR process gap. It is an access-control failure that can leave former employees with valid sessions, API keys, VPN access, or privileged entitlements long after separation. The accountability question matters because the control owner is the only party positioned to verify that revocation actually reached every directory, application, endpoint, and admin plane. NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which shows how often revocation is treated as a checklist instead of an enforced outcome. See the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10 for the broader identity risk pattern.

Teams often assume that terminating a user in the HR system or primary IdP is enough, but that assumption fails when access is distributed across SaaS apps, legacy directories, service accounts, and cached credentials. In practice, many security teams encounter residual access only after a post-termination alert, customer incident, or privilege review has already exposed the gap.

How It Works in Practice

Accountability should be assigned to the identity and access owners who can prove closure, not simply initiate it. HR can trigger the event, but IAM, security, and system owners must ensure revocation completes across all systems of record and all enforcement points. That includes directory deprovisioning, SSO session termination, token and refresh-token invalidation, mailbox and collaboration access removal, privileged access management, device trust revocation, and any service account or API credential tied to the departed user.

Operationally, good revocation work needs orchestration and evidence. Current guidance suggests treating offboarding as a workflow with audit outputs, not a single action. A robust process usually includes:

  • Automated termination triggers from HR into IAM and PAM workflows.
  • Immediate session kill and token revocation where the platform supports it.
  • Checks for standing admin roles, break-glass access, and delegated entitlements.
  • Validation across downstream apps and shadow IT where central SSO does not enforce access.
  • Exception handling for legal hold, ongoing investigations, or asset recovery with time-bound approvals.

This is where identity governance, secrets management, and endpoint control intersect. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because the same lifecycle weakness that leaves NHI credentials unrotated also leaves human-access paths partially live. For implementation discipline, compare your workflow against the OWASP Non-Human Identity Top 10 and use it as a prompt to extend revocation beyond accounts into secrets and privileges. These controls tend to break down when applications keep independent local credentials or cached sessions outside the IAM control plane because revocation cannot be enforced from one place.

Common Variations and Edge Cases

Tighter revocation control often increases operational overhead, requiring organisations to balance speed of separation against the time needed to verify every downstream dependency. That tradeoff becomes sharper during mass layoffs, mergers, or outsourced workforce reductions, when thousands of identities may need to be disabled within hours.

There is no single prescriptive standard for this yet, but current guidance suggests a few important edge cases. First, some access must remain active for legal, payroll, or forensic reasons, so revocation should be granular and time-bound rather than all-or-nothing: a legal hold that keeps a mailbox readable is not a reason to leave an admin role or API key live. Second, contractors and vendors may sit outside the employee lifecycle process, which is why access governance must cover third parties as well as staff. Third, shared accounts and service credentials create ambiguity: if a departed worker knew the secret, treat the secret as disclosed and rotate it even if the account stays in use, because disabling the worker's own account revokes nothing they carried in their head or a password manager.
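The workflow steps above and the exception and shared-secret edge cases call for one concrete artefact: a closure check that reconciles the HR termination batch against what each enforcement point actually reports, and emits evidence rather than a tick-box. The Python below is an added illustration written for this page, not code from NHI Management Group or from any IdP, PAM or SaaS vendor's API. Every system name, identifier, timestamp and record in it is constructed, and the export shapes are assumptions; in practice the Grant rows would come from each system's own user, key and role listings.

```python
"""Offboarding closure check: did separation reach every enforcement point?
Inputs: HR termination batch, per-system access exports, shared secrets with
their known-by lists, approved time-bound exceptions. All data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Kinds that must never survive separation, even under an approved exception.
PRIVILEGED = {"admin_role", "api_key"}


@dataclass(frozen=True)
class Grant:
    """One row of an access export. System names and kinds are assumptions."""
    system: str    # enforcement point that exported the row: "okta", "pam", ...
    subject: str   # HR id the access is tied to
    kind: str      # "account" | "session" | "api_key" | "admin_role" | "vpn"
    ref: str       # account name, key id, role name or session id
    active: bool   # still usable at export time


@dataclass(frozen=True)
class SharedSecret:
    """A credential value people have seen; disabling accounts does not revoke it."""
    ref: str
    system: str
    known_by: frozenset[str]   # HR ids of everyone who handled the value
    rotated_at: datetime


@dataclass(frozen=True)
class HoldException:
    """Approved carve-out: one subject, one system, listed kinds only, with an expiry."""
    subject: str
    system: str
    reason: str                # "legal_hold" | "investigation" | "asset_recovery"
    approver: str
    covers: frozenset[str]
    expires: datetime


def check_closure(terminated: dict[str, datetime], grants: list[Grant],
                  secrets: list[SharedSecret], exceptions: list[HoldException],
                  now: datetime) -> dict:
    """Reconcile exports against the termination batch; return what is still open."""
    term_ids = set(terminated)
    live = [e for e in exceptions if e.subject in term_ids and e.expires > now]
    expired = [e for e in exceptions if e.subject in term_ids and e.expires <= now]

    def excused(g: Grant) -> bool:
        # An exception excuses a grant only on its own system and for listed kinds,
        # never for privileged kinds: a legal hold keeps a mailbox, not an admin role.
        return g.kind not in PRIVILEGED and any(
            e.subject == g.subject and e.system == g.system and g.kind in e.covers
            for e in live)

    residual = [g for g in grants if g.subject in term_ids and g.active and not excused(g)]
    residual.sort(key=lambda g: (g.kind not in PRIVILEGED, g.subject, g.system))

    # A secret a leaver saw is disclosed unless it was rotated after their separation.
    rotate = [s for s in secrets
              if any(u in term_ids and s.rotated_at < terminated[u] for u in s.known_by)]

    still_open = {g.subject for g in residual} | {e.subject for e in expired}
    return {"residual": residual, "expired_exceptions": expired,
            "rotate": rotate, "closed": sorted(term_ids - still_open)}


def run_example() -> dict:
    """Constructed batch: four leavers, one current employee, exports from five systems."""
    t0 = datetime(2024, 6, 3, 9, tzinfo=timezone.utc)   # HR separation time
    now = t0 + timedelta(days=2, hours=3)                 # when the check runs
    terminated = {"u100": t0, "u200": t0, "u300": t0, "u400": t0}
    grants = [
        Grant("okta", "u100", "account", "u100@corp.example", False),  # deprovisioned
        Grant("github", "u100", "api_key", "ghp_example_17", True),    # key never revoked
        Grant("okta", "u200", "account", "u200@corp.example", False),
        Grant("m365", "u200", "account", "mailbox:u200", True),        # under legal hold
        Grant("pam", "u200", "admin_role", "domain-admins", True),     # hold must not cover this
        Grant("vpn", "u300", "session", "sess-9f", True),              # exception has lapsed
        Grant("okta", "u400", "account", "u400@corp.example", False),
        Grant("vpn", "u400", "vpn", "profile-u400", False),
        Grant("okta", "u999", "account", "u999@corp.example", True),   # current staff, ignored
    ]
    secrets = [
        SharedSecret("deploy-bot-token", "ci", frozenset({"u100", "u555"}), t0 - timedelta(days=30)),
        SharedSecret("db-readonly-pw", "db", frozenset({"u555"}), t0 - timedelta(days=30)),
        SharedSecret("pager-webhook", "ops", frozenset({"u200"}), t0 + timedelta(days=1)),
    ]
    exceptions = [
        HoldException("u200", "m365", "legal_hold", "legal@corp.example",
                      frozenset({"account"}), now + timedelta(days=30)),
        HoldException("u300", "vpn", "asset_recovery", "it@corp.example",
                      frozenset({"session", "account"}), t0 + timedelta(days=1)),
    ]
    return check_closure(terminated, grants, secrets, exceptions, now)


if __name__ == "__main__":
    report = run_example()
    for g in report["residual"]:
        print(f"RESIDUAL  {g.subject:5} {g.system:7} {g.kind:10} {g.ref}")
    for e in report["expired_exceptions"]:
        print(f"EXPIRED   {e.subject:5} {e.system:7} {e.reason} approved by {e.approver}")
    for s in report["rotate"]:
        print(f"ROTATE    {s.system:7} {s.ref}")
    print("closed:", ", ".join(report["closed"]) or "none")
```

On the constructed batch the report lists the GitHub API key the IdP deprovisioning never reached, the domain-admin role that the legal-hold exception does not excuse, the VPN session whose asset-recovery exception has lapsed, and the CI deploy token that a leaver had seen and that was last rotated before separation; only u400 counts as closed. The point of the design is that "closed" is derived from the exports, not from the ticket being marked done, and that an exception is scoped to one system and one set of kinds with an expiry the check re-evaluates on every run.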

For evidence and remediation planning, the broad patterns documented in the 52 NHI Breaches Analysis reinforce a simple lesson: incomplete revocation is usually discovered by exposure, not by design. The practical answer is to make IAM and security accountable for closure, while HR remains accountable for initiating the personnel event.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.

Framework                        | Control / Reference             | Relevance
NIST CSF 2.0                     | PR.AA-05 (PR.AC-4 in CSF 1.1)   | Revocation completeness is an access-control and least-privilege issue.
OWASP Non-Human Identity Top 10  | NHI1:2025 Improper Offboarding  | Incomplete revocation leaves credentials and secrets active after separation.
NIST AI RMF                      | Govern function                 | Accountability for automated access decisions needs governance and traceability.

Verify departed-user access is fully removed across systems and recheck residual entitlements.