Who is accountable when an employee retains access in one system after leaving another?

Accountability sits with the identity governance process, not with a single platform owner, because the organisation failed to maintain a unified view of account ownership. HR, IAM, and application teams all need a shared source of truth for identity state. Without it, leaver actions can complete in one system while access persists elsewhere.

Why This Matters for Security Teams

When an employee leaves, the real failure is rarely the exit itself. It is the fragmented identity lifecycle behind it. A leaver may be disabled in HR or one SaaS platform, yet still retain access in another system because ownership, provisioning, and deprovisioning are split across teams. That gap turns a routine offboarding task into an access governance problem that can expose data, admin paths, and automation secrets.

Current guidance from the OWASP Non-Human Identity Top 10 and NHIMG's Ultimate Guide to NHIs both point to the same operational truth: identity state must be governed as a lifecycle, not as a set of isolated account actions. If one system still thinks the person is active, standing access can persist long after employment ends.

In practice, many security teams discover the problem only after an audit, an incident, or an access review surfaces unauthorized access, rather than through intentional offboarding verification.

How It Works in Practice

Accountability should sit with the identity governance process because no single platform can reliably own the full leaver journey. The organisation needs a shared source of truth for identity state, plus automated downstream enforcement that removes access everywhere an identity is represented. That includes cloud consoles, SaaS applications, PAM vaults, API tokens, and any delegated admin relationship.

A practical workflow usually includes HR as the trigger, IAM as the orchestration layer, and application owners as control validators. The important point is not who clicks the disable button, but who is responsible for proving that access is actually removed. That is why many teams map leaver controls to lifecycle governance and access review obligations in CISA Zero Trust Maturity Model guidance and related identity assurance practices.

  • HR records termination or role change in the system of record.
  • IAM propagates the event to connected directories and apps.
  • Privileged and non-privileged accounts are both checked, including local accounts and break-glass access.
  • Secrets, tokens, and sessions are revoked or expired, not only passwords reset.
  • Application owners confirm completion for systems outside central provisioning.

NHIMG’s 52 NHI Breaches Analysis shows how identity gaps often persist across systems even when one layer appears closed. That is why shared evidence of closure matters more than a single ticket closing. These controls tend to break down when organisations rely on manual deprovisioning across many SaaS tenants because missed integrations leave residual access behind.

Common Variations and Edge Cases

Tighter offboarding control often increases operational overhead, requiring organisations to balance speed against assurance. Not every account is provisioned through the same path, and that creates exceptions that identity teams must explicitly govern.

For example, contractor access may live in a separate vendor portal, privileged access may be managed through PAM with its own expiry model, and service accounts may outlive the employee who requested them. Best practice is evolving on how much automation is enough, but there is no universal standard for this yet. The current direction is to treat every access path as a revocable identity binding, not just a user record.

Two common edge cases deserve attention. First, shared mailboxes and delegated admin roles often survive termination because no single application owner sees them as “real” accounts. Second, federated SaaS access can remain active until the next token refresh unless session revocation is explicitly enforced. In both cases, the accountable function is identity governance, with application teams responsible for implementing the technical hooks and HR responsible for providing accurate termination timing. In practice, failures show up most often where shadow IT and manually created local accounts bypass the central joiner-mover-leaver process.
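The reconciliation check that turns the workflow above and the edge cases just described into shared evidence of closure, as an added example that is not code from the journal or from any named project: HR is the system of record, and every account, API token, federated session, delegated admin role and service account in downstream systems is treated as a revocable binding to an HR identity. All identifiers, system names and states are constructed sample data.

```python
# Constructed sample data (not from the article). HR is the system of record;
# each downstream system reports the identity bindings it still holds.
HR_RECORDS = {
    "u1001": {"name": "Alice", "status": "terminated", "term_date": "2024-05-01"},
    "u1002": {"name": "Bob", "status": "active"},
    "u1003": {"name": "Cara", "status": "terminated", "term_date": "2024-04-15"},
    "u1004": {"name": "Dan", "status": "terminated", "term_date": "2024-03-30"},
}

# Every access path is a revocable binding to an HR identity, not only a user
# record: accounts, API tokens, federated sessions, delegated admin roles.
SYSTEM_BINDINGS = [
    {"system": "directory", "kind": "account", "owner": "u1001", "state": "disabled"},
    {"system": "saas_crm", "kind": "account", "owner": "u1001", "state": "active"},
    {"system": "pam_vault", "kind": "account", "owner": "u1001", "state": "disabled"},
    {"system": "ci_runner", "kind": "api_token", "owner": "u1001", "state": "active"},
    {"system": "idp", "kind": "session", "owner": "u1001", "state": "active"},
    {"system": "directory", "kind": "account", "owner": "u1003", "state": "disabled"},
    {"system": "m365", "kind": "delegated_admin", "owner": "u1003", "state": "active"},
    {"system": "directory", "kind": "account", "owner": "u1004", "state": "disabled"},
    {"system": "saas_crm", "kind": "account", "owner": "u1002", "state": "active"},
    {"system": "ci_runner", "kind": "service_account", "owner": "u0999", "state": "active"},
]

LIVE_STATES = {"active", "valid", "enabled"}

def residual_access(hr, bindings):
    """Per terminated identity, every binding still live. A leaver is closed
    only when this is empty; 'disabled' in one system is not closure."""
    leavers = {uid for uid, rec in hr.items() if rec["status"] == "terminated"}
    findings = {uid: [] for uid in leavers}
    for b in bindings:
        if b["owner"] in leavers and b["state"] in LIVE_STATES:
            findings[b["owner"]].append(f'{b["system"]}:{b["kind"]}')
    return findings

def orphaned_bindings(hr, bindings):
    """Live bindings whose owner has no HR record at all (e.g. a service
    account that outlived the person who requested it). No leaver event
    will ever revoke these, so they need an explicit, current owner."""
    return sorted(f'{b["system"]}:{b["kind"]}:{b["owner"]}' for b in bindings
                  if b["owner"] not in hr and b["state"] in LIVE_STATES)

def closure_report(hr, bindings):
    """Shared evidence of closure: closed leavers, open leavers, orphans."""
    findings = residual_access(hr, bindings)
    return {"closed": sorted(u for u, p in findings.items() if not p),
            "open": {u: sorted(p) for u, p in findings.items() if p},
            "orphaned": orphaned_bindings(hr, bindings)}
```

In the constructed data only Dan is closed: Alice is disabled in the directory and PAM vault yet still holds a SaaS account, an API token and a live federated session, Cara keeps a delegated admin role that no application owner treats as an account, and one service account has no HR owner at all.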

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Leaver access gaps are a lifecycle governance failure across identities. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access removal are central to post-exit access control. |
| NIST SP 800-63 | Identity proofing and lifecycle state | Support accurate account disablement. |

Tie authoritative identity state to account lifecycle actions and periodic reconciliation.