Who is accountable when a terminated user still has access?

Accountability sits with the identity, IT and business owners who approved and executed the offboarding process, not with the leaver alone. If access remains, the programme failed to coordinate revocation across systems or failed to maintain evidence that the steps were completed.

Why This Matters for Security Teams

A terminated user with lingering access is not just an HR closure problem. It is a control failure across identity governance, privileged access, application owners, and asset owners. The key issue is not whether the person left in good faith; it is whether revocation actually propagated everywhere the account was trusted. NHIMG notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which is why access persistence is so common in practice. The same failure pattern appears in human and non-human identity estates, and the OWASP Non-Human Identity Top 10 treats stale credentials and lifecycle gaps as first-order risks.

Accountability sits with the teams that owned the offboarding workflow and the systems that held the entitlements, not with the departed employee. If a leaver can still sign in, the organisation failed to enforce the control boundary that should have been closed at termination. In practice, many security teams discover this only after an audit exception, an insider-risk review, or a post-incident access check rather than through a clean offboarding process.

How It Works in Practice

Accountability is usually shared, but it should be explicit. HR or People Operations triggers the termination event. Identity and access management executes deprovisioning. IT and application owners remove sessions, tokens, VPN access, SSO grants, and local entitlements. Business owners confirm that access matched the role and that no exception remains. When this chain breaks, the organisation cannot credibly say access was revoked, even if one system was updated.

Current guidance suggests treating termination as a workflow, not a ticket. That means the workflow must track every dependent system, including SaaS apps, PAM vaults, shared mailboxes, cloud consoles, and service accounts that the user could reach. NHIMG’s NHI Lifecycle Management Guide and lifecycle processes for managing NHIs highlight the same operational truth for machine identities: if revocation is not complete and evidenced, the identity is still active from a risk perspective.

  • Revoke SSO, MFA, and directory access first, then chase application-specific grants.
  • Expire active sessions and refresh tokens, not just passwords or group membership.
  • Remove privileged roles, emergency access, and delegated admin rights separately.
  • Verify completion with logs, screenshots, or workflow evidence that an auditor can test.

Best practice is evolving toward event-driven offboarding, where termination triggers policy checks across the full identity estate and flags any remaining access as an exception. That approach aligns with the OWASP Non-Human Identity Top 10 emphasis on lifecycle governance and with NHIMG’s broader observation that visibility into service accounts is often incomplete. These controls tend to break down when access is distributed across shadow IT, legacy directories, and manually managed vendor portals because revocation cannot be centrally verified.

Common Variations and Edge Cases

Tighter offboarding controls often increase operational overhead, requiring organisations to balance speed of termination against the cost of complete revocation and evidence collection. That tradeoff becomes sharper where accounts are shared, federated, or replicated across subsidiaries and third parties. Guidance is not universal for every environment, but current practice favours a documented exception process rather than assuming partial revocation is good enough.

Edge cases matter. A terminated employee may still have access through a shared admin account, a cached session, an unmanaged SaaS tenant, or a non-human credential they once created for automation. In those cases, the question is less “who clicked offboard” and more “who owned the control that should have killed all paths to access.” NHIMG’s Top 10 NHI Issues and the broader Ultimate Guide to NHIs reinforce that stale identities, excessive privilege, and weak offboarding are usually governance failures, not isolated technical misses.
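The event-driven reconciliation described above, worked through as an added example (not NHIMG's code or any product's API): a termination event is checked against every system's access inventory, and anything still live, including the edge cases just listed (a shared admin credential, a cached cloud session, an NHI the leaver created for automation) or revoked without testable evidence, is emitted as an exception owned by the team that owns that system. System names, team names and the inventory records are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Revocation order from the guidance: identity-provider grants first, then
# sessions/tokens, then privileged and shared paths, then NHIs the leaver created.
PRIORITY = {"sso": 0, "mfa": 0, "directory": 0, "session": 1, "token": 1,
            "priv_role": 2, "shared_admin": 2, "nhi": 3}

@dataclass
class AccessRecord:
    system: str                       # hypothetical system name, e.g. "okta"
    kind: str                         # one of the PRIORITY keys
    owner: str                        # team accountable for revocation on this system
    subject: str                      # account the record belongs to
    created_by: str = ""              # for NHIs: the human who minted the credential
    holders: frozenset = frozenset()  # humans who know a shared credential
    expires_at: datetime | None = None
    revoked: bool = False
    evidence: str = ""                # log id / ticket proving the revocation

def remaining_access(user: str, inventory: list[AccessRecord], now: datetime) -> list[dict]:
    """Reconcile a termination event against every system's inventory.
    Anything still live, or revoked without testable evidence, is returned as
    an exception tagged with the owning team, ordered by PRIORITY."""
    exceptions = []
    for rec in inventory:
        reachable = (rec.subject == user or user in rec.holders
                     or (rec.kind == "nhi" and rec.created_by == user))
        expired = rec.expires_at is not None and rec.expires_at <= now
        if not reachable or (rec.revoked and rec.evidence) or (expired and not rec.revoked):
            continue  # not this user's path, proven closed, or naturally dead
        reason = "revoked but no evidence recorded" if rec.revoked else f"{rec.kind} still active"
        exceptions.append({"system": rec.system, "kind": rec.kind, "owner": rec.owner,
                           "subject": rec.subject, "reason": reason})
    return sorted(exceptions, key=lambda e: PRIORITY.get(e["kind"], 9))

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [  # constructed sample inventory; all names are hypothetical
    AccessRecord("okta", "sso", "iam-team", "jdoe", revoked=True, evidence="okta-evt-0042"),
    AccessRecord("okta", "mfa", "iam-team", "jdoe", revoked=True),  # ticket closed, no proof
    AccessRecord("aws-console", "session", "cloud-team", "jdoe", expires_at=NOW + timedelta(hours=8)),
    AccessRecord("github", "token", "appsec-team", "jdoe", expires_at=NOW - timedelta(days=1)),
    AccessRecord("pam-vault", "shared_admin", "infra-team", "root-shared", holders=frozenset({"jdoe", "asmith"})),
    AccessRecord("ci-runner", "nhi", "platform-team", "deploy-bot", created_by="jdoe"),
    AccessRecord("okta", "sso", "iam-team", "asmith"),  # someone else's grant, untouched
]

if __name__ == "__main__":
    for e in remaining_access("jdoe", INVENTORY, NOW):
        print(f'{e["owner"]:14} {e["system"]:12} {e["kind"]:13} {e["reason"]}')
```

Run against the sample, the expired GitHub token and the evidenced SSO revocation drop out, while the unevidenced MFA removal, the live cloud session, the shared admin credential and the leaver-created NHI come back as four exceptions, each pointing at a different owning team.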

Where organisations use delegated administration or outsourced IT, accountability should be contractually assigned and operationally testable. Otherwise, gaps are blamed on the last team to touch the ticket, which hides the real defect in process ownership and control design.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
OWASP Non-Human Identity Top 10   NHI-03                Offboarding and revocation gaps create stale identity risk.
NIST CSF 2.0                      PR.AC-4               Access revocation and least privilege are core to identity control.
NIST AI RMF                       GOVERN                Accountability for access failures requires clear ownership and oversight.

Assign explicit ownership for offboarding outcomes and track exceptions under AI RMF GOVERN.