Subscribe to the Non-Human & AI Identity Journal

What breaks when employee offboarding is handled as a simple account deletion?

Account deletion alone leaves residual access paths in SaaS apps, shared passwords, OAuth grants, owned files and personal device copies. The result is that a former employee may still reach data or workflows even though the directory account is gone. Effective offboarding must terminate every access path, not just the primary login.

Why This Matters for Security Teams

Simple account deletion solves only the directory record. It does not reliably revoke SaaS entitlements, OAuth grants, shared mailbox access, tokens cached on devices, or file ownership that continues to expose data after departure. That gap turns offboarding into an access persistence problem, not an HR closeout task. NHI Management Group’s Ultimate Guide to NHIs shows how lifecycle failures and weak revocation practices create lasting exposure, while NIST SP 800-53 Rev 5 Security and Privacy Controls treats access removal as a control activity, not a clerical cleanup.

For teams already dealing with SaaS sprawl, device sync, and delegated app access, the real risk is that the deleted account becomes a false signal of safety. If the user had created API keys, approved OAuth scopes, or transferred work into shared systems, those paths can outlive the identity record. In practice, many security teams discover the residual access only after a data exposure, a suspicious login, or a post-departure workflow abuse rather than through intentional offboarding validation.

How It Works in Practice

Effective offboarding has to trace every identity and access dependency tied to the employee, then revoke each one in sequence. That includes directory groups, SaaS sessions, application-specific roles, refresh tokens, API keys, service account, shared secrets, inbox delegation, document ownership, and device-bound credentials. The operational goal is to eliminate all reachable trust paths, not just the primary authentication account. NHI Management Group’s NHI Lifecycle Management Guide is useful here because the same lifecycle logic applies when an employee has created or used non-human access paths during their tenure.

Current guidance suggests offboarding should be automated where possible and verified with post-revocation checks. A practical sequence looks like this:

  • Disable primary login and session refresh first.
  • Revoke OAuth consents and connected app grants.
  • Rotate shared secrets, keys, and credentials the employee could access.
  • Reassign file, mailbox, ticketing, and repository ownership.
  • Invalidate device trust, cached tokens, and mobile app sessions.
  • Confirm removal through logs, access reviews, and application-level checks.

This matters because identity systems often show “disabled” while downstream systems still honor access tokens, delegated permissions, or cached sessions. The issue is especially visible in modern SaaS stacks, where one user may touch dozens of applications outside the core directory. NIST guidance on account and session control supports this kind of layered revocation, and the Top 10 NHI Issues research reinforces how incomplete lifecycle processes become security gaps when credentials and permissions are scattered across systems. These controls tend to break down in federated SaaS environments with delegated admin rights because the directory owner cannot see or revoke every downstream entitlement from one console.

Common Variations and Edge Cases

Tighter offboarding often increases operational overhead, requiring organisations to balance rapid termination against business continuity and auditability. Not every departure needs the same response, and best practice is evolving around how much automation is acceptable for high-trust roles versus standard users. A terminated employee who owns a shared mailbox, a code repository, or a finance workflow can create service disruption if permissions are removed without reassignment, so the safer pattern is coordinated transfer followed by revocation.

There is also no universal standard for every SaaS app’s offboarding semantics. Some platforms revoke sessions immediately; others leave API tokens valid until they expire or are manually rotated. Personal devices add another edge case because locally cached files, synced folders, and password managers may retain data after centralized access is gone. For that reason, the strongest programs combine account disablement with secret rotation, ownership reassignment, and device posture checks. The Lifecycle Processes for Managing NHIs section is relevant because the same principle applies: removing one credential source does not guarantee removal of all usable access paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Offboarding must revoke lingering non-human credentials and access paths.
OWASP Agentic AI Top 10 Autonomous workloads can retain access after human departure via delegated credentials.
CSA MAESTRO Covers lifecycle governance for identities used by agentic and automated systems.
NIST CSF 2.0 PR.AC-4 Access permissions must be managed and revoked as part of identity governance.
NIST SP 800-63 Session and authenticator lifecycle matters when credentials outlive the account.

Trace and remove every agent, token, and delegation the employee could have created or approved.