TL;DR: Manual offboarding remains a common cause of orphaned accounts, stale access and audit failure because identity, SaaS, session, VPN and physical controls are often revoked in separate steps, according to Clarity Security. The governance problem is not speed alone, but whether leaver processes actually close every access path before accountability disappears.
At a glance
What this is: This is an IT offboarding guide showing how delayed or incomplete leaver handling leaves active access, orphaned accounts and audit gaps behind.
Why it matters: It matters because IAM, PAM and lifecycle teams need one revocation process that closes human access, shared credentials and downstream SaaS entitlements before a departing user becomes a security gap.
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read Clarity Security's IT offboarding checklist for leaver workflow control
Context
Leaver handling is the point where identity governance turns from policy to execution. Once HR triggers a termination, access must be revoked across identity provider, SaaS, sessions, VPN, shared credentials, devices and badges before stale access becomes an entry point.
For human identity programmes, the failure mode is rarely a single control gap. It is the gap between a documented offboarding checklist and the actual sequence of revocation across systems that do not all obey the same source of truth.
Key questions
Q: How should security teams implement offboarding so former employees lose access everywhere?
A: Start with a single leaver workflow that disables the identity at the source, then fan out to SaaS, VPN, cloud storage, device management and physical access systems. Confirm that local application accounts and shared credentials are also revoked. The goal is not a ticket closure, but complete removal of every path the former user could still use.
Q: Why do orphaned accounts keep appearing after employee terminations?
A: Orphaned accounts persist when offboarding only covers the primary directory and ignores downstream systems that authenticate independently. SaaS, legacy apps and shared credentials often survive because they are managed outside the main identity plane. That creates residual access even after HR has closed the employment record.
Q: How do you know if an offboarding process is actually working?
A: Measure how many identities still have active access after termination, how long revocation takes, and how often unmanaged systems are discovered in post-termination reviews. A working process should produce evidence that access, ownership transfer and deletion steps all completed in the correct order.
Q: Who is accountable when a terminated user still has access?
A: Accountability sits with the identity, IT and business owners who approved and executed the offboarding process, not with the leaver alone. If access remains, the programme failed to coordinate revocation across systems or failed to maintain evidence that the steps were completed.
Technical breakdown
Why leaver offboarding fails across distributed access systems
Offboarding fails when identity is treated as a single control plane but access is actually distributed across the IdP, SSO, SaaS apps, VPN, device management, cloud storage and physical access systems. Disabling a user at the source does not necessarily revoke application-local accounts, shared credentials or active browser sessions. That is why ghost accounts persist after termination. The practical issue is lifecycle coordination, not just account disablement. A complete leaver workflow has to propagate revocation to every system that can still authenticate or authorise the departed identity.
Practical implication: map every post-termination access path and verify that each one is revoked, not just the primary directory account.
Why evidence logging matters in offboarding
Offboarding evidence is the audit trail that proves revocation actually happened. Without timestamps, account lists, and ownership transfer records, teams cannot demonstrate that access was removed in the correct order or within policy. Evidence also matters for operational continuity, because some assets must be transferred before deletion, especially files, inboxes and application ownership. Good hygiene here is not about paperwork for its own sake. It is about being able to prove that access, data custody and business continuity were handled as separate governance steps.
Practical implication: record who was deprovisioned, what was transferred, and when each control action occurred.
How automated leaver workflows reduce orphan account risk
Automated leaver workflows reduce risk by turning termination into a structured workflow rather than a manual ticket chain. The useful pattern is trigger, orchestration and verification. HR or another source event initiates revocation, the workflow fans out to relevant systems, and a final review checks for accounts that escaped the IdP. That final check is critical because not all identities are governed centrally. The strongest programmes treat automation as a way to reduce latency and miss rate, not as a substitute for governance ownership.
Practical implication: automate revocation where possible, but keep a final review step for unmanaged or shadow accounts.
NHI Mgmt Group analysis
Leaver offboarding is a lifecycle control, not an administrative task. The article shows that termination events are security events because identity persists after employment unless revocation is propagated across every system that can still authorise the user. The failure is not the checklist itself, but the assumption that one directory action closes all access. For human IAM, that assumption is dangerous because SaaS, VPN, device and badge controls often sit outside the first revocation step.
Ghost accounts are the visible symptom of access lifecycle failure. When accounts remain after departure, the programme has lost lifecycle coherence across joiner, mover and leaver processes. The issue is not only residual authentication, but residual ownership, billing, and audit accountability. That makes ghost accounts a governance indicator, not just an access hygiene issue.
Evidence capture is part of control effectiveness. A leaver process without an evidence log cannot prove that access was removed in the right order or that exceptions were handled deliberately. This is where identity governance and audit readiness converge. Teams that cannot show the revocation chain should assume the control is not dependable enough for high-risk access.
Lifecycle offboarding without source-of-truth coverage: The checklists work only when every account is visible to the governance process. That assumption fails whenever local SaaS accounts, shared credentials, or unmanaged systems sit outside the main identity plane. The implication is that programme maturity is limited by coverage, not by policy language.
Manual leaver handling creates an identity blast radius. Every delay between termination notice and complete revocation increases the window in which a former employee, attacker or internal misuse path can still operate. The more fragmented the environment, the larger that blast radius becomes. Practitioners should treat revocation latency as a measurable governance risk.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to The State of Secrets in AppSec.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to The State of Secrets in AppSec.
- For lifecycle governance detail, the NHI Lifecycle Management Guide shows how provisioning, rotation and offboarding need to be managed as one control chain.
What this signals
Leaver governance now behaves like a latency problem. When termination handling depends on manual tickets, the control degrades in proportion to environment size and application sprawl. Teams should expect that any unowned or shadow application will be the first place revocation fails, so the next programme milestone should be full coverage mapping, not another checklist revision.
Lifecycle completeness is the real maturity metric. A mature identity programme can show that access, ownership and evidence were all closed in one chain, not that a form was filled out. That is why the most valuable improvement path is to connect HR events, IAM controls and audit evidence into one workflow, with a clear review path for out-of-band accounts.
Ghost accounts are a signal that identity boundaries are too narrow. If your programme only measures the IdP, it will miss local SaaS accounts, shared secrets and physical access artefacts that survive employee departure. The practical next step is to align offboarding controls with the NIST Cybersecurity Framework 2.0 protect and recover functions while tightening lifecycle coverage through the Ultimate Guide to NHIs.
For practitioners
- Reconcile every leaver workflow to one revocation sequence: Build a termination runbook that lists the IdP, SSO, SaaS apps, VPN, cloud storage, shared credentials, devices and physical badges that must be disabled in order. Then test the workflow against a real departing-user sample to find where access survives the first pass.
- Separate access removal from asset transfer: Transfer file ownership, inbox custody and application ownership before deletion, but do not delay access revocation while waiting for the business to preserve content. Treat continuity tasks and security tasks as linked but distinct controls.
- Log the evidence needed for audit and remediation: Capture who approved the leaver action, what systems were touched, what remained open, and when each step completed. Use the log to spot repeated exceptions, unmanaged applications and manual handoffs that slow revocation.
- Audit for accounts outside the identity provider: Search for local SaaS accounts, legacy application logins and shared credentials that are not governed by the IdP. Any account that can still authenticate after termination should be brought into the offboarding workflow or removed.
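The trigger, orchestration and verification pattern from the technical breakdown, combined with the runbook, evidence log and outside-the-IdP audit steps above, as an added illustration that is not Clarity Security's or NHIMG's code. System names, the account inventory and the one-minute-per-step timing are constructed assumptions; real connectors would replace the simulated revoke call.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Runbook: systems a termination must disable, in order (IdP first). Names are
# hypothetical; in practice each one maps to a connector for the real system.
RUNBOOK_ORDER = ["idp", "sso_saas", "vpn", "cloud_storage", "mdm", "badge"]

# Constructed inventory for one leaver: every account that can still authenticate
# and whether the IdP governs it. Ungoverned rows model local SaaS and shared logins.
ACCOUNTS = [
    {"system": "idp", "governed": True},
    {"system": "sso_saas", "governed": True},
    {"system": "vpn", "governed": True},
    {"system": "local_analytics_saas", "governed": False},
    {"system": "shared_build_login", "governed": False},
]

@dataclass
class LeaverRun:
    user: str
    triggered_at: datetime
    evidence: list = field(default_factory=list)  # who / what / when per control step

def revoke(run, system, when, approver):
    """Simulated connector call: records evidence instead of touching a real system."""
    run.evidence.append({"system": system, "action": "disable", "by": approver, "at": when})

def run_leaver_workflow(user, accounts, triggered_at, approver="iam-oncall"):
    run = LeaverRun(user, triggered_at)
    # Orchestration: fan out in runbook order; each simulated step takes one minute.
    for i, system in enumerate(RUNBOOK_ORDER):
        revoke(run, system, triggered_at + timedelta(minutes=i + 1), approver)
    # Verification: an account the IdP does not govern and no step touched is a ghost.
    touched = {e["system"] for e in run.evidence}
    ghosts = [a["system"] for a in accounts if not a["governed"] and a["system"] not in touched]
    return run, ghosts

def revocation_latency_minutes(run):
    """Termination trigger to last completed control step: the latency metric to track."""
    return (max(e["at"] for e in run.evidence) - run.triggered_at).total_seconds() / 60

def evidence_in_order(run):
    """Audit check: steps completed in runbook order, with the IdP disabled first."""
    return [e["system"] for e in run.evidence] == RUNBOOK_ORDER

def demo_run():
    """Constructed termination of user 'jdoe' triggered at a fixed time."""
    return run_leaver_workflow("jdoe", ACCOUNTS, datetime(2026, 3, 11, 9, 0))

if __name__ == "__main__":
    run, ghosts = demo_run()
    print(f"latency {revocation_latency_minutes(run):.0f} min, in order: {evidence_in_order(run)}")
    print("accounts that escaped the workflow:", ghosts)
```

The two ungoverned accounts are exactly the ones the final review step must catch; a workflow that only reports ticket closure would never surface them.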
Key takeaways
- Incomplete leaver handling turns a routine HR event into an identity security exposure because access often survives outside the primary directory.
- The scale of the problem is measurable, and secrets and lifecycle data show that revocation and remediation gaps persist long after notification.
- The strongest control improvement is end-to-end lifecycle closure across access, ownership, evidence and unmanaged accounts, not a better checklist alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-04 | Leaver offboarding depends on timely revocation of identity access and session authority. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on rotation, revocation and lifecycle closure for non-human and human-linked access. |
| NIST SP 800-63 | | Lifecycle assurance and identity binding matter when deactivating human access after departure. |
Ensure identity proofing, lifecycle management and revocation processes are coordinated across systems.
Key terms
- Leaver workflow: A leaver workflow is the sequence of actions used to remove access when a person leaves an organisation. It coordinates account disablement, session termination, asset recovery, data transfer and evidence logging so departure does not leave behind active or unowned access.
- Ghost account: A ghost account is an account that remains active after the person who owned it has left or no longer needs access. These accounts create hidden entry points, complicate audits and often persist because they sit outside the primary identity governance workflow.
- Identity evidence log: An identity evidence log records what access was removed, when it was removed and who approved the action. It supports audits, incident review and operational accountability by proving that lifecycle controls were executed, not merely planned.
- Lifecycle completeness: Lifecycle completeness is the degree to which identity governance covers the full path from joiner to mover to leaver across all relevant systems. It means access, ownership and deletion are coordinated so no account, credential or entitlement is left outside control.
What's in the full article
Clarity Security's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step leaver checklist template you can adapt for HR-triggered terminations and emergency offboarding.
- Specific handling for SaaS accounts, shared credentials, device retrieval and physical badge deactivation.
- Practical guidance on evidence logging, delayed deletion and post-termination account monitoring.
- The vendor's automation workflow examples for tying HR events to deprovisioning tasks and review steps.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org