TL;DR: A former credit union employee allegedly deleted 21.3GB across 20,000 files and nearly 3,500 directories after termination, highlighting how slow access revocation and standing cloud privileges can turn off-boarding into a breach path, according to the source article. The lesson is that identity cleanup must be immediate, scoped, and auditable, not an afterthought.
At a glance
What this is: This is a cloud off-boarding analysis showing how delayed revocation and over-privileged access can let a terminated employee destroy data after dismissal.
Why it matters: It matters because IAM and NHI teams must treat off-boarding as a security control, not just an HR workflow, especially where cloud access and remote privileges persist.
By the numbers:
- Two days after being fired, the former employee allegedly deleted 21.3GB of data, including 20,000 files and almost 3,500 directories, according to the Department of Justice.
Context
Cloud off-boarding is the process of removing access, tokens, and privileges when a person leaves an organisation. In practice, the weak point is not whether a termination event happens, but whether every cloud entitlement, file path, and remote session is revoked fast enough to prevent damage. This is an IAM and NHI governance problem because the same cleanup logic must cover people, service accounts, and other non-human identities that remain active after a role ends.
The article’s case is a familiar pattern: terminated access still existed long enough for a disgruntled insider to act, even though revocation eventually happened. That is not an unusual failure mode. It shows that standing privilege, delayed deprovisioning, and incomplete asset visibility create a breach window that standard off-boarding checklists often miss.
Key questions
Q: How should security teams handle off-boarding in cloud environments?
A: Security teams should automate termination-triggered revocation across every cloud and SaaS system a person can reach, then verify that active sessions, delegated rights, and shared secrets are gone. Off-boarding is only complete when the full access chain is removed, not when the HR record is updated.
Q: Why do standing privileges make insider risk worse after someone leaves?
A: Standing privileges stay usable until someone explicitly removes them, which means a terminated employee can still reach systems during the revocation window. That expands the blast radius of a malicious exit and makes timing the security control rather than the policy. Zero standing privilege reduces that exposure.
Q: What is the difference between disabling a user account and fully off-boarding access?
A: Disabling a user account stops one login path, but full off-boarding also removes active sessions, cloud roles, application grants, shared credentials, and any NHI secrets tied to that person’s work. Organisations need the second model because a single account disable does not always stop access.
Q: Should organisations rotate secrets after employee off-boarding?
A: Yes, when the exiting employee had exposure to automation, cloud operations, or shared credentials. Rotating API keys, certificates, and tokens closes hidden access paths that user deactivation does not reach. If a person influenced a workflow, the workflow credentials should be treated as part of the exit event.
Technical breakdown
Why standing cloud privileges create off-boarding risk
Standing privilege means access remains permanently available unless someone removes it. In cloud environments, that access may include file servers, application consoles, storage buckets, API permissions, and delegated admin roles. When an employee leaves, every one of those privileges must be evaluated independently. A single revoked account is not enough if active sessions, synced credentials, or auxiliary service access still exist. For NHI governance, the lesson is broader: service accounts and automation tokens also need lifecycle controls so a departed operator cannot indirectly retain control paths.
Practical implication: inventory every persistent privilege and make off-boarding a revocation workflow, not a ticket closeout.
How delayed revocation turns termination into an attack window
Termination creates a narrow but dangerous interval between decision and full access removal. In that interval, a user may still authenticate, reach shared systems, and access data that is already within their privilege set. The problem gets worse when organisations rely on manual checks across multiple clouds and file repositories. IAM teams should treat time-to-revoke as a measurable control, because the security outcome depends on minutes and scope, not just policy language. This same principle applies to NHI secrets that remain valid after a workload or owner changes.
Practical implication: measure and reduce time-to-revoke across all systems, including cloud consoles, file servers, and secret stores.
Why off-boarding must include non-human identity cleanup
NHI exposure often survives personnel change because the account owner changes, but the credentials do not. API keys, certificates, automation tokens, and shared service accounts can keep working long after a person is removed from the organisation. That creates hidden persistence paths, especially in cloud operations where humans and automation share access chains. Off-boarding therefore needs to cover identity lineage, not just the employee directory record. If a person controlled a workflow, the workflow credentials, approvals, and delegated rights must be reviewed and reset as a unit.
Practical implication: couple employee off-boarding with NHI credential review, rotation, and ownership reassignment.
Threat narrative
Attacker objective: The objective was destructive retaliation through removal of operational and customer-related data.
- Entry via valid post-termination remote access to the former employer’s file server.
- Escalation through existing permissions that exposed confidential mortgage and software files.
- Impact through deletion of 21.3GB of data across 20,000 files and nearly 3,500 directories.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Internet Archive breach — unsecured GitLab authentication tokens exposed 31M Internet Archive accounts.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Off-boarding is an access control event, not an HR afterthought. The security failure in this case was not the termination itself, but the gap between termination and complete privilege removal. In cloud environments, that gap can span human accounts, remote sessions, shared storage, and delegated automation. Practitioners should treat off-boarding as a control plane workflow with measurable completion time.
Standing privilege creates avoidable blast radius in every identity domain. When access persists by default, the organisation is relying on perfect timing to prevent misuse. That is not a defensible model for either employee identities or NHIs. Zero standing privilege reduces the number of identities that can be abused after a personnel event, which makes deprovisioning far more reliable.
Identity governance must follow the work, not just the worker. The key issue is not merely who the employee is, but which systems, secrets, and delegated rights were tied to that person’s role. If those assets are not re-owned, rotated, or retired at exit, the organisation leaves behind latent access paths. Security teams should map off-boarding to identity lifecycle management, not just to user disablement.
Cloud off-boarding exposes the limits of manual revocation. When teams must check dozens of apps and systems by hand, revocation is always slower than the risk window. That is especially true where humans and automation share the same cloud estate. The practical conclusion is clear: automation, inventory accuracy, and lifecycle policy enforcement must replace one-off cleanup.
Identity blast radius is the right concept for post-termination risk. The smaller the accessible surface after a person leaves, the less damage a malicious insider can do. That means separating high-risk access, shortening credential lifetime, and continuously verifying who or what still has reach. Practitioners should design for containment first, because complete prevention is unrealistic at exit time.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the same survey.
- For a deeper lifecycle lens, see the NHI Lifecycle Management Guide for provisioning, rotation, and off-boarding controls.
What this signals
Identity cleanup is becoming a resilience issue, not just an administrative task. As cloud estates and automation layers expand, any delay in removing access can turn a routine termination into a data-loss event. The programme implication is clear: off-boarding must be measured, tested, and audited like any other security control, not treated as a back-office completion step.
Identity blast radius should now be a board-relevant metric. If a departed employee can still touch file systems, secrets, or admin consoles, the organisation has not reduced risk, it has merely documented it. Teams should focus on how much remains reachable after exit and how quickly that reach is removed.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey, the same off-boarding discipline that protects people must also protect NHIs. Credential lifetime, ownership transfer, and automated rotation are becoming the practical control points that separate contained exits from lingering access.
For practitioners
- Implement termination-triggered access revocation: Tie HR exit events to automated deprovisioning for cloud consoles, file servers, shared drives, and privileged apps so access closes within minutes, not hours.
- Inventory standing privileges before someone leaves: Maintain a current map of every persistent entitlement, including remote access, delegated admin rights, and shared service credentials, so off-boarding can remove the full set.
- Rotate and re-own related NHI secrets: When a staff member who touched automation or cloud operations exits, rotate API keys, certificates, tokens, and service account passwords linked to their workflows.
- Record and review time-to-revoke: Measure the interval between termination and full access removal across identity systems, then investigate any delay that leaves a former employee able to authenticate.
- Link off-boarding to access review evidence: Require proof that the account, active sessions, and downstream entitlements were removed before the case is marked closed, and retain that evidence for audit.
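The technical breakdown above and this practitioner checklist both come down to the same loop: build the full revocation plan for the departing person (account, sessions, cloud roles and the NHI secrets tied to their workflows), check what is still reachable, measure time-to-revoke, and only close the case with evidence. The following is an added example, not code from Britive or from this site, that models that loop over a constructed in-memory inventory; the entitlement kinds, the 15-minute SLA and the user and resource names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
TERMINATED_AT = datetime(2025, 12, 9, 9, 0)   # constructed exit timestamp

@dataclass
class Entitlement:
    kind: str        # account, session, cloud_role, app_grant, shared_credential, nhi_secret
    resource: str
    owner: str       # person whose role the entitlement is tied to
    revoked_at: Optional[datetime] = None   # None means still usable

def sample_inventory():
    """Constructed inventory for one departing user (illustrative, not the article's data)."""
    return [
        Entitlement("account", "corp-directory/jdoe", "jdoe", TERMINATED_AT + timedelta(minutes=5)),
        Entitlement("session", "vpn/file-server", "jdoe"),          # survives the account disable
        Entitlement("cloud_role", "storage-admin", "jdoe", TERMINATED_AT + timedelta(minutes=40)),
        Entitlement("nhi_secret", "deploy-api-key", "jdoe"),        # workflow credential, not yet rotated
        Entitlement("account", "corp-directory/asmith", "asmith"),  # colleague, must stay untouched
    ]

def revocation_plan(inventory, user):
    """Everything tied to the user, not just the directory account."""
    return [e for e in inventory if e.owner == user]

def residual_access(inventory, user):
    """Entitlements still live: the blast radius that remains after exit."""
    return [e for e in revocation_plan(inventory, user) if e.revoked_at is None]

def time_to_revoke_minutes(inventory, user, terminated_at):
    """Minutes from termination to the last revocation; None while anything is still live."""
    plan = revocation_plan(inventory, user)
    if not plan or any(e.revoked_at is None for e in plan):
        return None
    return (max(e.revoked_at for e in plan) - terminated_at).total_seconds() / 60

def revoke_remaining(inventory, user, terminated_at, minutes_after):
    """Record revocation of every still-live entitlement at termination + minutes_after."""
    for e in residual_access(inventory, user):
        e.revoked_at = terminated_at + timedelta(minutes=minutes_after)

def offboarding_evidence(inventory, user, terminated_at, sla_minutes=15):
    """Audit record: the case closes only when nothing is reachable and revocation met the SLA."""
    remaining = residual_access(inventory, user)
    ttr = time_to_revoke_minutes(inventory, user, terminated_at)
    return {"user": user,
            "remaining": [f"{e.kind}:{e.resource}" for e in remaining],
            "time_to_revoke_minutes": ttr,
            "closed": not remaining and ttr is not None and ttr <= sla_minutes}
```

With the sample data, disabling the directory account alone leaves the VPN session and the deploy API key reachable, so the case stays open; once the rest is revoked, the recorded time-to-revoke still decides whether the exit met the SLA.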
Key takeaways
- Off-boarding fails when access removal lags behind termination, because the delay creates a usable breach window.
- Standing privileges and shared credentials magnify insider risk by extending post-exit reach across cloud systems and NHI pathways.
- Security teams should automate revocation, rotate related secrets, and prove that the full identity chain was closed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Off-boarding gaps map directly to lingering NHI credentials and access after role change. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access governance are central to preventing post-termination access. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous verification instead of assuming exit events are instantly enforced. |
Review all termination workflows against PR.AC-4 and shorten the time-to-revoke window.
Key terms
- Standing Privilege: Standing privilege is access that remains active by default until someone removes it. In cloud and identity systems, it increases the chance that a former employee, contractor, or workload can keep using permissions after the business no longer needs them. It is a core driver of post-termination risk.
- Off-boarding: Off-boarding is the process of removing a departing user’s access, credentials, and related entitlements from the environment. In mature IAM programmes, it also includes reviewing sessions, shared secrets, delegated roles, and linked non-human identities so that exit events do not leave behind hidden access paths.
- Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause if it is misused or compromised. For departed users, the blast radius depends on how many systems, secrets, and privileges remain reachable after termination. Smaller blast radius means better containment and less residual exposure.
- Just-In-Time Access: Just-In-Time access is a pattern that grants permissions only when they are needed and removes them after the task ends. It reduces standing exposure during employee exits and operational handoffs because the access does not persist unless a live request or policy action keeps it open.
Deepen your knowledge
Off-boarding, zero standing privilege, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a termination process that also has to cover cloud access and automation secrets, it is worth exploring.
This post draws on content published by Britive: Off-boarding Matters: How to Protect Your Company and Customers from Employees with Bad Intentions. Read the original.
Published by the NHIMG editorial team on 2025-12-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org