By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: Remote offboarding can leave former employees with lingering SaaS, CRM, email, and SSO access, creating avoidable exposure when deprovisioning is delayed or incomplete, according to Zluri and OneLogin. The governance gap is not the exit process itself but the failure to terminate access quickly enough across every identity system.


At a glance

What this is: This is an offboarding and access governance article showing that remote exit processes break down when SaaS, SSO, shared accounts, and device access are not revoked in sync.

Why it matters: It matters because delayed deprovisioning affects human identity, shared accounts, and the wider lifecycle controls that also govern NHI and privileged access programmes.

By the numbers:

👉 Read Zluri's offboarding checklist for SaaS, SSO, and remote access cleanup


Context

Remote offboarding is an identity lifecycle problem, not just an HR process. When an employee leaves, access must be removed across SaaS apps, SSO, device sessions, shared accounts, voicemail, and remote access paths before the departure is complete; otherwise the organisation keeps paying for, and remains exposed through, credentials that should no longer exist.

The article’s central point is that manual spreadsheets and disconnected workflows cannot keep pace with modern offboarding. That is especially relevant to IAM teams because lifecycle controls determine whether a departing user, a shared account, or a dormant entitlement remains usable long enough to become a security issue.


Key questions

Q: What breaks when employee offboarding is not tightly coordinated across identity systems?

A: Access can survive the departure event. If HR, IAM, application owners, and device teams do not remove entitlements in sync, the former employee may still reach SaaS apps, shared accounts, voicemail, or remote access. The failure is not just administrative delay. It is a live identity relationship that outlasts the business decision to end it.

Q: Why do delayed deprovisioning and shadow IT create a larger security problem than unused licenses?

A: Because the issue is not only cost. Delayed deprovisioning leaves a usable access path behind, while shadow IT means some of those paths are invisible to the team doing the cleanup. Together they create lingering exposure that can support insider misuse, data leakage, or accidental retention of privileged access.

Q: What do security teams get wrong about shared accounts during offboarding?

A: They often rotate a password and stop there. That misses active sessions, integrations, delegated permissions, and unclear ownership. A shared account is not secure just because the password changed. It is secure only when the account has a new accountable owner and all prior access paths have been invalidated.

Q: Who is accountable when a former employee still has access after offboarding?

A: Accountability should sit with the business owner of the identity lifecycle, not only with IT operations. Offboarding is a governance process that spans HR, IAM, application owners, and security. If any one of those groups treats revocation as someone else’s task, the organisation creates a predictable control gap.


Technical breakdown

Why delayed deprovisioning leaves standing access behind

Deprovisioning is the coordinated removal of a user’s entitlements, sessions, and dependent accounts across systems. In practice, it often fails because different tools own different parts of the lifecycle. An identity provider may block sign-in, but active app sessions, cached tokens, shared passwords, voicemail, and remote desktop access can remain valid. The real technical problem is orchestration latency: the exit workflow is only as strong as its slowest dependency, and any gap creates a residual access window that attackers or disgruntled insiders can abuse.

Practical implication: map every offboarding dependency and verify revocation order across identity, application, device, and communications systems.

Shared accounts and ownership transfer create hidden control gaps

Shared accounts are especially dangerous because ownership is collective, but accountability is usually unclear. When a user leaves, teams often rotate a password without proving that all sessions, integrations, and downstream privileges were removed. If ownership is not reassigned and separately authenticated, the account becomes a durable access path that is hard to audit. This is an identity governance failure as much as a security one, because the system still has a functioning credential while the business believes the access relationship has ended.

Practical implication: require explicit ownership transfer and session invalidation before any shared account is considered offboarded.

Why shadow IT discovery matters during offboarding

Offboarding only works if the organisation knows which apps and data stores the employee used. Shadow IT means the actual application footprint is wider than the official inventory, so a clean exit on paper can leave real access untouched in untracked SaaS tools. Discovery and entitlement visibility are therefore upstream controls for deprovisioning. Without them, IT can revoke the obvious accounts and still miss the systems where the most sensitive data lives, including file stores, collaboration tools, and niche business applications.

Practical implication: pair offboarding with user-level app discovery so unknown SaaS access is removed before the leaver exits.


Threat narrative

Attacker objective: The objective is to preserve usable business access after employment ends so data, contacts, and internal operations remain exposed to a former insider.

  1. Entry occurs through ordinary employee access that remains active after resignation, termination, or role change because deprovisioning lags behind the exit process.
  2. Credential access and privilege retention persist through SaaS sessions, shared passwords, SSO links, and remote access paths that are not revoked in the same workflow.
  3. Impact follows when a former employee can still view CRM records, internal files, or communications, creating insider leakage, competitive exposure, or account misuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity lifecycle is only real when revocation matches the departure event: This article shows that offboarding fails when access removal is treated as a follow-up task instead of a synchronous security control. The leaver still holds a valid identity relationship if SaaS, SSO, device, and communications access are not removed together. For IAM teams, the practical conclusion is that lifecycle completeness matters more than paperwork completion.

Delayed deprovisioning is a standing-access problem, not an exit-admin problem: The article’s own example, supported by the OneLogin figure, shows that the risk is not just cost leakage from unused licenses. It is the persistence of a live access path after the business believes it has ended. That is a classic NHI-style lifecycle lesson applied to human identity governance: access that outlives accountability becomes an exposure window.

Shadow IT turns offboarding into an inventory problem before it becomes a security problem: If the organisation cannot see every app the employee used, it cannot prove deprovisioning is complete. This is where lifecycle governance, SaaS discovery, and entitlement visibility intersect. Practitioners should treat unknown application usage as an offboarding failure mode, not just a discovery gap.

Shared-account ownership transfer is the control point most teams under-specify: The article correctly points out that passwords are often changed without proving that the account’s operational ownership has moved. That leaves a policy-compliant-looking account with unresolved access history. The governance lesson is simple: if no named owner exists after exit, the account was never fully deprovisioned.

Remote-work offboarding exposes the limits of human-centred lifecycle assumptions: Access is no longer confined to a laptop and a badge. It spans SaaS, session tokens, voicemail, VPN, and collaboration tools, which means lifecycle governance must be built as a cross-system control plane. The practitioner takeaway is to design offboarding around access surfaces, not departments.

From our research:

What this signals

Standing-access drift: offboarding is increasingly a lifecycle assurance problem, not a ticket-closure exercise. Teams that still rely on manual handoffs will keep finding that access survives longer than the employment relationship, especially where SaaS discovery and session control are fragmented.

The practical next step is to treat revocation completeness as a measurable control, not a procedural assumption. That means checking whether every departing user’s access was removed across primary identity systems, application layers, and communication channels before the exit is considered closed.

For broader lifecycle guidance, teams should align offboarding with the patterns in the NHI Lifecycle Management Guide and use the Top 10 NHI Issues to benchmark where governance gaps most often accumulate across identity programmes.


For practitioners

  • Build a single offboarding control list: Define one authoritative checklist that covers SaaS, SSO, shared accounts, device sessions, VPN, voicemail, and external collaboration tools. Use it to prevent handoff gaps between HR, IT, security, and app owners.
  • Revoke access in dependency order: Block sign-in, terminate live sessions, remove application entitlements, and then reclaim licenses so a user cannot retain access through cached authentication or overlooked downstream permissions.
  • Inventory shadow IT before the last workday: Use user-level application discovery to identify the full SaaS footprint tied to the departing employee, including tools that never appear in the official procurement list.
  • Transfer shared-account ownership explicitly: Require a named owner, an approved password change, and a confirmation that all associated sessions and integrations have been reviewed before the account is considered closed.
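Treating revocation completeness as a measurable control, as the list above and the "What this signals" section call for, can be reduced to a check that runs against a leaver's recorded access state. The following is an added Python example (not Zluri's or NHIMG's code) that applies the dependency order, shared-account ownership and shadow IT rules described on this page; the step names, the LeaverState fields and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
# Dependency order from the article: block sign-in, end live sessions, remove
# entitlements, then reclaim licenses; a later step done first leaves cached auth usable.
REVOKE_ORDER = ["signin_blocked", "sessions_terminated",
                "entitlements_removed", "licenses_reclaimed"]

@dataclass
class LeaverState:
    completed: list        # revocation steps in the order they were actually done
    live_sessions: dict    # app -> count of sessions still valid
    entitlements: dict     # app -> roles still assigned
    discovered_apps: set   # user-level discovery result, including shadow IT
    inventory_apps: set    # official SaaS inventory
    shared_accounts: dict  # name -> {"rotated", "owner", "sessions_reviewed"}

def order_violations(completed):
    done = {step: i for i, step in enumerate(completed)}
    issues = [f"{s}: not done" for s in REVOKE_ORDER if s not in done]
    for earlier, later in zip(REVOKE_ORDER, REVOKE_ORDER[1:]):
        if earlier in done and later in done and done[later] < done[earlier]:
            issues.append(f"{later} before {earlier}")
    return issues

def residual_access(st):
    """Every path the leaver could still use; an empty list means the exit is closed."""
    f = order_violations(st.completed)
    f += [f"{app}: {n} live session(s)" for app, n in st.live_sessions.items() if n]
    f += [f"{app}: roles still assigned {r}" for app, r in st.entitlements.items() if r]
    f += [f"{app}: shadow IT app, not in inventory" for app in sorted(st.discovered_apps - st.inventory_apps)]
    for name, s in st.shared_accounts.items():   # rotation alone does not close the account
        for key, msg in (("rotated", "shared password not rotated"),
                         ("owner", "no named owner after exit"),
                         ("sessions_reviewed", "sessions and integrations not reviewed")):
            if not s.get(key):
                f.append(f"{name}: {msg}")
    return f

def exit_closed(st):
    return not residual_access(st)

# Constructed sample: sign-in is blocked, yet a CRM session, a file-store role,
# an untracked SaaS app and an un-owned shared account all outlive the exit.
SAMPLE = LeaverState(
    completed=["signin_blocked", "licenses_reclaimed", "entitlements_removed"],
    live_sessions={"crm": 1, "mail": 0},
    entitlements={"crm": [], "files": ["editor"]},
    discovered_apps={"crm", "mail", "files", "notes-saas"},
    inventory_apps={"crm", "mail", "files"},
    shared_accounts={"social-media": {"rotated": True, "owner": None, "sessions_reviewed": False}},
)
```

Run `residual_access(SAMPLE)` to get the seven open findings; the exit is only closed when that list is empty.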

Key takeaways

  • Remote offboarding fails when access removal is not synchronized across SaaS, SSO, shared accounts, and remote access.
  • Delayed deprovisioning creates a standing-access window that is more dangerous than the cost of unused licenses.
  • The strongest control is complete lifecycle revocation backed by discovery, ownership transfer, and session invalidation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Offboarding must remove credentials and access rights when employment ends. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero trust requires continuous verification and prompt removal of access after role change. |
| NIST SP 800-63 | | Identity lifecycle and federation controls are relevant where employee access spans SSO and IdP systems. |

Review federation and lifecycle controls so offboarding closes identity assertions, not just local accounts.


Key terms

  • Deprovisioning: Deprovisioning is the controlled removal of a user’s access, sessions, and dependent entitlements when they no longer need them. In practice it should cover identity providers, SaaS applications, device sessions, and shared credentials so no residual access survives the exit event.
  • Shadow IT: Shadow IT is software or service use that exists outside approved inventory and governance processes. It matters during offboarding because access cannot be removed from systems the organisation does not know about, leaving hidden entitlements and data paths active after departure.
  • Shared Account Ownership: Shared account ownership is the assignment of accountability for credentials used by more than one person or process. It is weak when the account has no named custodian, because password changes alone do not prove that prior access paths, integrations, and sessions have been closed.
  • Identity Lifecycle: Identity lifecycle is the full joiner, mover, leaver process that governs how identities are created, changed, reviewed, and removed. For offboarding, it means access removal must be tied to the departure event across every system where the identity can still act.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity in your organisation, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance Employee Offboarding: 5 Security Guidelines for a Remote Workplace. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org