TL;DR: Incomplete SaaS offboarding leaves orphaned licenses, lingering access, and compliance exposure, with 38% of employees admitting they have accessed a prior employer’s accounts after leaving and manual deprovisioning still taking about eight hours per leaver, according to 1Password and Ponemon Institute research. The control gap is not just identity revocation but lifecycle closure across apps, licenses, data transfer, and audit evidence.
At a glance
What this is: This is an analysis of how incomplete SaaS offboarding creates unused spend, residual access, and compliance risk across sanctioned and shadow applications.
Why it matters: It matters because identity programmes that stop at access revocation leave licenses, data, and audit trails behind, which affects NHI, human IAM, and lifecycle governance alike.
By the numbers:
- 38% of employees have accessed a prior employer’s accounts after leaving the company.
- 52% of employees admit to downloading work apps without IT approval.
Context
SaaS offboarding is the process of removing a departing employee’s access, reclaiming licenses, and closing out related data paths. The governance gap appears when organisations treat offboarding as account revocation only, while apps, licenses, file transfers, inboxes, and shadow IT remain outside consistent control.
For identity teams, the issue is broader than user deprovisioning. SaaS sprawl creates a lifecycle problem across human IAM and adjacent non-human access patterns, because apps, integrations, and delegated permissions can outlive the employee relationship even after the primary account is closed.
Key questions
Q: How should teams close SaaS access without leaving orphaned licenses behind?
A: Treat offboarding as a lifecycle process, not a single revoke action. Close access, delete or retire the account where appropriate, reclaim the license, transfer owned files and inboxes, and keep evidence of each step. If an app cannot be automated through the IdP, route it through a manual closure path so the subscription does not survive the employee.
Q: Why do offboarding programs still leak spend even when access is revoked?
A: Because revocation does not necessarily remove the subscription, data ownership, or delegated app relationship. Many organisations stop at authentication control and never reconcile the application, contract, and license layers. That leaves inactive seats on the books and creates hidden budget leakage that only shows up when the app inventory is cross-checked against leaver records.
Q: What do security teams get wrong about SaaS offboarding?
A: They often assume the identity provider is the whole control plane. In reality, SSO covers only part of the application estate, and many tools need separate steps for account deletion, file transfer, inbox routing, and license release. A complete program measures whether the app itself was closed, not just whether the user can still sign in.
Q: Who is accountable when a former employee still has SaaS access?
A: Accountability usually sits across IAM, IT operations, and the application owner, because each controls a different part of the lifecycle. IAM can revoke central access, but operations and app owners often control license reclamation and data transfer. Organisations need a named owner for complete offboarding, or stale accounts will remain a shared failure.
Technical breakdown
Why SSO-only offboarding leaves control gaps
Single sign-on can centralise authentication for some applications, but it does not govern the full SaaS estate. Many apps are not behind SSO, and even where integration exists, the connector may only disable access instead of deleting the account or reclaiming the license. That leaves a residual footprint across application records, billing, and data ownership. In practice, offboarding becomes fragmented across identity providers, IT service desks, and manual follow-up tasks, which is where errors accumulate.
Practical implication: treat SSO as one control plane, not the offboarding workflow itself, and map which SaaS apps only lose access, which also reclaim licenses, and which still need manual closure.
How shadow IT turns offboarding into spend leakage
Shadow IT is not just an inventory problem. When employees adopt unsanctioned apps, those accounts can persist after departure because they are invisible to standard joiner-mover-leaver workflows. The result is orphaned licenses, untracked data stores, and unmanaged collaboration surfaces that continue to consume budget. This is especially costly when the same application is used informally by multiple teams, because no single owner sees the full lifecycle burden.
Practical implication: continuous discovery has to feed offboarding, or the organisation only ever cleans up what it already knows about; connect discovery data to leaver workflows so unsanctioned apps are identified before the employee exits.
Why access reviews matter after deprovisioning
Offboarding is not complete when the primary account is closed. Access reviews are the control that verifies whether residual entitlements, delegated permissions, or shared assets still need to exist after role change or departure. Without that follow-through, organisations miss orphaned accounts, stale sharing relationships, and licenses that should be repurposed or retired. The article’s example shows that business continuity and compliance both depend on proving what was transferred, what was deleted, and what remains assigned.
Practical implication: schedule access reviews as a lifecycle checkpoint, not a periodic audit after the fact, and require evidence of data transfer, license reclamation, and account closure before offboarding is marked complete.
Threat narrative
Attacker objective: The objective is to exploit lingering SaaS access and ownership gaps after employee departure, whether for unauthorised account use, data exposure, or silent budget leakage.
- Entry occurs through apps and integrations that are outside IT’s direct control, especially shadow IT and partially integrated SaaS services.
- Credential and account persistence continue after departure when access is removed but licenses, delegated access, or unmanaged app accounts remain active.
- Impact shows up as wasted spend, unnecessary exposure of customer or employee data, and increased compliance burden when orphaned accounts are not closed.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Lifecycle closure, not access revocation, is the real offboarding control. This article exposes the difference between removing a login and closing the identity relationship. If licenses, inboxes, file ownership, and app-specific accounts remain behind, the organisation has not offboarded anything in governance terms. Practitioners should treat offboarding as a state change across entitlements, data custody, and audit evidence, not a ticket that ends when SSO access disappears.
Shadow SaaS creates a hidden lifecycle debt that standard IAM cannot see. The problem is not only unmanaged applications, but unmanaged ownership of those applications after people leave. That means the control failure sits at discovery, entitlement mapping, and license reclamation, not just at deprovisioning. The practitioner conclusion is simple: if discovery is incomplete, offboarding will be incomplete too.
Orphaned license persistence: this is the named failure mode the article illustrates. Access was removed in some cases, but the account, subscription, or data-bearing relationship remained live, which turns every leaver into a possible cost centre and exposure point. The implication is that lifecycle governance must explicitly distinguish access removal from account retirement and license recovery.
Access reviews after departure are a compliance control, not an optional hygiene step. The article makes clear that organisations need proof of closure, reuse, or deletion across SaaS assets. That is why the governance question is not whether the leaver left, but whether the organisation can demonstrate that the related digital estate did too. Practitioners should use offboarding evidence as an audit artefact, not an internal assumption.
Identity governance must now include SaaS economics as well as security. The spend leakage described here is a governance signal, not just a finance problem. If orphaned licences and redundant applications are not reclaimed, security teams inherit a growing inventory of unmanaged access that finance teams are quietly subsidising. The conclusion for practitioners is to align IAM, IT operations, and procurement around one lifecycle inventory.
From our research:
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- For a broader control lens, see the NHI Lifecycle Management Guide for how lifecycle closure and visibility change the offboarding equation across machine and service identities.
What this signals
Orphaned-access risk is becoming a lifecycle design problem, not a clean-up task. Organisations that still treat offboarding as a revoke-only process will keep paying for dormant licenses and stale entitlements. The more apps sit outside SSO, the more the programme depends on discovery, contract reconciliation, and evidence of closure rather than a single identity control.
The operational signal to watch is whether your leaver workflow produces a complete inventory delta, not just a disabled user record. If it does not, the next audit will expose the gap for you, and the finance team will likely find the waste before security does.
For teams building out lifecycle governance, the practical shift is to connect access reviews, procurement, and app discovery into one closure model. That is how you move from manual exception handling to a repeatable identity control surface.
For practitioners
- Rebuild offboarding around closure states: Define separate end states for access revoked, account deleted, license reclaimed, data transferred, and audit evidence stored. Require each leaver workflow to hit all five states before the case closes.
- Connect shadow IT discovery to leaver workflows: Use application discovery data to identify apps outside SSO before the employee exits, then route those apps into the same offboarding process as managed services.
- Separate access removal from license recovery: Track whether each integration disables login only or also removes the subscription. Where the connector cannot reclaim the license, make manual reclaim mandatory in the offboarding checklist.
- Make access reviews post-departure mandatory: Review remaining entitlements after offboarding to confirm no shared inboxes, delegated permissions, or orphaned records were left behind, and retain the results for audit.
- Unify identity, ITSM, and procurement records: Maintain one inventory of apps, users, contracts, and licenses so leaver actions can be reconciled against spend, ownership, and compliance requirements in the same workflow.
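As an added example (not the article's or 1Password's code), the reconciliation below cross-checks a constructed SaaS seat inventory against a leaver list and emits the inventory delta the post asks for: one finding per leaver seat that has not reached all five closure states, classified as an orphaned license, an open shadow IT account, or a partial closure, with a flag for seats whose connector cannot reclaim the license. All app names, users and ticket references are hypothetical.

```python
from collections import namedtuple

# The five closure states the post requires before a leaver case is closed.
CLOSURE_STATES = ("access_revoked", "account_deleted", "license_reclaimed",
                  "data_transferred", "evidence_stored")

# sso: app sits behind the IdP; reclaims: the connector releases the license, not just the login.
Seat = namedtuple("Seat", "app user sso reclaims login_enabled license_active "
                          "account_exists data_transferred evidence_ref")

# Hypothetical inventory export and leaver list, constructed for this example.
LEAVERS = {"a.lee", "j.ortiz"}
INVENTORY = [
    Seat("CRM", "a.lee", True, True, False, False, False, True, "TKT-1001"),
    Seat("NotesApp", "a.lee", False, False, True, True, True, False, None),    # shadow IT
    Seat("CRM", "j.ortiz", True, True, False, False, False, True, "TKT-1002"),
    Seat("DesignTool", "j.ortiz", True, False, False, True, True, True, None),  # SSO only disables login
    Seat("CRM", "m.chen", True, True, True, True, True, False, None),           # still employed
]

def closure_states(seat):
    """Map a seat onto the five closure states (True = state reached)."""
    return {"access_revoked": not seat.login_enabled,
            "account_deleted": not seat.account_exists,
            "license_reclaimed": not seat.license_active,
            "data_transferred": seat.data_transferred,
            "evidence_stored": seat.evidence_ref is not None}

def reconcile(inventory, leavers):
    """Inventory delta: one finding per leaver seat that has not reached every state."""
    findings = []
    for s in inventory:
        if s.user not in leavers:
            continue
        missing = [k for k, ok in closure_states(s).items() if not ok]
        if not missing:
            continue
        if not s.sso:
            kind = "shadow_it_open"     # invisible to the IdP; needs manual closure
        elif s.license_active and not s.login_enabled:
            kind = "orphaned_license"   # login revoked, seat still billed
        else:
            kind = "partial_closure"
        findings.append({"user": s.user, "app": s.app, "kind": kind, "missing": missing,
                         "manual_reclaim": not (s.sso and s.reclaims)})
    return findings

def case_complete(inventory, leavers, user):
    """A leaver case closes only when none of that user's seats appear in the delta."""
    return not any(f["user"] == user for f in reconcile(inventory, leavers))
```

Run against the sample data, both leavers stay open: a.lee because of an untouched shadow IT account, j.ortiz because the SSO connector disabled login but left the DesignTool seat billed and undocumented.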
Key takeaways
- Incomplete SaaS offboarding leaves a dual problem: residual access risk and ongoing spend leakage.
- The strongest evidence in the article is that access revocation alone does not reclaim licenses, close shadow IT apps, or satisfy audit expectations.
- Practitioners should redesign offboarding as a full lifecycle closure process with discovery, reclamation, transfer, and proof of completion.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Leaver access and entitlement cleanup map directly to access management. |
| OWASP Non-Human Identity Top 10 | NHI-03 | License retention and stale app access mirror NHI lifecycle control failures. |
| NIST SP 800-63 | Federated access revocation | Relevant where SSO only covers part of the app estate: use federation controls to close central access, then add app-level closure steps for coverage gaps. |
Key terms
- SaaS offboarding: The process of removing a departing user from software access while also closing the related account, subscription, and data-handling obligations. In mature programmes, it includes license recovery, file transfer, inbox ownership changes, and evidence that the app lifecycle has ended cleanly.
- Orphaned license: A software subscription seat that remains active after the original user no longer needs it. Orphaned licenses create direct cost leakage and can also preserve access paths or data ownership links that should have been retired during offboarding.
- Shadow IT: Software used for work without IT approval or visibility. It often starts as a productivity shortcut, but it becomes a governance problem when those apps are outside standard identity controls and therefore outside normal offboarding, audit, and procurement processes.
- Access review: A formal check to confirm whether a user, account, or entitlement still needs to exist. For SaaS offboarding, it is the control that catches residual access after departure and helps prove that licenses, shared assets, and delegated permissions have been handled correctly.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
This post draws on content published by 1Password: SaaS offboarding gaps are driving wasted spend and access risk. Read the original.
Published by the NHIMG editorial team on 2025-12-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org