By NHI Mgmt Group Editorial Team | Published 2026-02-10 | Domain: Governance & Risk | Source: 1Password

TL;DR: Modern SaaS environments fragment onboarding and offboarding across managed apps, unmanaged apps, licenses, and manual handoffs, so access clean-up often fails even when SSO is in place, according to 1Password. The practical issue is lifecycle control, not workflow speed, because incomplete deprovisioning leaves orphaned access, wasted spend, and audit gaps.


At a glance

What this is: This is a lifecycle governance article showing that SaaS onboarding and offboarding break down when teams rely on SSO and manual checklists instead of full app visibility.

Why it matters: It matters because IAM teams cannot govern joiner-mover-leaver access, licenses, and audit evidence consistently unless they can see and act across managed and unmanaged SaaS apps.



Context

SaaS onboarding and offboarding are lifecycle problems, not just IT ticketing problems. When apps live outside SSO and access decisions are spread across tickets, checklists, and tribal knowledge, the organisation loses control over who has access, where data lives, and when licenses should be reclaimed.

The article frames a familiar failure pattern for modern identity programmes: access is granted faster than it is governed. That creates orphaned accounts, lingering licenses, and incomplete audit trails across SaaS estates that keep expanding beyond the reach of manual process.

For teams building lifecycle controls, the right reference point is the NHI Lifecycle Management Guide, because the same governance logic applies whenever access must be provisioned, reviewed, and removed across a distributed application landscape.


Key questions

Q: How should security teams handle onboarding and offboarding across SaaS apps that are not behind SSO?

A: Security teams should treat non-SSO SaaS apps as first-class lifecycle targets. Build an application inventory, define the deprovisioning path for each app, and automate account closure, license reclamation, and file transfer where possible. The goal is complete access removal, not just disabling the primary identity provider.

Q: Why do manual offboarding checklists so often leave access behind?

A: Manual checklists fail because they depend on people remembering every app, owner, and downstream entitlement at the moment a worker leaves. In practice, delays, shadow IT, and fragmented ownership create orphaned accounts and lingering licenses. A repeatable workflow with discovery and evidence collection closes those gaps more reliably.

Q: What do teams get wrong about SSO and lifecycle control?

A: Teams often assume SSO coverage equals complete access governance. It does not. SSO manages the authenticated path, but many applications, licenses, and file ownership changes sit outside that boundary. A secure lifecycle programme has to manage the entire access footprint, including unmanaged apps and manual transfer steps.

Q: What should organisations do when an employee leaves to reduce residual risk?

A: They should revoke access everywhere, confirm that licenses are reclaimed or reassigned, and verify that files or folders are transferred to the right owner. The process should end only when the audit trail shows completion across every relevant SaaS application, not just the central login system.


Technical breakdown

Why SSO does not complete offboarding

Single sign-on centralises authentication, but it does not automatically govern every app, license, or downstream entitlement tied to a worker. In SaaS-heavy environments, many applications remain outside the SSO control plane, which means disabling one login does not necessarily remove the underlying account, transfer files, or reclaim paid seats. Lifecycle closure therefore depends on coverage across the whole application estate, not only the federated layer. That is why offboarding can still leave data, spend, and access behind even when the primary identity provider is cleanly deprovisioned.

Practical implication: map every SaaS application to a deprovisioning path, not just an authentication path.

Why manual lifecycle steps create orphaned access

Manual onboarding and offboarding usually fail at the handoff points. Tickets get delayed, managers forget application ownership, and ad hoc checklists miss shadow IT and contractor accounts that were never fully catalogued. The result is orphaned access that persists after employment changes, often alongside unused licenses that continue to cost money. Lifecycle control only works when discovery, approval, execution, and evidence collection are connected into one repeatable process. Fragmented workflows are the reason access reviews often look complete on paper but incomplete in reality.

Practical implication: remove human handoffs from the critical path for account closure and license reclamation.

What auditable SaaS lifecycle control requires

A reliable SaaS lifecycle process needs visibility into all apps, automated provisioning and deprovisioning, and a record of what changed, when, and by whom. That audit trail matters because offboarding is not only a security event but also a compliance and continuity event. Where files, folders, and licenses must be transferred, the process should make that ownership change explicit rather than implied. In practice, this is the difference between closing an employee record and actually closing their access footprint.

Practical implication: require auditable evidence for every lifecycle action, including asset transfer and entitlement removal.




NHI Mgmt Group analysis

Lifecycle governance fails when organisations treat SaaS access as an authentication problem instead of a coverage problem. The article shows that SSO can remove access from managed applications while leaving unmanaged apps, licenses, and data paths untouched. That is not only a tooling gap; it is a governance boundary error that leaves the offboarding state incomplete. Practitioners should read this as a signal that lifecycle control must be defined across the whole SaaS estate, not only where federation exists.

Shadow IT turns offboarding into a discovery problem. If teams cannot continuously identify the applications employees actually use, they cannot credibly deprovision them later. The article’s emphasis on unmanaged apps is a reminder that access recertification and leaver processing depend on accurate application inventory. Practitioners should expect the largest control failures where app discovery is weakest.

Orphaned access is the visible symptom of a broader lifecycle design flaw. When accounts linger after a move or exit, the real failure is that access state is not tied to a dependable ownership model. This is where NHI lifecycle discipline and human JML discipline converge: access that outlives accountability becomes a standing risk whether the identity is a person or a non-human account. Practitioners should treat persistent access as a lifecycle exception to eliminate, not a cleanup task to postpone.

Auditable offboarding is now a control requirement, not an administrative extra. The article ties offboarding to audit trail quality, license recovery, and continuity handling for files and inboxes. That combination means the lifecycle process has to prove completion, not merely attempt it. Practitioners should prioritise evidence generation as part of the process design, because unproven offboarding is not controlled offboarding.

From our research: what this signals

Lifecycle blind spots are the hidden tax in SaaS-heavy identity programmes. As organisations add more apps outside central control, the operational burden shifts from authentication to coverage, which means offboarding, license recovery, and ownership transfer become the real control points. Teams that cannot see every app cannot prove that access has been removed everywhere.

Identity governance now has to treat SaaS inventory as a control surface. The programme signal is clear: if discovery remains fragmented, lifecycle execution will remain partial. That is why the strongest near-term improvements will come from connecting application discovery, joiner-mover-leaver workflows, and evidence generation into one process rather than optimising each step separately.


For practitioners

  • Build a complete SaaS application inventory: Continuously discover managed, unmanaged, and shadow SaaS apps before designing onboarding and offboarding flows. Use the inventory as the source of truth for deprovisioning coverage, license reclamation, and manager notification paths.
  • Automate offboarding beyond the SSO boundary: Create deprovisioning workflows for apps that sit outside federated access, including direct accounts, license removal, and file transfer actions. Do not stop at disabling the primary login if downstream accounts still exist.
  • Track license recovery as a governance outcome: Measure whether offboarding actually reclaims or reassigns licenses, not just whether a ticket was closed. Tie that metric to manager approval and application ownership so spend recovery and access removal happen together.
  • Require an audit trail for lifecycle completion: Record the entitlement changes, file transfers, and ownership handoffs that occur during joiner and leaver processing. If the evidence is missing, treat the workflow as incomplete even if the account was touched.
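As an added example (not 1Password's or NHIMG's code), the reconciliation below applies the four practitioner steps to one leaver: it walks a SaaS inventory covering both SSO-managed and direct apps, reports the access, seats and files that survive an IdP disable, and emits an evidence record that only reads complete when nothing remains. The inventory, field names and finding labels are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AppState:
    """Per-app lifecycle state for one leaver (constructed fields)."""
    app: str
    sso_managed: bool       # app authenticates through the IdP
    account_active: bool    # local or downstream account still exists
    license_seats: int      # paid seats still assigned to the leaver
    owned_files: int        # files or folders still owned by the leaver
    owner: Optional[str]    # accountable application owner, if catalogued

def residual_findings(states, idp_disabled):
    """Lifecycle exceptions that survive disabling the IdP login.

    SSO covers only the authenticated path: a disabled IdP login leaves an
    SSO-managed account unreachable but present, while a direct account in
    an unmanaged app stays fully usable (orphaned access).
    """
    findings = []
    for s in states:
        if s.account_active:
            reachable = not (s.sso_managed and idp_disabled)
            findings.append((s.app, "orphaned_account" if reachable
                             else "account_not_closed"))
        if s.license_seats > 0:
            findings.append((s.app, "license_not_reclaimed"))
        if s.owned_files > 0:
            findings.append((s.app, "files_not_transferred"))
        if s.owner is None:
            findings.append((s.app, "no_owner"))
    return findings

def offboarding_evidence(worker, states, idp_disabled):
    """Audit record: complete only when the IdP is disabled and nothing remains."""
    findings = residual_findings(states, idp_disabled)
    return {"worker": worker, "idp_disabled": idp_disabled,
            "apps_checked": len(states), "findings": findings,
            "complete": idp_disabled and not findings}

# Constructed inventory for one leaver: an SSO app with a lingering seat,
# an unmanaged app that was never catalogued, and one already cleaned up.
LEAVER_INVENTORY = [
    AppState("hr-system", True, True, 1, 0, "people-ops"),
    AppState("design-tool", False, True, 2, 14, None),
    AppState("ticketing", True, False, 0, 0, "it-ops"),
]
```

Running `residual_findings(LEAVER_INVENTORY, idp_disabled=True)` shows the page's point directly: the federated app is left with an unreachable account and an unreclaimed seat, while the unmanaged app keeps a live account, two seats, fourteen files and no owner.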

Key takeaways

  • SaaS onboarding and offboarding fail most often where visibility ends and manual handoffs begin.
  • SSO alone does not close the lifecycle loop because unmanaged apps, licenses, and file ownership can persist after departure.
  • The control that changes the outcome is complete, auditable lifecycle execution across every application in use.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The article's lifecycle risk is incomplete deprovisioning of non-human access.
NIST CSF 2.0 | PR.AC-1 | Access control and lifecycle closure are central to the article's governance gap.
NIST Zero Trust (SP 800-207) | AC-4 | The post highlights access decisions that extend beyond a single trusted boundary.

Map SaaS offboarding to NHI-03 and verify that account closure includes downstream entitlements.


Key terms

  • SaaS Lifecycle Governance: SaaS lifecycle governance is the discipline of controlling access from joiner to leaver across cloud applications. It includes provisioning, entitlement review, deprovisioning, license recovery, and evidence collection so the organisation can prove access was removed everywhere it mattered.
  • Orphaned Account: An orphaned account is an application account that remains active after the person or process that owned it has changed or left. In SaaS environments, orphaning often happens outside SSO, where direct accounts and unmanaged apps persist without a clear ownership or offboarding path.
  • Shadow IT: Shadow IT is software used without formal approval or visibility from the security or IT function. In lifecycle programmes it creates a discovery gap, because any app that is invisible at onboarding is also easy to miss at offboarding, leaving access and data behind.
  • License Reclamation: License reclamation is the process of recovering, reassigning, or terminating software seats when access is removed. It matters because offboarding is only partially complete if the user account is closed but the paid entitlement, billing record, or application ownership still persists.

Deepen your knowledge

SaaS onboarding and offboarding lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a lifecycle programme for fragmented SaaS estates, it is worth exploring.

This post draws on content published by 1Password: onboarding and offboarding across modern SaaS environments. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org