TL;DR: User deprovisioning removes access, credentials, and permissions when people leave, change roles, or finish contracts. SecurEnds argues that manual offboarding leaves orphaned accounts, audit gaps, and lingering exposure across IAM and IGA workflows. Timely deprovisioning is not a back-office task but the control that determines whether identity governance actually closes the access loop.
NHIMG editorial — based on content published by SecurEnds: user deprovisioning, SCIM, and identity lifecycle management
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams automate user deprovisioning across SaaS applications?
A: Security teams should connect the authoritative exit event, usually from HR or contractor records, to the identity platform and then push revocation through SCIM, APIs, or connector-based workflows.
Q: Why do orphaned accounts remain a serious IAM risk?
A: Orphaned accounts remain risky because they preserve access after the business relationship has ended, which gives attackers or insiders a low-friction path into systems and data.
Q: What do organisations get wrong about access reviews and offboarding?
A: Many organisations assume access reviews will catch stale access after the fact, but reviews are only effective if offboarding is already timely and reliable.
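The point in the two answers above is that an orphaned account is a standing privilege window, and that a periodic review only measures how long the window has been open. The following reconciliation script is an added example, not code from SecurEnds or the article: it checks an application's account export against HR master records, flags enabled accounts whose owner has left or that no HR record claims at all, and reports how many days each has outlived the business need. The HR records, the account export and the field names are constructed for the example.

```python
from datetime import date

# Constructed sample data for this example (not from the article).
# HR master records, keyed by worker id: the authoritative source of who
# still has a business relationship with the organisation.
HR_RECORDS = {
    "e100": {"email": "alice@example.com", "status": "active", "end_date": None},
    "e101": {"email": "bob@example.com", "status": "terminated", "end_date": date(2024, 3, 1)},
    "c200": {"email": "carol@contractor.example", "status": "terminated", "end_date": date(2024, 5, 20)},
}

# Accounts as exported from one SaaS application's admin console (constructed).
APP_ACCOUNTS = [
    {"app": "crm", "username": "alice@example.com", "active": True},
    {"app": "crm", "username": "Bob@example.com", "active": True},           # owner left in March
    {"app": "crm", "username": "carol@contractor.example", "active": False},  # already disabled
    {"app": "crm", "username": "svc-export@example.com", "active": True},    # nobody in HR owns this
]


def find_orphans(hr_records, app_accounts, today):
    """Reconcile application accounts against the HR master.

    An account is orphaned when it is still enabled but either its owner is no
    longer active in HR or no HR record claims it at all. `days_open` is how
    long the access has outlived the business need; None when unknown.
    """
    by_email = {r["email"].lower(): r for r in hr_records.values()}
    findings = []
    for acct in app_accounts:
        if not acct["active"]:
            continue  # a disabled account is not a standing privilege
        owner = by_email.get(acct["username"].lower())  # match case-insensitively
        if owner is None:
            findings.append({"app": acct["app"], "username": acct["username"],
                             "reason": "no_owner_in_hr", "days_open": None})
        elif owner["status"] != "active":
            days = (today - owner["end_date"]).days if owner["end_date"] else None
            findings.append({"app": acct["app"], "username": acct["username"],
                             "reason": "owner_left", "days_open": days})
    # Longest-standing exposure first; unknown age sorts last.
    findings.sort(key=lambda f: (f["days_open"] is None, -(f["days_open"] or 0)))
    return findings


def sample_report():
    """Run the reconciliation over the constructed data as of 10 June 2024."""
    return find_orphans(HR_RECORDS, APP_ACCOUNTS, date(2024, 6, 10))


if __name__ == "__main__":
    for finding in sample_report():
        print(finding)
```

On the sample data the review finds Bob's CRM account 101 days after his termination date and a service account with no owner in HR at all. That second finding is the one a review built purely on HR leaver dates never produces, which is why the reconciliation has to start from the application side and not only from the exit event.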
Practitioner guidance
- Automate the leaver trigger from the authoritative source. Connect HR, contractor management, or identity master records directly to the IAM workflow so access removal starts from a trusted exit event rather than a manual ticket.
- Map every connected application to a revocation path. Inventory which systems support SCIM, API-based deactivation, or admin-console removal, then document the fallback process for anything that cannot be revoked automatically.
- Prove that deprovisioning completed, not just initiated. Require audit evidence for account disablement, group removal, session termination, and license removal so offboarding can be verified during access reviews and compliance checks.
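The three steps above form one workflow: a trusted leaver event, a revocation path per application, and evidence that revocation actually completed. The script below is an added example, not SecurEnds' code or product logic. It takes a constructed HR leaver event, fans it out over a hypothetical revocation map, issues the standard SCIM 2.0 PatchOp (RFC 7644) that sets `active` to `false` for each SCIM-capable app, reads the resource back rather than trusting the HTTP status code, records a fallback ticket for the app that has no automated path, and returns one audit record per application. The SCIM servers are in-memory fakes so the example runs offline; one of them is deliberately configured to return 200 without changing the user, which is the "initiated but not completed" failure the read-back is there to catch.

```python
import json
from datetime import datetime, timezone

SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed leaver event in the shape an HR system might emit (hypothetical).
LEAVER_EVENT = {"event": "worker.terminated", "worker_id": "e101",
                "email": "bob@example.com", "effective": "2024-03-01"}

# Hypothetical revocation map: every connected app and the path used to revoke.
REVOCATION_MAP = {
    "crm":        {"method": "scim"},
    "chat":       {"method": "scim"},
    "legacy-erp": {"method": "manual", "owner": "erp-admins@example.com"},
}


def scim_deactivate_body():
    """RFC 7644 PatchOp that sets active=false, the standard SCIM deprovision."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


class FakeScimServer:
    """In-memory stand-in for a SCIM 2.0 /Users endpoint so the example runs
    offline. honours_patch=False models a server that returns 200 but does not
    actually change the resource, which read-back verification must catch."""

    def __init__(self, users, honours_patch=True):
        self.users = {u["id"]: dict(u) for u in users}
        self.honours_patch = honours_patch

    def get(self, filter_expr):  # supports the one filter form used here: userName eq "value"
        attr, _, value = filter_expr.partition(" eq ")
        return [u for u in self.users.values() if u.get(attr) == value.strip('"')]

    def patch(self, user_id, body):
        if body.get("schemas") != [SCIM_PATCH]:
            return 400
        if user_id not in self.users:
            return 404
        if self.honours_patch:
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and op.get("path") == "active":
                    self.users[user_id]["active"] = op["value"]
        return 200


def revoke_scim(server, email):
    """Disable the user via SCIM and verify by reading the resource back."""
    found = server.get(f'userName eq "{email}"')
    if not found:
        return {"status": "not_found", "evidence": None}
    user_id = found[0]["id"]
    code = server.patch(user_id, scim_deactivate_body())
    after = server.get(f'userName eq "{email}"')[0]  # verify state, do not trust the status code
    status = "revoked" if code == 200 and after["active"] is False else "failed_verification"
    return {"status": status,
            "evidence": {"user_id": user_id, "http": code, "active_after": after["active"]}}


def deprovision(event, revocation_map, scim_servers):
    """Fan one leaver event out to every mapped app; return one audit record per app."""
    if event.get("event") != "worker.terminated":
        raise ValueError("not a leaver event")
    records = []
    for app, route in revocation_map.items():
        rec = {"app": app, "worker_id": event["worker_id"], "method": route["method"],
               "at": datetime.now(timezone.utc).isoformat()}
        if route["method"] == "scim":
            rec.update(revoke_scim(scim_servers[app], event["email"]))
        else:  # no automated path: record the fallback so it is tracked, not forgotten
            rec.update({"status": "pending_manual", "evidence": {"ticket_to": route["owner"]}})
        records.append(rec)
    return records


def incomplete(records):
    """Everything still needing follow-up before offboarding can be called done."""
    return [r for r in records if r["status"] != "revoked"]


def build_servers():
    """Fresh fake tenants for the sample run (constructed data)."""
    bob = {"id": "u1", "userName": "bob@example.com", "active": True}
    return {"crm": FakeScimServer([bob]),
            "chat": FakeScimServer([dict(bob, id="u9")], honours_patch=False)}


if __name__ == "__main__":
    servers = build_servers()
    records = deprovision(LEAVER_EVENT, REVOCATION_MAP, servers)
    print(json.dumps(records, indent=2))
    print("still open:", [r["app"] for r in incomplete(records)])
```

Against a real tenant the `get` and `patch` calls become HTTP requests to the app's `/Users` endpoint with a bearer token; everything else, including the read-back and the per-app audit record, stays the same. The records are what an access review or auditor should be shown: the CRM entry proves the account is now inactive, the chat entry shows a 200 that did not actually disable anything, and the ERP entry shows that a manual fallback was raised and is still open.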
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how manual deprovisioning typically flows through HR, IT, and application teams.
- Examples of SCIM-based deprovisioning across Google Workspace, Salesforce, Slack, and other connected apps.
- Practical discussion of access reviews, audit readiness, and why offboarding logs matter during compliance checks.
- A walkthrough of how SecurEnds positions automation across the identity lifecycle, including vendor, contractor, and intern access.
👉 Read SecurEnds' full guide on user deprovisioning and offboarding automation →
User deprovisioning and offboarding: why do access reviews miss it?
Explore further
Deprovisioning is the identity control that closes the access loop, and most programmes still treat it as operational housekeeping. That framing is too small. When access removal is delayed, the organisation is effectively accepting a standing privilege window after the business need has ended. Practitioners should treat leaver controls as a primary governance boundary, not a back-office task.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own deprovisioning when employees, contractors, and vendors leave?
A: Ownership should sit with the identity governance process, not with a single team acting alone. HR, IAM, application owners, and compliance all have roles, but the control must have one accountable workflow that can prove access was removed across systems and identities.
👉 Read our full editorial: User deprovisioning is the missing control in IAM lifecycle governance