Employee offboarding and SaaS access: where do teams still fail?

TL;DR: Remote offboarding can leave former employees with lingering SaaS, CRM, email, and SSO access, creating avoidable exposure when deprovisioning is delayed or incomplete, according to Zluri and OneLogin. The governance gap is not the exit process itself but the failure to terminate access quickly enough across every identity system.

NHIMG editorial — based on content published by Zluri: Security & Compliance Employee Offboarding: 5 Security Guidelines for a Remote Workplace

By the numbers:

• 32% of companies reported taking more than a week to deprovision employees from SaaS apps who have left.

Questions worth separating out

Q: What breaks when employee offboarding is not tightly coordinated across identity systems?

A: Access can survive the departure event.

Q: Why do delayed deprovisioning and shadow IT create a larger security problem than unused licenses?

A: Because the issue is not only cost.

Q: What do security teams get wrong about shared accounts during offboarding?

A: They often rotate a password and stop there.

Practitioner guidance

• Build a single offboarding control list Define one authoritative checklist that covers SaaS, SSO, shared accounts, device sessions, VPN, voicemail, and external collaboration tools.
• Revoke access in dependency order Block sign-in, terminate live sessions, remove application entitlements, and then reclaim licenses so a user cannot retain access through cached authentication or overlooked downstream permissions.
• Inventory shadow IT before the last workday Use user-level application discovery to identify the full SaaS footprint tied to the departing employee, including tools that never appear in the official procurement list.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• The step-by-step offboarding checklist for remote workers, including asset recovery and account closure sequencing.
• The deprovisioning workflow details for SSO, IdP, remote access, and connected SaaS applications.
• The discussion of how discovery tools help identify shadow IT before a user leaves.
• The article's practical notes on shared account handling, voicemail changes, and backup storage during exit.

👉 Read Zluri's offboarding checklist for SaaS, SSO, and remote access cleanup →

Employee offboarding and SaaS access: where do teams still fail?

Explore further

View Full Forum →  |  NHI Foundation Course →