TL;DR: Patchy IT offboarding leaves former employee access, shared credentials, and remote login paths active long enough to create breach, compliance, and license waste risks, according to Zluri. Offboarding is still being treated as an admin task instead of a lifecycle control point, while TechRepublic says 70% of IT decision-makers need up to an hour to deprovision a single leaver’s accounts.
NHIMG editorial — based on content published by Zluri: Lifecycle Management Secure IT Offboarding Checklist
By the numbers:
- 20% of businesses have experienced data breaches connected to former employees.
- 70% of IT decision-makers surveyed said it could take up to an hour to deprovision all of a single former employee’s corporate application accounts.
Questions worth separating out
Q: What breaks when offboarding removes SSO access before application access?
A: Teams can strand active application sessions, preserve app-level admin rights, and lose the ability to transfer ownership cleanly.
Q: Why do former employees remain a security risk after their accounts are disabled?
A: Because disabling one identity layer does not always revoke all downstream access, sessions, tokens, or remote entry methods.
Q: How can security teams tell whether offboarding actually worked?
A: They should confirm that app access, shared credentials, remote login paths, ownership records, and logs all show the same removed state.
Practitioner guidance
- Sequence deprovisioning bottom-up: Remove access from applications first, then revoke identity provider access, so you can still transfer ownership and clear app-specific admin rights before the directory account is closed.
- Rotate every shared credential at exit: Change passwords, invalidate tokens, and terminate sessions for any shared account the departing user could still reach, especially collaboration and utility tools that are often overlooked.
- Transfer ownership before access removal: Reassign documents, subscriptions, and administrative responsibility to a successor before the leaver is fully disabled, or you risk losing the ability to manage the asset later.
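An added example, not taken from Zluri's post: a small audit that checks one leaver's record against the guidance above, flagging out-of-order steps and any layer that does not show the removed state. The event names, state fields, and sample data are constructed for illustration and assume you can export equivalent records from your own directory, SaaS, and remote-access tooling.

```python
from datetime import datetime

# Constructed sample data for one leaver (hypothetical schema, not a vendor export).
EXIT_TS = "2024-05-01T09:00"
EVENTS = [
    {"ts": "2024-05-01T09:00", "action": "ownership_transferred", "target": "shared-drive"},
    {"ts": "2024-05-01T09:10", "action": "app_removed", "target": "crm"},
    {"ts": "2024-05-01T09:30", "action": "idp_revoked", "target": "directory"},
    {"ts": "2024-05-01T10:00", "action": "app_removed", "target": "wiki"},
]
STATE = {
    "app_accounts": {"crm": "removed", "wiki": "removed", "design-tool": "active"},
    "active_sessions": ["design-tool"],
    "shared_credentials": {"social-media": "2024-03-12T08:00", "wifi-guest": "2024-05-01T11:00"},
    "remote_access": {"vpn": "revoked", "ssh-key": "present"},
    "owned_assets": ["billing-subscription"],
}

def _t(stamp):
    return datetime.fromisoformat(stamp)

def audit_offboarding(events, state, exit_ts):
    """Return sorted findings; an empty list means every layer shows the removed state."""
    findings = []
    idp = [_t(e["ts"]) for e in events if e["action"] == "idp_revoked"]
    idp_ts = min(idp) if idp else None
    if idp_ts is None:
        findings.append("idp: no revocation event recorded")
    for e in events:
        # Bottom-up order: ownership transfer and app removal come before IdP revocation.
        early_step = e["action"] in ("ownership_transferred", "app_removed")
        if idp_ts is not None and early_step and _t(e["ts"]) > idp_ts:
            findings.append(f"sequence: {e['action']} on {e['target']} after IdP revocation")
    for app, status in state["app_accounts"].items():
        if status != "removed":
            findings.append(f"app: {app} account still {status}")
    for app in state["active_sessions"]:
        findings.append(f"session: live session in {app}")
    for name, rotated in state["shared_credentials"].items():
        if rotated is None or _t(rotated) < _t(exit_ts):
            findings.append(f"shared-credential: {name} not rotated since exit")
    for path, status in state["remote_access"].items():
        if status != "revoked":
            findings.append(f"remote: {path} still {status}")
    for asset in state["owned_assets"]:
        findings.append(f"ownership: {asset} still owned by leaver")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_offboarding(EVENTS, STATE, EXIT_TS)))
```
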
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- The full seven-step offboarding checklist, including ownership transfer, application removal, SSO revocation, and hardware recovery sequence
- The discovery methods Zluri describes for finding employee applications across SaaS, directory, HR, finance, and device systems
- The practical handling of shared accounts, remote access methods, and delayed application deletion buffers
- The tool-specific workflow for transferring documents, forwarding email, and tracking leaver activity in the platform