TL;DR: Incomplete SaaS offboarding leaves orphaned licenses, lingering access, and compliance exposure, with 38% of employees admitting they have accessed a prior employer’s accounts after leaving and manual deprovisioning still taking about eight hours per leaver, according to 1Password and Ponemon Institute research. The control gap is not just identity revocation but lifecycle closure across apps, licenses, data transfer, and audit evidence.
NHIMG editorial — based on content published by 1Password: SaaS offboarding gaps are driving wasted spend and access risk
By the numbers:
- 38% of employees have accessed a prior employer’s accounts after leaving the company.
- 52% of employees admit to downloading work apps without IT approval.
Questions worth separating out
Q: How should teams close SaaS access without leaving orphaned licenses behind?
A: Treat offboarding as a lifecycle process, not a single revoke action.
Q: Why do offboarding programs still leak spend even when access is revoked?
A: Because revocation does not necessarily remove the subscription, data ownership, or delegated app relationship.
Q: What do security teams get wrong about SaaS offboarding?
A: They often assume the identity provider is the whole control plane.
Practitioner guidance
- Rebuild offboarding around closure states: Define separate end states for access revoked, account deleted, license reclaimed, data transferred, and audit evidence stored.
- Connect shadow IT discovery to leaver workflows: Use application discovery data to identify apps outside SSO before the employee exits, then route those apps into the same offboarding process as managed services.
- Separate access removal from license recovery: Track whether each integration disables login only or also removes the subscription.
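The guidance above can be modelled as per-app closure tracking for a single leaver. This is an added example, not code from 1Password or the original editorial. The integration labels, the app names, and the assumption that a "deprovision" integration releases the seat are all illustrative.

```python
from dataclasses import dataclass, field

# The five end states named in the guidance above.
CLOSURE_STATES = ("access_revoked", "account_deleted", "license_reclaimed",
                  "data_transferred", "audit_evidence_stored")

@dataclass
class AppAccount:
    app: str
    behind_sso: bool   # False: found only by application discovery
    integration: str   # assumed labels: "login_only", "deprovision", "none"
    done: set = field(default_factory=set)  # closure states confirmed so far

def apply_idp_disable(accounts):
    """Record what disabling the leaver in the IdP achieves for each app."""
    for a in accounts:
        if not a.behind_sso or a.integration == "none":
            continue  # the IdP action never reaches this app
        a.done.add("access_revoked")
        if a.integration == "deprovision":
            a.done.add("license_reclaimed")  # assumed: seat is released too
    return accounts

def open_items(accounts):
    """Map each app that is not fully closed to its missing end states."""
    gaps = {a.app: [s for s in CLOSURE_STATES if s not in a.done] for a in accounts}
    return {app: missing for app, missing in gaps.items() if missing}

def lingering_access(accounts):
    return [a.app for a in accounts if "access_revoked" not in a.done]

def orphaned_licenses(accounts):
    """Login is gone but the seat is still being paid for."""
    return [a.app for a in accounts
            if "access_revoked" in a.done and "license_reclaimed" not in a.done]

def sample_leaver():
    # Constructed inventory for one leaver; app names are placeholders.
    return [AppAccount("crm", True, "deprovision"),
            AppAccount("design-tool", True, "login_only"),
            AppAccount("notes-app", False, "none")]

if __name__ == "__main__":
    accounts = apply_idp_disable(sample_leaver())
    print("lingering access:", lingering_access(accounts))
    print("orphaned licenses:", orphaned_licenses(accounts))
    for app, missing in open_items(accounts).items():
        print(app, "->", ", ".join(missing))
```

Even the fully integrated app stays open after the IdP disable, because data transfer and audit evidence are separate end states that no revoke action sets.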
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- A worked cost model for orphaned SaaS licenses across a 500-employee organisation and 15% turnover.
- Operational guidance on how SaaS management platforms complement IdPs when apps sit outside SSO.
- Examples of reclaiming licenses, transferring files, and redirecting mailboxes during leaver workflows.
- Implementation details for audit trails and access review exports that support compliance evidence.
Incomplete SaaS offboarding: what IAM teams need to close now?
Explore further
Lifecycle closure, not access revocation, is the real offboarding control. This article exposes the difference between removing a login and closing the identity relationship. If licenses, inboxes, file ownership, and app-specific accounts remain behind, the organisation has not offboarded anything in governance terms. Practitioners should treat offboarding as a state change across entitlements, data custody, and audit evidence, not a ticket that ends when SSO access disappears.
A few things that frame the scale:
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
A question worth separating out:
Q: Who is accountable when a former employee still has SaaS access?
A: Accountability usually sits across IAM, IT operations, and the application owner, because each controls a different part of the lifecycle. IAM can revoke central access, but operations and app owners often control license reclamation and data transfer. Organisations need a named owner for complete offboarding, or stale accounts will remain a shared failure.