TL;DR: Manual offboarding remains a common cause of orphaned accounts, stale access and audit failure because identity, SaaS, session, VPN and physical controls are often revoked in separate steps, according to Clarity Security. The governance problem is not speed alone, but whether leaver processes actually close every access path before accountability disappears.
NHIMG editorial — based on content published by Clarity Security: an IT offboarding checklist for modern security and IT teams
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams implement offboarding so former employees lose access everywhere?
A: Start with a single leaver workflow that disables the identity at the source, then fan out to SaaS, VPN, cloud storage, device management and physical access systems.
Q: Why do orphaned accounts keep appearing after employee terminations?
A: Orphaned accounts persist when offboarding only covers the primary directory and ignores downstream systems that authenticate independently.
Q: How do you know if an offboarding process is actually working?
A: Measure how many identities still have active access after termination, how long revocation takes, and how often unmanaged systems are discovered in post-termination reviews.
Practitioner guidance
- Reconcile every leaver workflow to one revocation sequence: build a termination runbook that lists the IdP, SSO, SaaS apps, VPN, cloud storage, shared credentials, devices and physical badges that must be disabled, in order.
- Separate access removal from asset transfer: transfer file ownership, inbox custody and application ownership before deletion, but do not delay access revocation while waiting for the business to preserve content.
- Log the evidence needed for audit and remediation: capture who approved the leaver action, what systems were touched, what remained open, and when each step completed.
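As an added illustration of the three guidance points above (example code, not Clarity Security's or NHIMG's), the Python below runs a fixed revocation order from the identity source outward, records the evidence an audit needs (approver, systems touched, what remained open, when each step completed) and computes the three measures from the Q&A above. The system names, the connector callables and the sample leaver are constructed assumptions; in practice each connector would wrap the real IdP, SaaS, VPN or badge API.

```python
from datetime import datetime, timedelta, timezone

# Revocation order from the runbook: disable the identity at its source first,
# then fan out to every system that can still authorise the user.
RUNBOOK = ["idp", "sso", "saas", "vpn", "cloud_storage", "devices", "badge"]

def run_leaver_workflow(user, approver, connectors, clock=None):
    """Run the runbook for one leaver and return the evidence record.
    connectors: system name -> callable(user) returning True when revoked.
    No connector = unmanaged path; a failed step is recorded as still open;
    the run never stops early, so later systems are not left untouched."""
    clock = clock or (lambda: datetime.now(timezone.utc))
    evidence = {"user": user, "approved_by": approver, "started": clock(),
                "steps": [], "still_open": []}
    for system in RUNBOOK:
        revoke = connectors.get(system)
        if revoke is None:
            status = "unmanaged"
        else:
            try:
                status = "revoked" if revoke(user) else "failed"
            except Exception as exc:  # a connector error is evidence too
                status = f"error: {exc}"
        evidence["steps"].append({"system": system, "status": status,
                                  "completed": clock()})
        if status != "revoked":
            evidence["still_open"].append(system)
    evidence["finished"] = clock()
    return evidence

def offboarding_metrics(records):
    """The three measures from the post: identities still holding access,
    revocation time per leaver, and unmanaged systems discovered."""
    return {
        "still_with_access": [r["user"] for r in records if r["still_open"]],
        "revocation_seconds": {r["user"]: (r["finished"] - r["started"]).total_seconds()
                               for r in records},
        "unmanaged_systems": sorted({s["system"] for r in records
                                     for s in r["steps"] if s["status"] == "unmanaged"}),
    }

def sample_run():
    """Constructed leaver: VPN revocation fails and the badge system has no
    connector at all; both must surface as open access paths (fixed 30 s clock)."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ticks = (base + timedelta(seconds=30 * i) for i in range(1, 100))
    connectors = {s: (lambda u: True) for s in ("idp", "sso", "saas", "cloud_storage", "devices")}
    connectors["vpn"] = lambda u: False
    return run_leaver_workflow("j.doe", "it-manager", connectors, lambda: next(ticks))
```

The point of the constructed run is that a missing connector counts as an open access path, not as a success, which is exactly the gap a directory-only offboarding leaves.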
What's in the full article
Clarity Security's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step leaver checklist template you can adapt for HR-triggered terminations and emergency offboarding.
- Specific handling for SaaS accounts, shared credentials, device retrieval and physical badge deactivation.
- Practical guidance on evidence logging, delayed deletion and post-termination account monitoring.
- The vendor's automation workflow examples for tying HR events to deprovisioning tasks and review steps.
IT offboarding checklists: where do manual leaver workflows fail?
Leaver offboarding is a lifecycle control, not an administrative task. The article shows that termination events are security events because identity persists after employment unless revocation is propagated across every system that can still authorise the user. The failure is not the checklist itself, but the assumption that one directory action closes all access. For human IAM, that assumption is dangerous because SaaS, VPN, device and badge controls often sit outside the first revocation step.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to The State of Secrets in AppSec.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when a terminated user still has access?
A: Accountability sits with the identity, IT and business owners who approved and executed the offboarding process, not with the leaver alone. If access remains, the programme failed to coordinate revocation across systems or failed to maintain evidence that the steps were completed.