IT onboarding and offboarding: where do NHI controls fail most?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Delayed de-provisioning, orphan secrets, and shared access are the core failure patterns in IT onboarding and offboarding, according to Entro Security, with its checklist guidance showing why employee lifecycle steps now double as identity security control points. Lifecycle governance, not just user provisioning, is where secrets exposure and residual access are won or lost.

NHIMG editorial — based on content published by Entro Security: Secure IT onboarding and offboarding checklists

By the numbers:

Questions worth separating out

Q: How should organisations manage onboarding and offboarding for secrets and service accounts?

A: Treat onboarding and offboarding as lifecycle controls for every identity that can access data, not just employee accounts.

Q: Why do offboarding failures create such a large security risk?

A: Offboarding failures matter because access often survives in places the directory does not govern, especially tokens, API keys, and shared secrets.

Q: What do security teams get wrong about secrets shared in collaboration tools?

A: Teams often treat chat, ticketing, and documentation platforms as harmless convenience layers, but those systems become part of the identity surface once secrets are pasted there.

Practitioner guidance

  • Build a complete credential inventory before every offboarding event. Track all accounts, tokens, API keys, secrets, and shared credentials associated with the departing person, including items created in chat, tickets, repositories, and cloud consoles.
  • Require revocation proof for every secret-bearing system. Do not close an exit workflow until each credential has a recorded revocation status across the directory, cloud platforms, collaboration tools, and any connected automation.
  • Separate shared access from named ownership. Replace shared credentials with individually owned identities wherever possible, and keep a documented mapping from each secret to a business owner and a retirement date.

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The complete onboarding and offboarding checklist for access, devices, and secrets
  • The article's step-by-step handling of account deactivation, token rotation, and data wiping
  • Practical examples for remote workers, developers, and collaboration-tool secret sharing
  • The full set of security checklist items for provisioning, revocation, and exit interviews

👉 Read Entro Security's checklist for secure IT onboarding and offboarding →
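
One way to turn the practitioner guidance above into an enforceable gate, as an added example that is not code from Entro Security or NHIMG: a departing person's credential inventory is checked against a revocation ledger, and the exit workflow may close only when every named credential has recorded revocation proof and every shared secret has been rotated and carries an owner and retirement date. The inventory, ledger, credential ids and system names are constructed sample data.

```python
"""Exit-workflow gate: every credential tied to a departing person must carry a
recorded revocation (or, for shared secrets, a rotation) before the offboarding
ticket may close. All identifiers below are constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Credential:
    cred_id: str                      # hypothetical inventory id
    system: str                       # directory, cloud, chat, repo, automation, ...
    shared: bool = False              # shared secret: needs rotation + owner + retire date
    owner: Optional[str] = None       # business owner (required for shared secrets)
    retire_by: Optional[str] = None   # ISO retirement date (required for shared secrets)


# Constructed inventory for one departing person, spanning the surfaces the
# checklist names: directory, cloud console, chat, CI automation, repository.
INVENTORY: List[Credential] = [
    Credential("c1", "directory"),
    Credential("c2", "cloud-console"),
    Credential("c3", "chat", shared=True, owner="platform-team", retire_by="2026-03-31"),
    Credential("c4", "ci-automation", shared=True),   # shared, but no owner or retire date
    Credential("c5", "git-repo"),
]

# Constructed revocation/rotation ledger: cred_id -> recorded status.
# "c4" has no entry at all, which is exactly the orphan-secret case.
LEDGER: Dict[str, str] = {"c1": "revoked", "c2": "revoked", "c3": "rotated", "c5": "pending"}


def exit_blockers(inventory: List[Credential], ledger: Dict[str, str]) -> List[str]:
    """Return the reasons the exit workflow cannot close (empty list = clear).
    Named credentials need status 'revoked'; shared secrets need status
    'rotated' plus a documented owner and retirement date."""
    blockers = []
    for c in inventory:
        status = ledger.get(c.cred_id)          # None means no revocation proof recorded
        if c.shared:
            if status != "rotated":
                blockers.append(f"{c.cred_id}@{c.system}: shared secret not rotated (status={status})")
            if not c.owner or not c.retire_by:
                blockers.append(f"{c.cred_id}@{c.system}: shared secret lacks owner/retirement date")
        elif status != "revoked":
            blockers.append(f"{c.cred_id}@{c.system}: no revocation proof (status={status})")
    return blockers


def exit_can_close(inventory: List[Credential], ledger: Dict[str, str]) -> bool:
    """The exit ticket closes only when no blocker remains."""
    return not exit_blockers(inventory, ledger)


if __name__ == "__main__":
    for reason in exit_blockers(INVENTORY, LEDGER):
        print("BLOCKER:", reason)
```

The gate treats a missing ledger entry the same as an unrevoked credential, so a secret that was never inventoried against a system still surfaces as a blocker rather than silently passing.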

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Standing access is the real lifecycle failure, not just delayed offboarding. The article shows that access removal only works when the organisation knows every place a credential was issued, copied, or reused. That is a lifecycle governance problem, not a directory problem, because the same identity can persist in email, cloud, chat, and code. Practitioners should treat residual access as an entitlement accounting failure, not an isolated admin task.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • The same research found 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, showing how fast identity-bearing configuration can spread.

A question worth separating out:

Q: Who is accountable when residual access remains after an employee leaves?

A: Accountability sits with the identity, security, and system owners who control issuance, use, and retirement of the credential. Human offboarding is not complete until the organisation can show that access was removed everywhere it existed. For regulated environments, that evidence should be auditable and tied to the same lifecycle record as the original entitlement.

👉 Read our full editorial: IT onboarding and offboarding are now NHI control points
