TL;DR: Offboarding often stops at human accounts while OAuth tokens, API keys, SSH keys, service accounts, and AI agent identities remain active in cloud, CI/CD, and SaaS environments, leaving a hidden attack surface, according to Token Security. The control failure is not deprovisioning itself but the broken assumption that employee exit cleanly ends machine access.
NHIMG editorial — based on content published by Token Security: Offboarded Employees and the Non-Human Identities They Leave Behind [The Complete Guide]
By the numbers:
- 53% of IT leaders are terrified by the risk of a cyberattack through an unmanaged account when an employee is not properly deprovisioned.
- 75% of companies reported having machine identities without dedicated personnel managing them, increasing vulnerabilities to data loss and compromised access.
- 82% of 1,100 executives at large enterprises plan to integrate AI agents within the next three years.
Questions worth separating out
Q: How should security teams offboard non-human identities when an employee leaves?
A: Treat the employee departure as a full identity lifecycle event.
Q: Why do orphaned service accounts and tokens create so much risk after offboarding?
A: They create risk because access can persist after employment ends, often with no accountable owner and no automatic expiration.
Q: What breaks when employee offboarding does not include machine identity cleanup?
A: The governance chain breaks at ownership, visibility, and revocation.
Practitioner guidance
- Map every employee-linked machine identity before offboarding. Build a departure checklist that inventories API tokens, OAuth grants, SSH keys, service accounts, cloud roles, and automation credentials tied to the employee across cloud, GitHub, SaaS, and internal tooling.
- Assign a named owner to each NHI at creation. Do not wait for exit day to discover who owns an identity.
- Revoke long-lived secrets as part of the exit workflow. Rotate API keys, tokens, and shared credentials immediately after departure, then confirm that CI/CD pipelines, GitHub repositories, Slack, Jira, and SaaS integrations no longer hold valid access.
What's in the full article
Token Security's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step offboarding checklist for employee-owned machine identities across cloud, SaaS, and developer tooling
- Detailed guidance on rotating API keys, OAuth tokens, SSH keys, and shared secrets after departure
- Practical inventory and ownership transfer approach for NHIs created by scripts, pipelines, and AI agents
- Token Security's visibility and risk graph workflow for prioritising revocation and remediation
👉 Read Token Security's guide to offboarding employees and the NHIs they leave behind →
Offboarding and orphaned NHIs: what IAM teams are missing?
Explore further
Employee offboarding is now an NHI lifecycle problem, not just an HR control. The article shows that departure workflows which end at disabling human accounts leave the more dangerous assets untouched: tokens, keys, service accounts, and agent credentials. That is a governance failure because the organization has not actually ended the employee’s operational reach. Practitioners should treat offboarding as a full identity inventory and revocation event across human and machine access.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- GitGuardian found that 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
A question worth separating out:
Q: Who should be accountable for NHIs after an employee exits?
A: The accountable owner should be the person or team that can actually revoke, rotate, or transfer the identity without waiting for the former employee. If no such owner exists, the identity is not governed. Offboarding is the moment to assign that responsibility, because after the employee leaves, accountability becomes harder to reconstruct.
👉 Read our full editorial: Offboarded employees leave behind hidden non-human identity risk