TL;DR: A survey of 118 IT leaders found that remote workforce offboarding remains difficult because organisations struggle to see, observe, and remediate access across connected and disconnected systems, according to Zluri. The operational problem is not just leaver handling, but the broader IAM attack surface created when identity data, access reviews, and remediation are not unified.
NHIMG editorial — based on content published by Zluri: Remote Workforce Offboarding: Security Threats Report 2021
By the numbers:
- We surveyed 118 IT leaders to find their perspectives on offboarding.
Questions worth separating out
Q: How should security teams improve remote workforce offboarding?
A: Start by mapping where access actually lives, then connect leaver workflows to those systems so revocation is not dependent on manual follow-up.
Q: Why does offboarding create risk in hybrid identity environments?
A: Hybrid environments increase risk because identity state is split across tools and teams, which makes it easy for access to survive after the business need has ended.
Q: How do you know if offboarding is actually working?
A: Look for short identity cleanup lag, complete revocation across primary systems, and consistent handling of exceptions such as legacy apps and shared accounts.
Practitioner guidance
- Inventory all identity sources before tightening offboarding Build a complete map of directories, SaaS apps, local systems, and shadow access points so leaver workflows can reach every entitlement path rather than only the obvious ones.
- Separate visibility from remediation in your operating model Assign one team or control to detect lingering access and another to execute revocation, then define escalation paths for systems that cannot be remediated automatically.
- Measure identity cleanup lag after every departure Track the time between employment end and complete access removal across core systems, because the longest delays usually reveal the biggest exposure windows.
What's in the full report
Zluri's full report covers the operational detail this post intentionally leaves for the source:
- Survey detail on how 118 IT leaders currently manage offboarding across different environments
- Specific breakdowns of the security threats executives associate with remote workforce exits
- The report's guidance on tools and protocols used to reduce lingering access in practice
👉 Read Zluri's report on remote workforce offboarding and IAM attack surface risk →
Remote workforce offboarding: what IAM teams are missing?
Explore further
Offboarding is an IAM attack surface control, not a clerical process. Zluri frames the problem correctly by linking leaver handling to security threats, because the real failure is lingering access after the business relationship ends. When identity data is scattered, organisations cannot prove that access has been fully removed. Practitioners should treat offboarding as exposure reduction, not administrative closure.
A few things that frame the scale:
- 67% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who should own lifecycle revocation when identity spans multiple systems?
A: Ownership should sit with the identity governance function, with clear execution responsibilities in IT and application teams. The organisation needs one accountable process for revocation, even if the actual removal steps differ by system. Without that accountability, offboarding becomes inconsistent and hidden access persists longer than it should.
👉 Read our full editorial: Remote workforce offboarding exposes the IAM attack surface gap