
SaaS offboarding and access revocation: where do teams break down?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Offboarding gaps leave SaaS access behind after employees depart, and Zluri cites a Gartner-backed study showing only 14% of surveyed companies have systems and processes for SaaS deprovisioning. The real control failure is not removal intent but incomplete revocation across SSO, sessions, app-level entitlements, and shadow IT.

NHIMG editorial — based on content published by Zluri: Automation 4 Ways of Revoking Access to Tools While Offboarding Employees

By the numbers:

Questions worth separating out

Q: How should security teams handle SaaS access during employee offboarding?

A: Security teams should revoke access across the IdP, application layer, and active sessions, then confirm that no remaining permission paths exist.

Q: Why do SSO-based offboarding processes sometimes leave access behind?

A: SSO revocation removes one authentication path, but it does not always terminate existing SaaS sessions or remove app-specific entitlements.

Q: What breaks when SaaS inventories are maintained in spreadsheets?

A: Spreadsheets go stale quickly and cannot discover shadow IT, so the offboarding team ends up revoking access to only the known applications.

Practitioner guidance

  • Map every SaaS access path before deprovisioning: build a leaver checklist that includes SSO, direct app logins, device sessions, delegated access, and unmanaged tools so revocation does not stop at the IdP layer.
  • Invalidate active sessions as a required exit step: require application-side session termination for critical SaaS tools, especially where token lifetime can outlast the employee's departure or the IdP disablement event.
  • Replace spreadsheet inventories with continuous app discovery: use live discovery to keep the SaaS inventory current, because manual tracking cannot keep pace with shadow IT or fast-changing application adoption.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The four revocation approaches the vendor describes, including spreadsheet tracking, SSO-based removal, SaaS management automation, and self-serve workflow approvals.
  • The step-by-step offboarding sequence the vendor outlines for removing authentication, moving data, deleting the user, and removing SSO access.
  • The vendor's discussion of Slack session persistence and why SSO deprovisioning alone can leave an access window open.
  • The workflow claims around visibility into sign-in logs, audit logs, and app permissions that underpin automated offboarding.

👉 Read Zluri's article on four ways to revoke SaaS access during offboarding →

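Added example, not code from Zluri's article or from this post: a post-offboarding verification check that walks the three guidance points above (access paths beyond the IdP, app-side sessions that outlive disablement, and discovered apps that SSO never covered). All identities, app names, session and entitlement exports are constructed sample data; a real run would pull them from the IdP and each application's admin API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (not real exports): one leaver whose IdP account was
# disabled, but whose application-side state was never fully closed.
LEAVER = "leaver@example.com"
IDP_DISABLED_AT = datetime(2024, 6, 1, 17, 0, tzinfo=timezone.utc)
SSO_APPS = {"slack", "github"}                            # apps federated to the IdP
DISCOVERED_APPS = {"slack", "github", "figma", "notion"}  # from live app discovery
APP_SESSIONS = {                                          # app admin-API session exports
    "slack": [{"user": LEAVER, "expires": IDP_DISABLED_AT + timedelta(days=30)}],
    "github": [{"user": LEAVER, "expires": IDP_DISABLED_AT - timedelta(hours=1)}],
}
APP_ENTITLEMENTS = {                                      # app-local roles still assigned
    "slack": {LEAVER: ["workspace-admin"]},
    "github": {},
    "figma": {LEAVER: ["editor"]},                        # never federated through SSO
    # "notion" has no export at all: revocation there cannot be confirmed
}

@dataclass(frozen=True)
class Finding:
    app: str
    kind: str    # "session" | "entitlement" | "shadow_it" | "unverified"
    detail: str

def residual_access(user, now, sso_apps, discovered, sessions, entitlements):
    """List every access path that still exists for `user` after IdP disablement."""
    findings = []
    for app in sorted(discovered):
        # 1. Sessions the IdP event did not terminate and whose token has not expired.
        for s in sessions.get(app, []):
            if s["user"] == user and s["expires"] > now:
                findings.append(Finding(app, "session", f"valid until {s['expires'].isoformat()}"))
        # 2. App-local entitlements that survive account disablement at the IdP.
        roles = entitlements.get(app, {}).get(user, [])
        if roles:
            kind = "entitlement" if app in sso_apps else "shadow_it"
            findings.append(Finding(app, kind, ",".join(roles)))
        # 3. Discovered apps with no app-side export: the checklist cannot close them.
        if app not in sso_apps and app not in entitlements:
            findings.append(Finding(app, "unverified", "no export; revocation unconfirmed"))
    return findings

def check_leaver(hours_after_disable=2):
    """Run the post-offboarding check against the constructed sample state."""
    now = IDP_DISABLED_AT + timedelta(hours=hours_after_disable)
    return residual_access(LEAVER, now, SSO_APPS, DISCOVERED_APPS, APP_SESSIONS, APP_ENTITLEMENTS)
```

An empty result is the only acceptable outcome of the leaver workflow; every finding is an open access path or an app whose revocation nobody can attest to.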
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4512
 

Offboarding failure is a lifecycle problem, not a point-in-time access problem. The article shows that revocation can be technically correct at the identity provider and still incomplete at the application layer. That is the core governance failure in human identity lifecycle management: access can outlive the event that should have ended it. Practitioners should treat leaver processing as a full entitlement closure workflow, not an account disablement task.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when a former employee still has access after offboarding?

A: Accountability usually sits with IAM, IT, and application owners together, because offboarding failure is a cross-system governance issue. Directory admins may disable the account, but SaaS owners must also invalidate sessions and remove app access. Frameworks such as the NIST Cybersecurity Framework 2.0 support that shared control ownership.

👉 Read our full editorial: SaaS offboarding exposes the access revocation gap teams miss
