TL;DR: Modern SaaS environments fragment onboarding and offboarding across managed apps, unmanaged apps, licenses, and manual handoffs, so access clean-up often fails even when SSO is in place, according to 1Password. The practical issue is lifecycle control, not workflow speed, because incomplete deprovisioning leaves orphaned access, wasted spend, and audit gaps.
NHIMG editorial — based on content published by 1Password: onboarding and offboarding across modern SaaS environments
Questions worth separating out
A: Security teams should treat non-SSO SaaS apps as first-class lifecycle targets.
Q: Why do manual offboarding checklists so often leave access behind?
A: Manual checklists fail because they depend on people remembering every app, owner, and downstream entitlement at the moment a worker leaves.
Q: What do teams get wrong about SSO and lifecycle control?
A: Teams often assume SSO coverage equals complete access governance.
Practitioner guidance
- Build a complete SaaS application inventory: Continuously discover managed, unmanaged, and shadow SaaS apps before designing onboarding and offboarding flows.
- Automate offboarding beyond the SSO boundary: Create deprovisioning workflows for apps that sit outside federated access, including direct accounts, license removal, and file transfer actions.
- Track license recovery as a governance outcome: Measure whether offboarding actually reclaims or reassigns licenses, not just whether a ticket was closed.
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How 1Password SaaS Manager automates access across apps that sit outside SSO.
- The specific workflow steps for reclaiming licenses and transferring files or folders during offboarding.
- The article's practical framing for reducing ticket backlog while keeping a clear audit trail.
- The guide's positioning on managing shadow IT in day-one onboarding and leaver processing.
SaaS onboarding and offboarding: where access handoffs still break?
Explore further
Lifecycle governance fails when organisations treat SaaS access as an authentication problem instead of a coverage problem. The article shows that SSO can remove access from managed applications while leaving unmanaged apps, licenses, and data paths untouched. That is not a tooling gap alone; it is a governance boundary error that leaves the offboarding state incomplete. Practitioners should read this as a signal that lifecycle control must be defined across the whole SaaS estate, not only where federation exists.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to The State of Secrets in AppSec.
A question worth separating out:
Q: What should organisations do when an employee leaves to reduce residual risk?
A: They should revoke access everywhere, confirm that licenses are reclaimed or reassigned, and verify that files or folders are transferred to the right owner. The process should end only when the audit trail shows completion across every relevant SaaS application, not just the central login system.
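The completion test in this answer can be written as a reconciliation over a per-app inventory. The sketch below is an added example, not code from 1Password or from this editorial; the record fields, app names and sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class AppRecord:
    """One leaver's footprint in one SaaS app (hypothetical schema)."""
    app: str
    behind_sso: bool      # app is federated to the central login system
    account_active: bool  # app still reports a usable account for the leaver
    license_held: bool    # paid seat still assigned to the leaver
    files_owned: int      # files or folders not yet transferred to a new owner

def residual_findings(idp_disabled: bool, records: list[AppRecord]) -> list[str]:
    """Return every reason the offboarding cannot be closed yet."""
    findings = []
    for r in records:
        # Disabling the central account only covers federated apps;
        # a direct account in a non-SSO app stays usable.
        covered_by_idp = r.behind_sso and idp_disabled
        if r.account_active and not covered_by_idp:
            findings.append(f"{r.app}: access still active")
        # Licenses and data ownership are checked for every app,
        # whether or not SSO already blocked sign-in.
        if r.license_held:
            findings.append(f"{r.app}: license not reclaimed or reassigned")
        if r.files_owned:
            findings.append(f"{r.app}: {r.files_owned} files/folders not transferred")
    return findings

def offboarding_complete(idp_disabled: bool, records: list[AppRecord]) -> bool:
    """Complete only when no app in the inventory has a residual finding."""
    return not residual_findings(idp_disabled, records)

# Constructed sample inventory for one leaver.
LEAVER_RECORDS = [
    AppRecord("crm", behind_sso=True, account_active=True, license_held=True, files_owned=0),
    AppRecord("design-tool", behind_sso=False, account_active=True, license_held=True, files_owned=12),
    AppRecord("wiki", behind_sso=True, account_active=False, license_held=False, files_owned=0),
]

if __name__ == "__main__":
    for finding in residual_findings(idp_disabled=True, records=LEAVER_RECORDS):
        print(finding)
```

With the central account disabled, the sample still reports four findings, three of them in the one app outside SSO.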