Access often persists in applications, shared resources, and delegated workflows after the person leaves. HR can trigger the departure, but IT and security still need evidence that every entitlement was revoked. Without that control, former-user access becomes a lifecycle failure that can lead to misuse, audit findings, and data exposure.
Why This Matters for Security Teams
When employee offboarding is treated as an HR event, the organisation often confuses notice of departure with actual access removal. That gap is dangerous because identities are not confined to the HR record. They include application roles, API tokens, delegated approvals, shared mailboxes, privileged sessions, and automation accounts that can survive long after a person leaves. NHI Management Group’s Ultimate Guide to NHIs shows why lifecycle control has to extend beyond people-facing records and into technical entitlement revocation.
The operational risk is measurable. Entro Security reports that 91% of former employee tokens remain active after offboarding, which means departure alone does not stop access. That is why offboarding belongs in identity governance, not just HR workflow design. The NIST Cybersecurity Framework 2.0 frames this as a protection and response issue: access must be removed, verified, and recorded as part of a controlled process.
In practice, many security teams encounter former-user access only after an audit exception, a suspicious login, or a data exposure, rather than through intentional revocation testing.
How It Works in Practice
Offboarding becomes effective only when HR, IT, and security share a single control objective: prove that the departing person can no longer authenticate, authorize, or indirectly influence systems. The HR workflow may start the clock, but it cannot end access by itself. A defensible process maps the departing employee to every identity artifact they touched, including SSO accounts, SaaS entitlements, local app roles, service desk approvals, shared credentials, and any secrets embedded in scripts or pipelines. NHI Management Group’s NHI Lifecycle Management Guide is useful here because lifecycle closure is the real control objective, not just deactivation in one system.
Practitioners usually need four mechanics:
- Trigger offboarding from HR, but execute revocation through identity, PAM, and secrets tooling.
- Revoke or rotate all tokens, keys, certificates, and delegated grants that were issued to the person or their workflows.
- Check for shared accounts, mailbox delegation, group membership, and downstream app inheritance.
- Record evidence that revocation completed, including timestamp, system owner, and exception handling.
This is also where current guidance suggests using access review and change evidence together. The more sensitive the environment, the more important it is to verify that access removal succeeded, not merely that a ticket was closed. NIST guidance on least privilege and identity management supports that posture, while NHI research from 52 NHI Breaches Analysis shows how lifecycle failures often compound into broader compromise when stale access is left behind.
These controls tend to break down when accounts are reused across teams, when apps sit outside the identity stack, or when secrets live in code and CI/CD systems because revocation cannot be proven end to end.
Common Variations and Edge Cases
Tighter offboarding control often increases operational overhead, requiring organisations to balance rapid separation against the need for complete entitlement removal. That tradeoff matters most in environments with federated SaaS, shared admin accounts, and long-lived automations, where one person’s departure can affect many systems at once. Best practice is evolving, but there is no universal standard for this yet: some teams prioritise immediate disablement, while others stage revocation to preserve business continuity before final closure.
The hardest edge cases are delegated access and hidden dependencies. A departing employee may not own the system directly, but they may approve releases, manage group-based access, or hold a token embedded in automation. That means the control must extend to workload identity, not just human login accounts. The Lifecycle Processes for Managing NHIs section of NHIMG’s guide is relevant because offboarding often becomes a secrets and entitlement cleanup problem once automation is involved.
Operationally, the safest pattern is to treat offboarding as a verified identity control with evidence, exceptions, and owner sign-off. Where that discipline is missing, former-user access is usually discovered only after lateral movement, audit failure, or an external notification forces a scramble.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers lifecycle revocation and stale credential risk after employee exit. |
| NIST CSF 2.0 | PR.AC-4 | Access management requires removal of entitlements when employment ends. |
| NIST AI RMF | Governance applies when automation and identity decisions affect ongoing access. |
Revoke and rotate all NHI credentials during offboarding, then verify closure across every dependent system.
Related resources from NHI Mgmt Group
- What breaks when identity is treated as an administrative task instead of a control plane?
- What breaks when identity governance is treated as admin work instead of security work?
- What breaks when identity logging is treated as the main security control?
- What breaks when an IAM tool cannot support offboarding well?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
