Delayed deletion leaves former employees able to authenticate after departure, which can enable data exfiltration, unauthorized access, audit findings, and avoidable licence costs. The failure is usually not one control but several, including incomplete SaaS deprovisioning, missed API tokens, and weak record keeping. Offboarding has to close every active access path, not just the corporate directory.
Why This Matters for Security Teams
When an ex-employee account stays active, the problem is not just unauthorized login. It is persistence across the full access chain: SaaS sessions, VPN access, SSO tokens, cloud consoles, API keys, and service accounts that were never tied back to the person leaving. That creates a gap between HR departure dates and actual access removal, which turns offboarding into a security control rather than an administrative task. NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why this issue keeps resurfacing in incident response and audit work, not just HR checklists. For a broader control lens, see the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs. In practice, many security teams encounter stale access only after a former employee has already used one forgotten credential path to move laterally or extract data.How It Works in Practice
Prompt deletion is effective only when offboarding closes every identity and secret the person could still reach. A corporate directory disablement is a start, but it does not remove cached sessions, delegated SaaS permissions, connected apps, cloud access keys, CI/CD tokens, or shared service credentials. The most reliable approach is to treat departure as an identity lifecycle event with an enforced teardown sequence, not a ticket to be closed later. Common control steps include:- Disable SSO and directory access immediately at separation time.
- Revoke active sessions, refresh tokens, and device trust records.
- Rotate any secrets, API keys, or certificates the employee could have accessed.
- Review privileged roles, shared mailboxes, and delegated admin rights.
- Confirm deprovisioning in each SaaS, cloud, and developer platform, not only in the HR or IAM system.
Common Variations and Edge Cases
Tighter offboarding often increases operational overhead, requiring organisations to balance rapid revocation against the need to avoid disrupting shared services or production systems. That tradeoff is real, especially in smaller environments where one employee may have touched infrastructure, SaaS admin panels, and developer tooling. There is no universal standard for this yet, but current guidance suggests three common edge cases need explicit handling:- Shared or inherited accounts: if multiple people use one login, deletion must be paired with immediate credential rotation and account splitting.
- Machine access tied to a person: personal API keys, certificates, or CI/CD tokens often outlive the employee and must be inventoried separately.
- Privileged contractors or temporary staff: short contracts can create long-lived access if expiry dates are not enforced automatically.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding and revocation failures are core NHI lifecycle weaknesses. |
| NIST CSF 2.0 | PR.AC-4 | Access revocation and least privilege directly address departed-user access. |
| NIST AI RMF | AI RMF governance supports accountable lifecycle management for identity access. |
Automate termination-triggered deprovisioning and verify access removal across every connected system.
Related resources from NHI Mgmt Group
- How should teams reduce the risk of orphaned service accounts and stale tokens?
- What breaks when employee accounts are not linked across platforms?
- What breaks when social media access is tied to employee-owned accounts?
- What breaks when organisations cannot see all non-employee accounts in one place?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org