Subscribe to the Non-Human & AI Identity Journal
Home FAQ NHI Lifecycle Management What breaks when ex-employee accounts are not deleted…
NHI Lifecycle Management

What breaks when ex-employee accounts are not deleted promptly?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 5, 2026 Domain: NHI Lifecycle Management

Delayed deletion leaves former employees able to authenticate after departure, which can enable data exfiltration, unauthorized access, audit findings, and avoidable licence costs. The failure is usually not one control but several, including incomplete SaaS deprovisioning, missed API tokens, and weak record keeping. Offboarding has to close every active access path, not just the corporate directory.

Why This Matters for Security Teams

When an ex-employee account stays active, the problem is not just unauthorized login. It is persistence across the full access chain: SaaS sessions, VPN access, SSO tokens, cloud consoles, API keys, and service accounts that were never tied back to the person leaving. That creates a gap between HR departure dates and actual access removal, which turns offboarding into a security control rather than an administrative task. NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why this issue keeps resurfacing in incident response and audit work, not just HR checklists. For a broader control lens, see the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs. In practice, many security teams encounter stale access only after a former employee has already used one forgotten credential path to move laterally or extract data.

How It Works in Practice

Prompt deletion is effective only when offboarding closes every identity and secret the person could still reach. A corporate directory disablement is a start, but it does not remove cached sessions, delegated SaaS permissions, connected apps, cloud access keys, CI/CD tokens, or shared service credentials. The most reliable approach is to treat departure as an identity lifecycle event with an enforced teardown sequence, not a ticket to be closed later. Common control steps include:
  • Disable SSO and directory access immediately at separation time.
  • Revoke active sessions, refresh tokens, and device trust records.
  • Rotate any secrets, API keys, or certificates the employee could have accessed.
  • Review privileged roles, shared mailboxes, and delegated admin rights.
  • Confirm deprovisioning in each SaaS, cloud, and developer platform, not only in the HR or IAM system.
This is where current guidance suggests combining least privilege with rapid revocation. The Ultimate Guide to NHIs is useful here because it frames offboarding as a visibility and rotation problem as much as an access problem. For implementation design, the NIST Cybersecurity Framework 2.0 supports the broader governance expectation that identities and access should be continuously managed, not reviewed only at infrequent intervals. If an organisation uses automated workflows, the best practice is to tie HR termination events directly to deprovisioning and secret rotation so there is no human delay. These controls tend to break down when accounts are shared across teams, because no single owner can verify every system the former employee touched.

Common Variations and Edge Cases

Tighter offboarding often increases operational overhead, requiring organisations to balance rapid revocation against the need to avoid disrupting shared services or production systems. That tradeoff is real, especially in smaller environments where one employee may have touched infrastructure, SaaS admin panels, and developer tooling. There is no universal standard for this yet, but current guidance suggests three common edge cases need explicit handling:
  • Shared or inherited accounts: if multiple people use one login, deletion must be paired with immediate credential rotation and account splitting.
  • Machine access tied to a person: personal API keys, certificates, or CI/CD tokens often outlive the employee and must be inventoried separately.
  • Privileged contractors or temporary staff: short contracts can create long-lived access if expiry dates are not enforced automatically.
The same issue can also show up in audits long after the person has left if logging is incomplete. If the organisation cannot prove exactly which systems were deprovisioned, it will struggle to show control effectiveness even when the account was eventually disabled. That is why offboarding needs both technical revocation and evidence capture. The Schneider Electric credentials breach is a useful reminder that credential exposure often becomes visible only after an access path has already been abused. In environments with heavy SaaS sprawl or unmanaged developer secrets, the guidance breaks down because the true access surface is larger than the directory record.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Offboarding and revocation failures are core NHI lifecycle weaknesses.
NIST CSF 2.0PR.AC-4Access revocation and least privilege directly address departed-user access.
NIST AI RMFAI RMF governance supports accountable lifecycle management for identity access.

Automate termination-triggered deprovisioning and verify access removal across every connected system.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org