
What breaks when offboarding is treated as a ticket closure exercise?

By NHI Mgmt Group Editorial Team | Updated June 11, 2026 | Domain: NHI Lifecycle Management

Access can remain active in connected applications even after the HR or service desk ticket is marked complete. That leaves former employees, contractors, or delegated users with permissions that no one is actively reviewing. Effective offboarding must revoke access in the target systems, not just record the request as done.

Why This Matters for Security Teams

When offboarding is reduced to a ticket closure exercise, the organisation records completion without proving that access was actually removed from downstream systems. That gap is especially dangerous for non-human identities, delegated access, and federated applications, where the HR record, the service desk record, and the target-system state can diverge. NIST's Cybersecurity Framework (CSF) 2.0 emphasizes that identity and access outcomes must be managed operationally, not just documented administratively.

NHIMG’s NHI Lifecycle Management Guide treats offboarding as a lifecycle control, because stale access is a live exposure, not a paperwork issue. The practical risk is that former employees, contractors, and service identities can retain permissions long after the organization believes the relationship has ended. In mature environments, the ticket is only evidence that a request was made; it is not evidence that the access path was destroyed.

In practice, many security teams discover lingering access only after an audit, a leak, or an incident investigation, rather than through intentional offboarding verification.

How It Works in Practice

Effective offboarding requires a control sequence that reaches the target systems, not just the ticketing queue. The process should identify every identity tied to the person or workload, revoke entitlements in connected applications, invalidate active tokens or keys, and confirm that privileged paths such as API access, cloud roles, and shared service accounts are no longer usable. This is where lifecycle discipline matters: the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs frames offboarding as a repeatable sequence, not a one-time administrative step.

For human accounts, that may mean disabling SSO sessions, revoking directory access, and forcing password resets where federated systems still depend on local credentials. For NHIs, the equivalent may include deleting API keys, rotating certificates, removing CI/CD secrets, terminating workload identity bindings, and revoking delegated OAuth grants. The key is verification. A closed ticket should be backed by evidence that each dependent system acknowledged revocation.

  • Inventory all identities linked to the departing user or workload.
  • Revoke access in source and target systems, not just in the HR or ITSM record.
  • Invalidate long-lived secrets, refresh tokens, certificates, and service credentials.
  • Confirm that privileged roles, group memberships, and automation links are removed.
  • Log proof of revocation for audit and incident response.

NHIMG research shows why this matters operationally: 91% of former employee tokens remain active after offboarding, which means “done” in the ticket system often still leaves usable access behind. The problem is amplified when identities are reused across applications, when secrets are stored outside proper managers, or when downstream systems do not support centralized deprovisioning. These controls tend to break down when applications are decoupled from the identity source and revocation depends on manual follow-up in systems that do not share a common lifecycle hook.

Common Variations and Edge Cases

Tighter offboarding control often increases operational overhead, requiring organisations to balance speed of separation against verification depth. That tradeoff is unavoidable when access spans SaaS apps, cloud platforms, partner portals, and machine identities. Current guidance suggests treating high-risk accounts differently from routine ones, because a contractor laptop, a service account, and a dormant admin role do not present the same residual risk.

One common edge case is delegated access. A manager may inherit calendar, inbox, or application permissions that persist after the primary account is disabled, so the offboarding process must include shared access review. Another is federation. If an application maintains its own local account or cached session state, directory deprovisioning alone will not remove access. For NHIs, the same issue appears when a service account is shared across multiple workloads or when secrets are embedded in code or pipelines. NHIMG’s Top 10 NHI Issues highlights how lifecycle failures and overused identities turn a single missed revocation into broad exposure.
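The control sequence from "How It Works in Practice" (inventory, revoke, invalidate, confirm, log proof) together with the federated-app edge case just described, as an added example that is not NHIMG's code and calls no real deprovisioning API: the target systems, the principal "alice" and the system names are constructed in-memory stand-ins, and the ticket is only marked closed when read-back from every system shows the access path is dead.

```python
from datetime import datetime, timezone

# Constructed in-memory stand-ins for target systems; nothing here calls a real API.
def build_systems():
    return {
        "directory":      {"alice": {"enabled": True}},
        "api_keys":       {"alice": ["key-1", "key-2"]},
        "oauth_grants":   {"alice": ["github-app", "slack-bot"]},
        "ci_secrets":     {"alice": ["DEPLOY_TOKEN"]},
        # Federated app that keeps a local account and cached session;
        # disabling the directory entry does not touch it.
        "partner_portal": {"alice": {"local_account": True, "session_valid": True}},
    }

# Revocation driven only from the central identity source: it reaches every
# system with a lifecycle hook but never the federated app's local state.
def revoke_central(systems, principal):
    systems["directory"][principal]["enabled"] = False
    for name in ("api_keys", "oauth_grants", "ci_secrets"):
        systems[name].pop(principal, None)

# Full revocation additionally removes the federated app's local account/session.
def revoke_all(systems, principal):
    revoke_central(systems, principal)
    systems["partner_portal"].pop(principal, None)

# Read live state back from the system itself; the ticket is never consulted.
def has_access(systems, name, principal):
    entry = systems[name].get(principal)
    if entry is None:
        return False
    if name == "directory":
        return entry["enabled"]
    if name == "partner_portal":
        return entry["local_account"] or entry["session_valid"]
    return len(entry) > 0          # remaining keys, grants or secrets

def offboard(systems, principal, revoke):
    # 1. Inventory before revoking, so every system the principal touched is verified.
    inventory = [name for name in systems if principal in systems[name]]
    # 2-4. Revoke entitlements, invalidate secrets, remove privileged bindings.
    revoke(systems, principal)
    # 5. Record per-system proof of revocation with a timestamp.
    stamp = datetime.now(timezone.utc).isoformat()
    evidence = [(name, not has_access(systems, name, principal), stamp)
                for name in inventory]
    lingering = [name for name, dead, _ in evidence if not dead]
    # The ticket closes only when every access path is proven dead.
    return {"status": "closed" if not lingering else "blocked",
            "lingering": lingering, "evidence": evidence}
```

Running `offboard` with `revoke_central` leaves the ticket blocked with `partner_portal` listed as lingering access; only `revoke_all` produces a closed ticket with five evidence records.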

There is no universal standard for every offboarding scenario yet, especially for agentic or highly automated environments. Best practice is evolving toward continuous verification, where ticket closure is only accepted after the access path is proven dead in the systems that matter.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding failures leave NHI credentials active after termination. |
| NIST CSF 2.0 | PR.AC-4 | Access removal must be enforced, not just recorded in tickets. |
| NIST AI RMF | | AI RMF stresses lifecycle governance for identities used by automated systems. |

Apply lifecycle accountability to every identity, including service and agent credentials.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org