Teams can strand active application sessions, preserve app-level admin rights, and lose the ability to transfer ownership cleanly. The directory may look disabled while the application still allows access or retains important data. Bottom-up deprovisioning avoids this by clearing downstream access first and only then closing the identity provider entry.
Why This Matters for Security Teams
Offboarding is not complete when the directory account is disabled. If application access is removed in the wrong order, active sessions can stay alive, app-local admin roles can persist, and ownership of critical records can become stranded. That creates a gap between what the identity provider shows and what the application still permits, which is exactly where cleanup failures hide.
This matters because most environments now rely on federated login, service accounts, delegated administration, and shared application ownership. The operational risk is not just unauthorized reuse of access, but also broken handoffs when someone leaves and no one can safely transfer control. NHI Management Group has repeatedly highlighted lifecycle control as the difference between visible deprovisioning and actual access removal in the NHI Lifecycle Management Guide. OWASP similarly treats weak lifecycle handling as a recurring identity failure pattern in the OWASP Non-Human Identity Top 10.
In practice, many security teams discover this only after an account has been disabled but the application still accepts the old session or retains privileged ownership.
How It Works in Practice
The cleanest approach is bottom-up deprovisioning: revoke application access first, confirm the app no longer accepts the identity, transfer ownership and administrative duties, then close the upstream SSO or directory entry. That sequence matters because many applications cache sessions, issue long-lived refresh tokens, or maintain their own authorization records separate from the identity provider. Disabling SSO alone often stops new logins, but it does not reliably invalidate what the application already knows.
Practitioners should treat offboarding as a workflow, not a single action. A practical sequence usually includes:
- Identify all downstream applications, shared accounts, and delegated roles tied to the identity.
- Revoke app-local access and tokens, including API keys, refresh tokens, and session grants.
- Transfer ownership of files, dashboards, pipelines, and admin controls before deactivation.
- Validate that the application rejects reuse of the prior identity and cannot silently reauthorize it.
- Only then disable the directory or SSO record and archive evidence of completion.
This aligns with the lifecycle emphasis in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and with current zero-trust guidance from NIST SP 800-207, which assumes access must be continuously verified and explicitly removed at the resource layer. This is especially important when apps maintain their own authorization store or when SaaS platforms do not immediately honor upstream deactivation. These controls tend to break down when applications have independent role stores and long-lived sessions because the identity provider is no longer the source of truth for active access.
Common Variations and Edge Cases
Tighter offboarding often increases operational overhead, requiring organisations to balance faster account closure against the need to preserve access continuity and ownership transfer. That tradeoff is real in environments with shared mailboxes, CI/CD systems, or customer-facing admin portals where abrupt removal can interrupt service delivery.
Current guidance suggests treating these as exceptions with documented handoff steps, not as reasons to skip downstream revocation. In SaaS apps with poor SCIM support, teams may need manual checks to confirm role removal and token invalidation. In internally hosted applications, the challenge is often even harder because application owners control session lifetimes, not the directory team. The 52 NHI Breaches Analysis shows how frequently lifecycle gaps and lingering access show up together, especially where ownership and credential cleanup are not tied to the same workflow.
There is no universal standard for exactly how long to wait between downstream revocation and directory closure, so teams should define timing based on session TTL, token expiry, and business-critical handoff needs. The key edge case is any application that can outlive SSO, because once the directory is closed, the organisation can lose the easiest path to prove, transfer, or forcibly revoke what remains active.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-04 | Lifecycle and offboarding gaps leave app access active after SSO removal. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed across the resource layer, not only the IdP. |
| NIST Zero Trust (SP 800-207) | 4.1 | Zero Trust requires explicit, continuous authorization at each resource, not directory trust. |
Revoke downstream app access and tokens before disabling the upstream identity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
