NHI Lifecycle Management

Who is accountable when a former employee can still access sensitive reports?

By NHI Mgmt Group Editorial Team Updated June 12, 2026 Domain: NHI Lifecycle Management

Accountability sits with the organisation that failed to close access when the employment relationship ended. HR, IAM, and system owners all share responsibility for offboarding, but the control failure is lifecycle enforcement. If access persists after termination, the identity programme has not matched governance to reality.

Why This Matters for Security Teams

Former-employee access is rarely a single-system mistake. It usually reflects a missed lifecycle control across HR exit data, identity governance, application entitlements, and privileged access paths. If a user can still open sensitive reports after termination, the organisation has not enforced revocation at the point where trust should have ended. That is an identity operations failure, not just an audit finding.

For security teams, the risk is not limited to a stale password. A terminated account may still carry group memberships, API tokens, report exports, shared mailbox access, or delegated access in downstream systems. The OWASP Non-Human Identity Top 10 and NHIMG’s Ultimate Guide to NHIs both point to the same operational reality: access that is not explicitly removed tends to persist in unexpected places. NHIMG also reports that only 20% of organisations have formal processes for offboarding and revoking API keys, which is a strong signal that lifecycle gaps remain common.

In practice, many security teams discover lingering access only after an investigation, not through intentional offboarding verification.

How It Works in Practice

Accountability should be understood as shared responsibility with a clear control owner. HR signals that employment has ended, IAM executes deprovisioning, and system owners confirm that sensitive applications, reporting tools, and privileged paths no longer trust the former employee. The control objective is lifecycle enforcement: termination must trigger prompt, complete, and evidenced revocation across the full identity stack.

Good practice is to make the offboarding event machine-readable and time-bound. The practical sequence is:

  • HR sends a termination event to IAM or identity governance as the source of truth.
  • Primary credentials are disabled immediately, not at the next review cycle.
  • Group memberships, report subscriptions, and delegated access are removed in downstream systems.
  • Privileged access, shared accounts, and break-glass paths are checked separately.
  • API keys, service tokens, and session grants are revoked or rotated where applicable.
  • System owners attest that sensitive reports and exports are no longer reachable.

That workflow is consistent with zero trust thinking and with the broader NHI lifecycle guidance in Ultimate Guide to NHIs — Key Challenges and Risks, because access should be continuously validated rather than assumed to end cleanly. It also aligns with the identity assurance and access control principles in NIST SP 800-63 Digital Identity Guidelines, where authoritative lifecycle status matters as much as credentials themselves.

Organisations should treat post-termination access as a detection gap only after they have verified that revocation automation, entitlement mapping, and exception handling all ran correctly. These controls tend to break down when legacy applications, shared accounts, or manually maintained permissions bypass the normal deprovisioning workflow, since no single system can then prove that access has ended.

Common Variations and Edge Cases

Tighter offboarding often increases operational overhead, requiring organisations to balance fast revocation against the need to preserve evidence, maintain business continuity, and avoid breaking shared dependencies. Best practice is evolving here, especially where reports are delivered through BI platforms, data warehouses, or vendor portals that do not support clean identity propagation.

Some edge cases need explicit handling. Contractors may be removed through different HR processes than employees. Shared mailboxes or delegated reporting rights may survive even when the user account is disabled. Privileged reporting roles may be held in a separate PAM or admin plane, which means termination in the core directory does not fully remove access. In environments with local caching or delayed sync, the account can remain active long enough to expose sensitive reports unless TTLs and session revocation are enforced.
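The offboarding sequence above and the edge cases just described can be checked mechanically. The following is an added example, not code from NHIMG or any vendor: it takes a constructed HR termination event and a constructed inventory of grants from several planes (directory, BI platform, mail delegation, PAM, API gateway) and reports every grant that still serves the former user once an assumed sync TTL has elapsed, treating a disabled directory account as insufficient on its own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not pulled from any real system: one HR termination
# event and an inventory of grants gathered from each access plane afterwards.
# Rows are (system, principal holding the grant, grant, user it serves, state).
SYNC_TTL = timedelta(hours=1)  # assumed worst-case directory sync lag
TERMINATION = {"user": "j.doe",
               "effective": datetime(2026, 6, 1, 17, 0, tzinfo=timezone.utc)}
INVENTORY = [
    ("directory",   "j.doe",          "account",                "j.doe",   "disabled"),
    ("directory",   "j.doe",          "group:finance-readers",  "j.doe",   "active"),
    ("bi-platform", "j.doe",          "subscription:q-revenue", "j.doe",   "active"),
    ("mail",        "shared-finance", "delegate:j.doe",         "j.doe",   "active"),
    ("pam",         "j.doe",          "role:report-admin",      "j.doe",   "active"),
    ("api-gateway", "svc-export",     "key:owner=j.doe",        "j.doe",   "active"),
    ("bi-platform", "a.smith",        "subscription:q-revenue", "a.smith", "active"),
]


def lingering_access(termination, inventory, now, sync_ttl=SYNC_TTL):
    """Return (system, principal, grant, status) for every grant that still
    serves the terminated user. A disabled directory account is not enough:
    group memberships, report subscriptions, delegated mailbox rights, PAM
    roles and API keys held by other principals are checked in their own plane.
    Status is 'pending-sync' inside the TTL window and 'overdue' after it."""
    deadline = termination["effective"] + sync_ttl
    status = "overdue" if now >= deadline else "pending-sync"
    return [(system, principal, grant, status)
            for system, principal, grant, serves, state in inventory
            if serves == termination["user"] and state == "active"]


def revocation_plan(findings):
    """Group lingering grants by system so each system owner receives a
    concrete revoke-and-attest list rather than a generic review ticket."""
    plan = {}
    for system, principal, grant, _ in findings:
        plan.setdefault(system, []).append(f"{principal}:{grant}")
    return plan


def owner_can_attest(termination, inventory, now, sync_ttl=SYNC_TTL):
    """Attestation is valid only after the sync window has closed with no
    active grant left that serves the user."""
    return now >= termination["effective"] + sync_ttl and \
        not lingering_access(termination, inventory, now, sync_ttl)


if __name__ == "__main__":
    check_time = TERMINATION["effective"] + 2 * SYNC_TTL
    for system, items in revocation_plan(
            lingering_access(TERMINATION, INVENTORY, check_time)).items():
        print(f"{system}: revoke {', '.join(items)}")
```

Re-running the check after each owner's revocation, until owner_can_attest returns True for every plane, is what turns "the account was disabled" into evidenced revocation.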

NHIMG’s broader research on the identity lifecycle and breach persistence in 52 NHI Breaches Analysis reinforces a useful lesson: stale access is often found only after damage has already occurred. When former employees can still reach reports, the practical question is not only who approved access, but which control failed to remove it before trust expired.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Former-employee access is a lifecycle revocation failure for identity and secrets.
NIST CSF 2.0                     | PR.AC-4             | Access revocation and least privilege are central to stopping post-termination access.
NIST Zero Trust (SP 800-207)     | PA.PA-1             | Zero trust requires continuous verification, including after employment ends.

Map every offboarding step to NHI-01 and verify credentials, tokens, and entitlements are removed immediately.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 12, 2026.