
Who is accountable when a leaver still has access after departure?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: NHI Lifecycle Management

Accountability usually sits with the identity, IT, and application owners together because offboarding spans multiple systems and process handoffs. The organisation needs a clear owner for deprovisioning completion, not just account closure. If no one is responsible for verifying each step, residual access is almost guaranteed to recur.

Why This Matters for Security Teams

Leaver access is not just an HR cleanup issue. When an employee departs, their access may persist across IAM, SSO, SaaS apps, cloud roles, API keys, and service accounts, creating a real opportunity for privilege reuse, impersonation, or delayed detection. NHI Management Group’s Ultimate Guide to NHIs shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which is a strong signal that handoff gaps are common.

The accountability question matters because residual access usually survives when ownership is split between identity administration, application teams, and managers, but no one is responsible for proving completion. That creates a control failure even when individual tasks are performed. OWASP frames this broader risk in the OWASP Non-Human Identity Top 10, where unmanaged credentials and lifecycle gaps are treated as core attack paths, not edge cases.

In practice, many security teams discover leaver access only after an audit, a compromise, or a privileged account review has already exposed the gap.

How It Works in Practice

Accountability should be assigned to a named deprovisioning owner, but effective offboarding is shared execution with a single point of verification. The owner is usually identity security, IAM operations, or a control owner in security governance, while IT, HR, application owners, and cloud platform teams each complete their part of the shutdown. The key is that someone must be answerable for the full outcome, not just for submitting the request.

Operationally, best practice is to tie offboarding to authoritative HR departure events, then drive a workflow that closes human accounts, disables sessions, removes group membership, revokes tokens, rotates shared secrets, and validates application-specific access closure. For agentic or automated workloads, the same principle applies to workload identities, not just people. A leaver may leave behind API credentials, delegated OAuth grants, or service account bindings that outlive the user unless those dependencies are explicitly mapped and revoked.

The NHI lifecycle guidance in Ultimate Guide to NHIs — Key Challenges and Risks is especially relevant here because it highlights how visibility and rotation failures turn simple process gaps into standing exposure. The control pattern should include:

  • Authoritative trigger from HR or workforce systems
  • Same-day revocation for interactive access
  • Short TTL or immediate rotation for secrets tied to the leaver
  • Application owner confirmation for high-risk systems
  • Exception tracking when revocation cannot be completed automatically
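The control pattern above can be expressed as a completion check rather than a checklist. The following is an added example, not code from NHI Management Group or any product the page describes: it takes a constructed HR departure event and a constructed inventory of grants tied to the leaver (interactive accounts, secrets, and delegated grants such as OAuth consents or service-account bindings), applies per-kind deadlines that stand in for same-day revocation and short-TTL rotation, requires application owner confirmation on high-risk systems, and returns the exceptions grouped by the asset owner who must close them. Every policy window, identifier and owner name in it is assumed for illustration.

```python
"""Offboarding completion check for a departed user (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: acceptable terminal states and the revocation deadline,
# measured from the authoritative HR departure event, for each kind of access.
POLICY = {
    "interactive": ({"revoked"}, timedelta(days=1)),               # same-day revocation
    "secret":      ({"rotated", "revoked"}, timedelta(hours=4)),   # short TTL / immediate rotation
    "delegation":  ({"revoked", "reassigned"}, timedelta(days=1)), # OAuth grants, SA bindings, mailbox delegation
}


@dataclass
class Grant:
    grant_id: str
    kind: str                       # key into POLICY
    system: str
    owner: str                      # control owner of the asset, accountable for closure
    high_risk: bool
    state: str                      # "active" or one of the terminal states in POLICY
    state_changed_at: Optional[datetime] = None   # evidence of when the state changed
    owner_confirmed: bool = False   # application owner attested closure


@dataclass
class Finding:
    grant_id: str
    system: str
    owner: str
    reason: str
    blocking: bool                  # True: access or evidence still outstanding


def verify_offboarding(departed_at: datetime, grants: list, now: datetime) -> dict:
    """Return a completion report for one leaver.

    The offboarding is complete only when no blocking finding remains: every
    grant is in an acceptable terminal state with a recorded timestamp, and every
    high-risk grant carries an owner confirmation. A closure that happened after
    its deadline is recorded as a non-blocking exception for the audit trail.
    """
    findings = []
    for g in grants:
        ok_states, window = POLICY[g.kind]
        deadline = departed_at + window
        if g.state not in ok_states:
            status = "overdue" if now > deadline else "pending"
            findings.append(Finding(g.grant_id, g.system, g.owner,
                                    f"{g.kind} access still {g.state} ({status}, "
                                    f"deadline {deadline.isoformat()})", blocking=True))
            continue  # nothing else to attest until the access is actually gone
        if g.state_changed_at is None:
            findings.append(Finding(g.grant_id, g.system, g.owner,
                                    f"state {g.state} has no timestamp: no evidence of closure",
                                    blocking=True))
        elif g.state_changed_at > deadline:
            findings.append(Finding(g.grant_id, g.system, g.owner,
                                    f"closed late: {g.state} at {g.state_changed_at.isoformat()}, "
                                    f"deadline {deadline.isoformat()}", blocking=False))
        if g.high_risk and not g.owner_confirmed:
            findings.append(Finding(g.grant_id, g.system, g.owner,
                                    "high-risk system: application owner confirmation missing",
                                    blocking=True))
    return {
        "complete": not any(f.blocking for f in findings),
        "checked": len(grants),
        "findings": findings,
        # Exceptions are routed to the asset owners who must act on them.
        "owners_with_exceptions": sorted({f.owner for f in findings}),
    }


# Constructed sample: one leaver, four grants across SSO, an API, mail and CI.
DEPARTED_AT = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
NOW = DEPARTED_AT + timedelta(days=5)
SAMPLE_GRANTS = [
    Grant("sso-jdoe", "interactive", "corp-sso", "iam-ops", False, "revoked",
          DEPARTED_AT + timedelta(hours=2)),                                   # closed on time
    Grant("apikey-7f3", "secret", "payments-api", "payments-team", True, "active"),  # still live
    Grant("oauth-mail", "delegation", "mail-tenant", "collab-team", False, "reassigned",
          DEPARTED_AT + timedelta(days=2)),                                    # closed late
    Grant("sa-bind-ci", "secret", "ci-runner", "platform-team", True, "rotated",
          DEPARTED_AT + timedelta(hours=1), owner_confirmed=True),             # closed and attested
]

if __name__ == "__main__":
    report = verify_offboarding(DEPARTED_AT, SAMPLE_GRANTS, NOW)
    print("complete:", report["complete"], "| checked:", report["checked"])
    for f in report["findings"]:
        print(f"[{'BLOCKING' if f.blocking else 'exception'}] {f.system}/{f.grant_id} -> {f.owner}: {f.reason}")
```

The report separates two things the text says organisations tend to conflate: whether access is actually gone (blocking findings) and whether the process produced evidence of it on time (late closures recorded as exceptions). The named deprovisioning owner holds the `complete` result; each finding carries the asset owner who has to act on it.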

NIST’s identity guidance in the Digital Identity Guidelines supports the broader principle that identity states must be managed through verifiable lifecycle events, not informal follow-up. These controls tend to break down in decentralized SaaS environments because no single platform owner has complete visibility into where the former user was authorized.

Common Variations and Edge Cases

Tighter offboarding controls often increase coordination overhead, requiring organisations to balance faster deprovisioning against business continuity, shared accounts, and application fragility. Current guidance suggests that the more critical the system, the more explicit the ownership and evidence requirements should be, but there is no universal standard for exactly how many approvals or confirmations are enough.

Edge cases usually involve shared administrative accounts, break-glass access, contractor identities, or automation credentials that were created for the departed person but embedded in a workflow. In those cases, accountability extends to the control owner of the asset, not the individual who originally requested it. If a departed employee had delegated access to a mailbox, repository, cloud role, or CI/CD token, the application or platform owner must verify that the dependency is removed, rotated, or reassigned.

The practical lesson from NHI Management Group research is that offboarding fails most often when teams treat account closure as the same thing as access removal. The Ultimate Guide to NHIs also shows why this matters: 91.6% of secrets remain valid five days after notification, which means delays are not theoretical. In the real world, residual access usually persists because no one owns the final verification step, not because nobody started the process.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-06 | Leaver access often persists through unmanaged NHI lifecycle gaps. |
| NIST CSF 2.0 | PR.AC-4 | Offboarding is access removal and privilege validation across systems. |
| NIST AI RMF | GOVERN | Accountability requires defined ownership and lifecycle governance. |

Verify every NHI tied to a departing user is revoked, rotated, or reassigned before closure.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.