Accountability usually sits across HR, IT, and application ownership, but the control owner must be explicit. If no single team owns leaver execution end to end, delayed deprovisioning becomes normal. Organisations should assign one accountable function for identity lifecycle closure, with clear evidence for each removal step.
Why This Matters for Security Teams
Former-employee access is not just an HR closeout problem. It is an identity lifecycle failure that can leave passwords, API keys, service accounts, mailbox rules, SaaS sessions, and privileged entitlements active after departure. The operational risk is highest when ownership is split and no one is accountable for the final deprovisioning step. NHI Management Group highlights that only 20% of organisations have formal processes for offboarding and revoking API keys, which is a strong sign that leaver controls are often incomplete. See the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10 for how weak identity lifecycle controls expand exposure.
Security teams often assume a terminated employee is fully removed once an HR record is closed, but access removal is usually distributed across multiple systems with different owners, queues, and delays. That gap matters because a single lingering credential can still be used to reach internal data, cloud resources, or automation pathways. In practice, many security teams encounter post-exit access only after an audit exception, suspicious login, or incident response review, rather than through intentional offboarding validation.
How It Works in Practice
Accountability needs to be explicit, not implied. The cleanest model is to assign one control owner for identity lifecycle closure, then require every downstream system owner to evidence completion in their domain. That owner is responsible for ensuring HR termination events trigger IT, IAM, application, and secrets workflows in the right order, with confirmations for each removal step. Best practice is evolving toward orchestration and proof, not just ticket closure.
Practically, leaver execution should include immediate disablement of primary identity, revocation of active sessions, removal from groups and roles, rotation or invalidation of shared credentials, and review of delegated access, automations, and federated trust relationships. The 52 NHI Breaches Analysis and the Ultimate Guide to NHIs — Key Challenges and Risks show why visible ownership matters when access is distributed across cloud, code, and operational tooling. Current guidance suggests tracking:
- who approved the leaver event,
- which systems were in scope,
- when each access path was removed,
- what evidence confirms revocation, and
- who signs off on exceptions.
This also aligns with identity governance models that treat deprovisioning as a controlled process, not an administrative courtesy. Where possible, use automated workflows to remove standing entitlements quickly and generate tamper-resistant audit evidence. These controls tend to break down in organisations with manual ticketing, shadow IT, or disconnected SaaS estates because the leaver event cannot reliably reach every access path.
Common Variations and Edge Cases
Tighter offboarding often increases operational overhead, requiring organisations to balance speed against completeness. The tradeoff is real: immediate disablement reduces exposure, but some functions need a short transition window for knowledge transfer, legal hold, or business continuity. Current guidance suggests defining exception handling up front so temporary access is time-bound, approved, and fully logged.
There is also no universal standard yet for the cases where former employees retain access through non-obvious routes such as shared accounts, delegated admin roles, long-lived tokens, cached sessions, or third-party integrations. Those cases are harder because the named user may be removed while the underlying credential remains valid. The right response is to treat the departure as a full access graph review, not only a directory action. For broader NHI governance context, the Ultimate Guide to NHIs is a useful baseline, especially where human exit events intersect with service accounts and automation. In practice, the biggest misses happen when accountability ends at HR closure and nobody owns the final verification that access is actually gone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Leaver access is an identity lifecycle failure that leaves NHI credentials active. |
| NIST CSF 2.0 | PR.AA-01 | Identity management requires timely removal of access when users leave. |
| NIST AI RMF | GOVERN | Accountability and oversight are core to managing identity lifecycle risk. |
Assign one owner to revoke all human and non-human access and verify completion with evidence.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org