Accountability sits with the identity and access governance process that failed to remove or certify the entitlement when the role changed or the person left. In practice, that spans HR data quality, IAM automation, and privileged access ownership. If any of those controls are disconnected, excess access will persist.
Why This Matters for Security Teams
Former employees retaining admin access is rarely a single IAM mistake. It is usually a breakdown in joiner-mover-leaver handling, where HR timing, access review ownership, and privileged access governance fail to converge. That matters because admin entitlements are the shortest path from an account mismatch to data theft, configuration tampering, or persistence. NHI Management Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which is a useful reminder that excess access is often systemic, not exceptional.
For security teams, the real question is not only who held the account, but which control failed to remove, certify, or expire the privilege when the employment relationship changed. The OWASP Non-Human Identity Top 10 reinforces the broader pattern: standing credentials and weak lifecycle governance turn identity sprawl into an access persistence problem. In practice, many security teams encounter the issue only after an audit, incident, or regulatory inquiry has already exposed it, rather than through intentional offboarding control testing.
How It Works in Practice
Accountability should be assigned across the control chain, not left as a vague IT issue. HR owns authoritative employment status, IAM owns deprovisioning automation, and PAM owns privileged entitlement reduction and certification. If any handoff is manual or delayed, former employees can retain access long after termination. Current guidance suggests that organizations should treat offboarding as a time-bound control, not an administrative task.
Practically, the most effective pattern is to trigger access removal from authoritative HR events, then validate the result against directory groups, application roles, cloud admin permissions, and privileged sessions. Where admin access is still required during a transition period, JIT elevation with approval and short TTL reduces the chance that standing access survives the move or exit. The NHI Management Group Ultimate Guide to NHIs — Key Challenges and Risks highlights how persistent secrets and excessive privileges expand exposure, which also applies to former staff accounts that were never fully retired.
- Use HR as the source of truth for termination and role change events.
- Automate deprovisioning for directories, SaaS apps, cloud consoles, and PAM vaults.
- Require quarterly or event-driven recertification for all admin entitlements.
- Separate break-glass accounts from named-user admin access and monitor them closely.
- Log and correlate successful, failed, and delayed removal actions for auditability.
Where this guidance breaks down is in organisations with disconnected HR, contractor-heavy operations, or unmanaged local admin accounts, because no single system can reliably revoke privileges it does not know exist.
Common Variations and Edge Cases
Tighter offboarding controls often increase operational overhead, requiring organisations to balance revocation speed against business continuity. That tradeoff shows up most clearly in regulated environments, on-call engineering teams, and merger or divestiture scenarios where access may need to remain temporarily available for handover or evidence preservation. Best practice is evolving here, but the principle is consistent: temporary exceptions should be explicit, time-boxed, and reviewed.
There is no universal standard for every edge case, but several patterns are common. Contractors and third parties may exit without a traditional HR termination event, so access removal must also listen to vendor lifecycle signals. Shared admin accounts create accountability gaps and should be replaced with named identities plus session attribution. In privileged workflows, PAM can reduce risk, but only if standing admin rights are removed rather than merely hidden. The OWASP Non-Human Identity Top 10 is also relevant because many of the same lifecycle failures apply when humans and service accounts are managed with the same weak process. In mature programs, accountability is assigned to the control owner who can prove removal, not to the person who happened to notice the orphaned access.
For broader remediation strategy, the 52 NHI Breaches Analysis shows how identity failures tend to persist when lifecycle governance is reactive rather than continuous.
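As an added example, not from the article or from NHI Mgmt Group, the Python sketch below implements the reconciliation pattern described above: it treats the HR feed and a vendor roster as the lifecycle authorities, checks standing admin entitlements in the directory, cloud and PAM vault against them, flags JIT grants whose TTL has lapsed, and surfaces admin accounts that no authority owns (the contractor and shared-account cases from this section). All identities, group names and dates are constructed.

```python
"""Reconcile standing admin entitlements against lifecycle data. Constructed sample data."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    identity: str
    source: str        # system holding the privilege: directory, cloud, pam, jit
    entitlement: str
    reason: str
    age_days: int      # days the privilege has outlived its authorization

def reconcile(people, entitlements, jit_grants, today):
    """people: {identity: (authority, end_date or None)} merged from the HR feed and
    the vendor roster, so a contractor's exit counts even without an HR termination.
    entitlements: active (identity, source, entitlement); jit_grants: (identity, entitlement, expiry)."""
    findings = []
    for identity, source, ent in entitlements:
        if identity not in people:
            # Shared or local admin with no lifecycle owner: no system can revoke it on exit.
            findings.append(Finding(identity, source, ent, "no_lifecycle_owner", 0))
            continue
        authority, end = people[identity]
        if end is not None and end <= today:
            findings.append(Finding(identity, source, ent,
                                    f"active_after_{authority}_exit", (today - end).days))
    for identity, ent, expiry in jit_grants:
        if expiry <= today:  # a TTL that was never enforced is standing access again
            findings.append(Finding(identity, "jit", ent, "jit_ttl_expired",
                                    (today - expiry).days))
    # Oldest leftovers first: the strongest evidence of a broken handoff.
    return sorted(findings, key=lambda f: -f.age_days)

TODAY = date(2026, 6, 11)
PEOPLE = {
    "alice": ("hr", None),                     # active employee
    "bob": ("hr", date(2026, 5, 1)),           # employee terminated 41 days ago
    "carol": ("hr", date(2026, 6, 20)),        # leaver with a future end date
    "vend-dan": ("vendor", date(2026, 6, 1)),  # contractor ended per vendor roster
}
ENTITLEMENTS = [
    ("alice", "directory", "Domain Admins"), ("bob", "directory", "Domain Admins"),
    ("bob", "cloud", "roles/owner"), ("carol", "pam", "prod-root-vault"),
    ("vend-dan", "cloud", "AdministratorAccess"),
    ("svc-backup-admin", "directory", "Domain Admins"),  # shared account, no owner
]
JIT_GRANTS = [("alice", "prod-break-glass", date(2026, 6, 12)),
              ("carol", "prod-break-glass", date(2026, 6, 10))]

def run():
    return reconcile(PEOPLE, ENTITLEMENTS, JIT_GRANTS, TODAY)
```

Each finding names the control owner who has to prove removal (directory, cloud, PAM or the JIT approver), which is the accountability assignment the section argues for.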
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers lifecycle failure and stale privileged access after employment changes. |
| NIST CSF 2.0 | PR.AC-4 | Addresses access management and timely revocation when roles change or end. |
| NIST AI RMF | | Governs accountability, oversight, and operational controls for identity-driven automation. |
Tie termination events to immediate access revocation and periodic privilege recertification.
Related resources from NHI Mgmt Group
- Who is accountable when former employees still have Microsoft 365 access?
- Who is accountable when employees keep using former employer accounts or data?
- Why do former employees still keep access after offboarding in many organisations?
- What breaks when SOX access evidence still lives in spreadsheets?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org