Accountability usually sits with the identity governance owner, application owner, and HR or people-operations process that triggered the leaver event. The control failure is rarely one team alone. Effective programmes assign clear ownership for revocation, exception handling, and audit evidence so offboarding does not depend on informal follow-up.
Why This Matters for Security Teams
Offboarding failures are not just an HR process gap. They are an identity control failure that can leave workforce accounts, privileged sessions, and connected service access active long after employment ends. That matters because workforce iam is usually distributed across directories, SaaS apps, PAM, and ticketing workflows, so no single team sees the full blast radius when revocation stalls. Current guidance in the NIST Cybersecurity Framework 2.0 treats identity, access review, and asset protection as shared operational responsibilities, not one-off tasks.
NHIMG research on lifecycle failures shows why this is a recurring risk area. The NHI Lifecycle Management Guide and Top 10 NHI Issues both point to weak lifecycle ownership as a common cause of lingering access, duplicate credentials, and missed revocation steps. A useful benchmark from Entro Security notes that 91% of former employee tokens remain active after offboarding, which underscores how often the control failure survives beyond the people event itself.
In practice, many security teams encounter the account still active only after an incident review, not through intentional offboarding validation.
How It Works in Practice
Accountability should be assigned by control point, not by assumption. HR or people operations usually owns the leaver trigger, identity governance owns the revocation workflow, application owners own edge cases and application-specific disables, and security or IAM owns monitoring, evidence, and exception escalation. That division is consistent with the lifecycle discipline described in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
In a mature offboarding flow, the workflow should be time-bound and auditable:
- The leaver event is generated from the authoritative HR source.
- Identity governance disables the primary directory account and removes group entitlements.
- PAM or privileged tooling revokes elevated roles, checkouts, and session access.
- Application owners handle systems that do not integrate cleanly with central identity controls.
- Security verifies completion, exceptions, and evidence for audit.
For workforce identities, this is where NIST-style governance matters: it is not enough to say access should be removed. The control must define who confirms revocation, who approves exceptions, and who owns retries when downstream systems fail. If a directory disable succeeds but SaaS tokens, VPN access, or cached API keys remain live, accountability must still trace back to the owning control and the system owner that failed to enforce it. That pattern is echoed in NHIMG research on lifecycle breakdowns and in the 2025 State of NHIs and Secrets in Cybersecurity, which highlights how stale access persists when revocation is incomplete.
These controls tend to break down in hybrid environments with manual app-by-app deprovisioning because revocation depends on tribal knowledge and delayed human follow-up.
Common Variations and Edge Cases
Tighter offboarding controls often increase operational overhead, requiring organisations to balance speed against completeness. That tradeoff is real in enterprises with contractors, federated SaaS, or regional HR systems, where a single “offboarded” event may not map cleanly to every identity store. Best practice is evolving, but there is no universal standard for exactly how to split accountability across HR, IAM, app owners, and legal holds.
One common edge case is immediate suspension versus full revocation. Security teams may disable sign-in first, then complete downstream cleanup later when legal, payroll, or investigation requirements are involved. Another is shared or overused accounts, where the leaver event does not cleanly identify all affected access paths. NHIMG has repeatedly highlighted that lifecycle and access sprawl are recurring weaknesses, and implementation teams should treat the Ultimate Guide to NHIs — Standards as a governance reference when defining evidence, ownership, and escalation paths.
The practical answer is that accountability should always land with the named owner of the failed control, even if the root cause began in HR data quality, IAM orchestration, or an application that could not be automated. That is how teams prevent offboarding from becoming a vague cross-functional issue that no one can close.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Offboarding is an identity lifecycle control tied to managed access removal. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege fails when departed users retain unnecessary access. |
| NIST AI RMF | GOVERN | AI RMF governance maps well to accountability for identity process ownership. |
Define accountable owners, escalation paths, and evidence requirements for every offboarding control.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
