Governance, Ownership & Risk

Who should be accountable when SaaS access is not removed after offboarding?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Accountability should sit with the organisation that owns identity governance for the application, not only with the hiring manager or procurement team. If access remains active after offboarding, the failure is usually a missing lifecycle control and unclear ownership across HR, IT, and application administration.

Why This Matters for Security Teams

When SaaS access is not removed after offboarding, the issue is not just an HR process miss. It is a control failure across identity governance, application ownership, and auditability. The accountable party should be the team that owns the lifecycle of the application identity, because that is where provisioning, deprovisioning, and exception handling must be enforced. Without that ownership, stale access becomes a standing privilege risk.

This matters because delayed revocation is one of the most common ways access lingers beyond employment, contractor, or vendor separation. NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys in the Ultimate Guide to NHIs, and the same lifecycle weakness shows up in SaaS account cleanup. In practice, teams tend to discover the gap during incident response, not during the termination workflow.

Guidance from the OWASP Non-Human Identity Top 10 reinforces the broader lesson: identity sprawl and poor lifecycle control create exposure that is easy to miss until an account is abused. In practice, many security teams encounter lingering SaaS access only after an ex-employee signs in again, rather than through intentional offboarding assurance.

How It Works in Practice

Accountability works best when it is assigned to a named identity owner for each SaaS platform, with HR and IT acting as upstream and downstream control points. HR should trigger the termination event, IT should enforce the directory and SSO side of removal, and the application owner should confirm that the SaaS entitlement is actually revoked, including any local accounts, delegated admin roles, API tokens, and connected integrations.

This is where lifecycle discipline matters more than generic access review. The NHI Lifecycle Management Guide describes the broader pattern: identities must be created, approved, monitored, and retired with explicit ownership at each stage. For SaaS offboarding, that means the system of record for identity status must be clear, and the offboarding control must confirm completion rather than assume it happened. A practical workflow usually includes:

  • termination event from HRIS or case management
  • automatic disablement in IdP and SSO
  • app-owner verification that SaaS-native access is removed
  • revocation of refresh tokens, API keys, and service credentials
  • evidence retained for audit and exception tracking

Where the organisation relies only on the manager or procurement to “close the loop,” orphaned access often survives because neither role can verify technical revocation. NHI Mgmt Group’s Top 10 NHI Issues also underscores that lifecycle blind spots and excessive privilege typically travel together. Current guidance suggests the accountable owner should approve exceptions, but operational control should remain with the platform or identity governance function. These controls tend to break down when SaaS is connected directly to personal email or bypasses the central IdP, because deprovisioning no longer follows a single enforced path.

Common Variations and Edge Cases

Tighter offboarding control often increases administrative overhead, requiring organisations to balance speed of employee exit against the need for reliable revocation. That tradeoff becomes harder when the SaaS estate includes shadow IT, locally managed accounts, or shared admin credentials.

There is no universal standard for this yet, but best practice is evolving toward explicit ownership by application or identity governance teams, with measurable service-level expectations for deprovisioning. If a SaaS app supports SCIM, SSO, or native lifecycle APIs, the application owner should ensure those mechanisms are wired into the offboarding path. If the app does not support automation, the owner should maintain a manual revocation checklist and evidence trail.

Edge cases matter. Contractors, third-party admins, and break-glass accounts may not follow the same workflow as employees, but they still need a clearly assigned accountable owner. The same is true when a terminated user also owns a personal admin token, because disabling the SaaS seat does not necessarily revoke every credential. For broader identity governance context, the Lifecycle Processes for Managing NHIs section shows why retirement controls must be explicit, and the same principle applies to SaaS access. Where shared ownership is vague, accountability dissolves into ticket passing and the access remains active longer than it should.
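The workflow above (HRIS trigger, IdP disablement, app-owner verification, credential revocation, retained evidence) and the edge case just described (a disabled seat that leaves a personal API token or OAuth grant alive) can both be checked by the same reconciliation pass. The following is an added example, not code from NHI Mgmt Group or from any SaaS vendor: it takes constructed HRIS termination events, a constructed IdP state and constructed SaaS-native account records, applies a per-app ownership policy, and reports every terminated user whose access is not provably gone. All record shapes, application names, team names and SLA values are assumptions for the illustration.

```python
"""Offboarding reconciliation: confirm SaaS access is actually gone.

Added example, not NHI Mgmt Group code. Every record below is constructed
sample data; field names, app names, owners and SLA values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed HRIS termination events: the upstream trigger for the workflow.
HRIS_TERMINATIONS = [
    {"user": "alice@example.com", "terminated_on": date(2026, 6, 1)},
    {"user": "bob@example.com", "terminated_on": date(2026, 6, 9)},
]

# Constructed central IdP / SSO state (IT's control point).
IDP_USERS = {
    "alice@example.com": {"active": False},
    "bob@example.com": {"active": True},  # disablement never happened
}

# Constructed per-app policy: named owner, whether lifecycle automation
# (SCIM) exists, and the deprovisioning SLA in days. Apps without SCIM
# run a manual checklist, so they must leave an evidence record behind.
APP_POLICY = {
    "crm": {"owner": "crm-platform-team", "scim": True, "sla_days": 1},
    "analytics": {"owner": "data-eng-team", "scim": False, "sla_days": 3},
}

# Constructed SaaS-native state: local seat, delegated admin roles,
# personal API tokens and OAuth grants created by the user.
SAAS_STATE = {
    "crm": {
        "alice@example.com": {
            "seat_active": False, "admin_roles": [],
            "api_tokens": [{"id": "tok-1", "revoked": False}],  # outlived the seat
            "oauth_grants": [],
        },
    },
    "analytics": {
        "alice@example.com": {
            "seat_active": False, "admin_roles": [], "api_tokens": [], "oauth_grants": [],
        },
        "bob@example.com": {
            "seat_active": True, "admin_roles": ["workspace-admin"], "api_tokens": [],
            "oauth_grants": [{"client": "slack-connector", "revoked": False}],
        },
    },
}

# Constructed evidence trail filed by app owners: (app, user) pairs verified.
EVIDENCE = {("analytics", "alice@example.com")}


@dataclass
class Finding:
    user: str
    app: str            # SaaS app name, or "idp" for the directory itself
    owner: str          # accountable owner who must close the gap
    issues: list = field(default_factory=list)
    sla_breached: bool = False


def residual_access(record):
    """List every entitlement or credential still live for one SaaS account."""
    issues = []
    if record["seat_active"]:
        issues.append("seat still active")
    issues += [f"admin role retained: {r}" for r in record["admin_roles"]]
    issues += [f"API token not revoked: {t['id']}" for t in record["api_tokens"] if not t["revoked"]]
    issues += [f"OAuth grant not revoked: {g['client']}" for g in record["oauth_grants"] if not g["revoked"]]
    return issues


def reconcile(terminations, idp, saas, policy, evidence, today):
    """Return a Finding for every (user, app) where removal is not verified."""
    findings = []
    for event in terminations:
        user, t_date = event["user"], event["terminated_on"]
        age = (today - t_date).days
        if idp.get(user, {}).get("active", False):
            # Assumed 1-day SLA for the directory/SSO disable step.
            findings.append(Finding(user, "idp", "identity-team", ["IdP account still enabled"], age > 1))
        for app, pol in policy.items():
            record = saas.get(app, {}).get(user)
            if record is None:
                continue
            issues = residual_access(record)
            if not pol["scim"] and (app, user) not in evidence:
                issues.append("no revocation evidence on file")  # unverified, not verified
            if issues:
                findings.append(Finding(user, app, pol["owner"], issues, age > pol["sla_days"]))
    return findings


def run(today=date(2026, 6, 11)):
    return reconcile(HRIS_TERMINATIONS, IDP_USERS, SAAS_STATE, APP_POLICY, EVIDENCE, today)


if __name__ == "__main__":
    for f in run():
        flag = "SLA BREACH" if f.sla_breached else "within SLA"
        print(f"{f.user} / {f.app} -> owner {f.owner} [{flag}]: {'; '.join(f.issues)}")
```

Two design choices carry the point of the passage. First, the absence of an evidence record for a non-SCIM app is itself a finding, so "nobody filed anything" is treated as unverified rather than as done. Second, the directory state and the SaaS-native state are checked independently, because the IdP saying a user is disabled says nothing about a personal token or OAuth grant the app still honours.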

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Lifecycle ownership and revocation map directly to stale SaaS access after offboarding. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and revoked when user status changes. |
| NIST AI RMF | | Governance requires accountability for lifecycle decisions and exceptions. |

Assign a single owner for deprovisioning and verify every SaaS identity is removed at termination.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.