
Why do former employees still keep access after offboarding in many organisations?

By NHI Mgmt Group Editorial Team Updated June 10, 2026 Domain: NHI Lifecycle Management

Former employees keep access because offboarding is often treated as a task list instead of a closed lifecycle control. One system may disable a directory account while another SaaS app still trusts a local entitlement or token. The result is residual access that survives the employment event and creates avoidable exposure.

Why This Matters for Security Teams

Offboarding failures are rarely a single missed click. They usually reflect fragmented identity ownership across HR, IAM, SaaS, cloud platforms, and code repositories, where disabling one account does not automatically invalidate downstream entitlements, refresh tokens, SSH keys, or local app trusts. The risk is not just lingering access, but access that remains usable long after the employment event has ended.

This is why lifecycle control matters more than account closure. NHI Management Group’s Ultimate Guide to NHIs notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why residual access is so common. The same control gap appears in human offboarding when teams rely on tickets instead of enforced revocation workflows. The OWASP Non-Human Identity Top 10 frames this as a lifecycle and secrets-governance problem, not merely an IAM housekeeping issue.

In practice, many security teams discover lingering access only after a former employee logs in through a forgotten app, not through a deliberate offboarding control.

How It Works in Practice

Effective offboarding starts by treating identity removal as a coordinated workflow, not a checklist. HR exit data should trigger revocation across the identity stack, and each downstream system needs a defined owner for enforcement. Directory deprovisioning is necessary, but it is not sufficient when SaaS applications, cloud roles, VPNs, secrets stores, and device sessions maintain their own trust state.

Practitioners usually need four actions at the same time: disable primary accounts, revoke active sessions and refresh tokens, remove app-specific entitlements, and rotate any shared secrets the employee could have known or touched. This is especially important where access was granted through delegated admin, service desk exceptions, or local application roles that never flowed back to central IAM. NHI Management Group’s NHI Lifecycle Management Guide is useful here because the same lifecycle logic applies to both human and non-human access when credentials are reused or embedded in workflows.

Strong programs also reconcile identity records after termination. That means checking for orphaned SaaS accounts, unmanaged OAuth grants, personal API tokens, and shadow access paths in collaboration tools. NHI Management Group’s 52 NHI Breaches Analysis is useful here for showing how long-lived credentials and missed revocations turn routine offboarding into a persistence issue. Guidance from the OWASP Non-Human Identity Top 10 and current identity practice both suggest that revocation must be verifiable, not assumed: the system of record should be able to show, for each downstream system, that the account, grant, token or key is gone, rather than that a ticket was closed.

  • Link HR termination events to automated access revocation.
  • Revoke sessions, refresh tokens, and app-specific grants, not just passwords.
  • Rotate shared secrets and review exception-based access paths.
  • Verify removal with post-offboarding access reconciliation.

These controls tend to break down in hybrid environments where dozens of SaaS tools, legacy directories, and manual exceptions create no single source of truth for revocation.

Common Variations and Edge Cases

Tighter offboarding often increases operational overhead, requiring organisations to balance rapid revocation against business continuity and help desk load.

Some environments do not fail because access is forgotten, but because it is intentionally retained for a transition period. Current guidance suggests that these exceptions should be time-bound, approved, and logged, not left open-ended. This is especially true for shared mailboxes, break-glass accounts, and contractor access, where business owners often assume temporary access will self-expire. In reality, temporary access commonly becomes permanent when no one owns the cleanup.

Edge cases also appear when former employees had administrative privileges, used personal OAuth consents, or stored credentials in scripts, CI/CD pipelines, or password managers that are not centrally managed. In those cases, offboarding must include secret rotation and application-level review, not just identity disablement. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both underscore the same point: access persists when ownership is unclear and lifecycle controls are incomplete. There is no universal standard for every exception pattern yet, so policy should define who can approve retention, for how long, and how removal is verified.
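The reconciliation step from the list above and the time-bound retention exceptions just described come down to one check: for every person on the HR termination feed, enumerate each trust relationship that a downstream system still holds on its own (local accounts, OAuth grants, SSH keys, personal API tokens, refresh tokens, and shared secrets the leaver could have known), and flag anything still usable that is not covered by an approved exception that has not yet expired. The Python script below is an added example and not code from NHI Management Group or any of the guides it cites. It assumes three inputs a team would normally export from real systems (an HR termination feed, per-system inventories, and an exception register), all constructed inline here so it runs offline, and it assumes a simple mapping from system-local principals such as jdoe@example.com back to the HR user id.

```python
"""Post-offboarding access reconciliation (added example, not the page's own code).

Assumptions (not from the page): the HR feed maps user id -> termination date,
each inventory record is one trust relationship a system holds on its own,
and SaaS principals are either the bare user id or user@domain. All data is
constructed sample data.
"""
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2026, 6, 10, 12, 0, tzinfo=UTC)  # constructed "run time"

# HR termination feed (constructed): user id -> last day of employment.
TERMINATIONS = {"jdoe": datetime(2026, 6, 1, tzinfo=UTC)}

# Per-system inventory (constructed). The directory account was disabled,
# but several systems still carry their own trust for the same person.
INVENTORY = [
    {"system": "directory", "principal": "jdoe", "kind": "account", "enabled": False},
    {"system": "github", "principal": "jdoe", "kind": "local_account", "enabled": True},
    {"system": "crm-saas", "principal": "jdoe@example.com", "kind": "oauth_grant", "enabled": True},
    {"system": "bastion", "principal": "jdoe", "kind": "ssh_key", "enabled": True},
    {"system": "ci", "principal": "jdoe", "kind": "api_token", "enabled": True,
     "expires": datetime(2027, 1, 1, tzinfo=UTC)},          # long-lived personal token
    {"system": "sso", "principal": "jdoe", "kind": "refresh_token", "enabled": True,
     "expires": datetime(2026, 6, 8, tzinfo=UTC)},          # already expired on its own
    {"system": "finance-saas", "principal": "jdoe", "kind": "local_account", "enabled": True},
    {"system": "vault", "principal": "prod-db-password", "kind": "shared_secret",
     "known_to": ["jdoe", "asmith"], "last_rotated": datetime(2026, 5, 20, tzinfo=UTC)},
    {"system": "github", "principal": "asmith", "kind": "local_account", "enabled": True},
]

# Approved, time-bound retention exceptions (constructed): (system, user) -> approval.
EXCEPTIONS = {
    ("finance-saas", "jdoe"): {"approved_by": "finance-lead",
                               "expires": datetime(2026, 6, 30, tzinfo=UTC)},  # still valid
    ("github", "jdoe"): {"approved_by": "eng-manager",
                         "expires": datetime(2026, 6, 5, tzinfo=UTC)},         # lapsed
}


def user_of(principal):
    """Map a system-local principal back to the HR user id (assumed convention)."""
    return principal.split("@", 1)[0]


def reconcile(terminations, inventory, exceptions, now):
    """Return residual-access findings for every terminated user.

    A finding is any trust that is still usable after termination and is not
    covered by an unexpired approved exception; shared secrets are a finding
    when they were last rotated before the leaver's termination date."""
    findings = []
    for rec in inventory:
        if rec["kind"] == "shared_secret":
            for u in (u for u in rec["known_to"] if u in terminations):
                if rec["last_rotated"] < terminations[u]:
                    findings.append({"user": u, "system": rec["system"],
                                     "principal": rec["principal"], "kind": rec["kind"],
                                     "reason": "shared secret not rotated since termination"})
            continue
        user = user_of(rec["principal"])
        if user not in terminations:
            continue                                   # active employee, out of scope
        if not rec.get("enabled", True):
            continue                                   # already disabled: control worked
        exp = rec.get("expires")
        if exp is not None and exp <= now:
            continue                                   # token/session already dead
        exc = exceptions.get((rec["system"], user))
        if exc is None:
            reason = "no approved exception"
        elif exc["expires"] <= now:
            reason = f"exception approved by {exc['approved_by']} expired {exc['expires'].date()}"
        else:
            continue                                   # valid, time-bound, logged exception
        findings.append({"user": user, "system": rec["system"],
                         "principal": rec["principal"], "kind": rec["kind"], "reason": reason})
    return findings


def summarize(findings):
    """Count findings per kind, the shape a reviewer wants before sign-off."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(TERMINATIONS, INVENTORY, EXCEPTIONS, NOW)
    for f in results:
        print(f"{f['user']:6} {f['system']:13} {f['kind']:14} {f['principal']:18} {f['reason']}")
    print(summarize(results))
```

On the constructed data the script reports five items for jdoe: the GitHub account whose retention exception lapsed, the CRM OAuth grant, the bastion SSH key, the CI token that will not expire for months, and the production database password that was never rotated after the leaver's last day. The disabled directory account, the already-expired refresh token, the finance app covered by a still-valid exception, and the active colleague are correctly left alone. The point of the design is that the exception register, not a human memory of a verbal approval, is the only thing that can suppress a finding, and that it suppresses nothing once its expiry date has passed.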

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Non-Human Identity Top 10 | NHI1: Improper Offboarding (with NHI7: Long-Lived Secrets for the rotation side) | Names the failure described here directly: identities and credentials that stay active after the person or workload that needed them is gone, and secrets that are never rotated.
NIST CSF 2.0 | PR.AA-01 and PR.AA-05 (PR.AC-1 in CSF 1.1) | Identities and credentials must be managed, and access permissions and entitlements defined, enforced and reviewed, which covers provisioning and deprovisioning across systems.
NIST AI RMF | GOVERN | Lifecycle accountability is part of trustworthy identity governance.

Map offboarding to formal deprovisioning workflows and verify removal across all connected services.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org