Because revocation does not necessarily remove the subscription, data ownership, or delegated app relationship. Many organisations stop at authentication control and never reconcile the application, contract, and license layers. That leaves inactive seats on the books and creates hidden budget leakage that only shows up when the app inventory is cross-checked against leaver records.
Why This Matters for Security Teams
Offboarding leakage is usually treated as an access problem, but spend leakage is a lifecycle problem. When a leaver’s account is disabled, the subscription may still be active, a delegated app relationship may still exist, and the license may still be consuming budget. That is why revocation alone does not close the loop. NHIMG’s NHI Lifecycle Management Guide shows the same pattern in machine identities: if the lifecycle is not reconciled end to end, inactive assets remain live and accumulate cost. The issue is not limited to people-driven SaaS. It also appears in app-to-app integrations, service accounts, and shared automation credentials where ownership is unclear. Industry guidance such as the OWASP Non-Human Identity Top 10 treats lifecycle hygiene as a core control because unmanaged identity sprawl often hides both security and financial exposure. In practice, many security teams encounter leaked spend only after finance reconciles invoices against leaver records, rather than through intentional identity governance.
How It Works in Practice
Effective offboarding requires three reconciliations, not one. First, access revocation should disable authentication and remove active sessions. Second, application ownership should be reassigned so the business system does not retain an orphaned owner or delegated grant. Third, contract and license records should be updated so the organisation stops paying for what is no longer in use.
For human users, this usually means connecting HR leaver events to IAM, SaaS administration, and procurement. For NHIs, it means extending the same workflow to secrets, tokens, and integrations that survive employee departure. NHIMG’s Guide to the Secret Sprawl Challenge is useful here because secret sprawl and license sprawl often share the same root cause: no single control plane knows where the asset is used. Vendor research reinforces the scale of the issue. Entro Security reports that 91% of former employee tokens remain active after offboarding, which illustrates how easily revocation can stop at the authentication layer while the downstream relationship continues.
- Map every application, connector, and delegated permission to an owner and cost centre.
- Trigger offboarding from HR or identity events, then validate against SaaS admin and procurement records.
- Separate access removal from subscription cancellation and license reclamation.
- Audit shared credentials and service accounts for orphaned dependencies before closing the case.
Current best practice is to automate these checks where possible, but there is no universal standard for this yet. These controls tend to break down in federated SaaS estates with shadow IT because the procurement record, identity record, and application owner are often maintained in different systems.
Common Variations and Edge Cases
Tighter offboarding often increases operational overhead, requiring organisations to balance immediate cost recovery against business continuity and audit effort. The tradeoff is most visible when a single account supports multiple apps or a shared integration underpins several workflows. In those cases, cancellation can save money but also break production dependencies if ownership was never documented.
There are also cases where spend should not be removed immediately. A shared enterprise license may remain justified even after one user leaves, and a delegated app may need to remain active until data export, retention, or legal hold obligations are complete. The right question is not only whether access was revoked, but whether the subscription, data ownership, and delegation have been formally re-homed. NHIMG’s Top 10 NHI Issues highlights how lifecycle gaps and secret duplication create hidden residual risk, while the broader 52 NHI Breaches Analysis shows that identity misuse often persists long after the original user or system is gone.
Where organisations rely on manual checklists, finance savings usually lag behind access revocation by days or weeks. That delay is acceptable only if the interim state is tracked explicitly and reviewed by both security and procurement.
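The following Python script is an added worked example, not code from this page or NHIMG tooling. It runs the three reconciliations from the steps above (access, ownership, license) plus a token pass, and it handles the edge cases just described: a delegated app with production dependents is flagged for re-homing rather than cancellation, a seat under legal hold is kept but tracked, and a shared enterprise license produces a review finding with no reclaimable cost. The record shapes, field names, and the sample leaver, IdP, license, delegated-app and token records are constructed assumptions; in a real estate they would be pulled from the HR, IAM, SaaS admin and procurement systems named above.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Leaver:
    user: str
    left_on: date
    legal_hold: bool = False   # data must stay reachable until the hold clears


@dataclass(frozen=True)
class Finding:
    user: str
    layer: str                 # access | ownership | license | token
    subject: str               # account, app, seat or token identifier
    action: str
    monthly_cost: float = 0.0  # > 0 only where spend is genuinely reclaimable


def reconcile(leavers, idp_accounts, licenses, delegated_apps, tokens):
    """One Finding per loop that access revocation alone did not close.

    Record shapes are assumptions for this example:
      idp_accounts   {user: {"enabled": bool, "active_sessions": int}}
      licenses       [{"user", "app", "seat", "monthly_cost", "shared"}]
      delegated_apps [{"app", "owner", "dependents": [workflow, ...]}]
      tokens         [{"owner", "token_id", "active"}]
    """
    findings = []
    for lv in leavers:
        # 1. Access layer: authentication disabled and live sessions gone?
        acct = idp_accounts.get(lv.user)
        if acct and (acct["enabled"] or acct["active_sessions"] > 0):
            findings.append(Finding(lv.user, "access", lv.user,
                                    "disable account and revoke sessions"))
        # 2. Ownership layer: delegated grants are re-homed, never left orphaned.
        for app in delegated_apps:
            if app["owner"] != lv.user:
                continue
            if app["dependents"]:   # cancelling here would break production
                action = ("re-home to a named owner before any cancellation; "
                          "depended on by " + ", ".join(app["dependents"]))
            else:
                action = "re-home or cancel the delegated grant"
            findings.append(Finding(lv.user, "ownership", app["app"], action))
        # 3. License layer: tracked separately from access removal.
        for seat in licenses:
            if seat["user"] != lv.user:
                continue
            if lv.legal_hold:
                action, cost = "keep seat until legal hold clears; track interim state", 0.0
            elif seat["shared"]:
                action, cost = "shared enterprise license: confirm still justified", 0.0
            else:
                action = f"reclaim seat and cancel subscription (paying since {lv.left_on})"
                cost = seat["monthly_cost"]
            findings.append(Finding(lv.user, "license",
                                    f"{seat['app']}/{seat['seat']}", action, cost))
        # 4. Token layer: credentials that outlive the account.
        for tok in tokens:
            if tok["owner"] == lv.user and tok["active"]:
                findings.append(Finding(lv.user, "token", tok["token_id"],
                                        "revoke token and rotate anything it was shared into"))
    return findings


def monthly_leakage(findings):
    """Spend still being paid for seats that can actually be reclaimed."""
    return round(sum(f.monthly_cost for f in findings), 2)


# Constructed sample records: two leavers whose accounts are already disabled.
LEAVERS = [Leaver("alice", date(2026, 3, 31)),
           Leaver("bob", date(2026, 4, 15), legal_hold=True)]
IDP = {"alice": {"enabled": False, "active_sessions": 0},
       "bob": {"enabled": False, "active_sessions": 1}}   # a session survived
LICENSES = [
    {"user": "alice", "app": "DesignSuite", "seat": "S-1041", "monthly_cost": 55.0, "shared": False},
    {"user": "alice", "app": "DataWarehouse", "seat": "ENT", "monthly_cost": 0.0, "shared": True},
    {"user": "bob", "app": "MailArchive", "seat": "S-2207", "monthly_cost": 12.0, "shared": False},
]
DELEGATED = [
    {"app": "ci-deploy-connector", "owner": "alice", "dependents": ["nightly-release", "hotfix-pipeline"]},
    {"app": "calendar-sync", "owner": "bob", "dependents": []},
]
TOKENS = [{"owner": "alice", "token_id": "pat-7f3a", "active": True},
          {"owner": "bob", "token_id": "pat-91c0", "active": False}]


def run_sample():
    return reconcile(LEAVERS, IDP, LICENSES, DELEGATED, TOKENS)


if __name__ == "__main__":
    fs = run_sample()
    for f in fs:
        print(f"{f.user:6} {f.layer:9} {f.subject:28} {f.action}")
    print("monthly spend still leaking:", monthly_leakage(fs))
```

Two design points carry the argument of this section. The access pass and the license pass are independent, so a leaver whose account is cleanly disabled (alice) still surfaces a paid seat and a live token. The legal-hold and shared-license branches emit a finding with zero reclaimable cost rather than skipping the seat, so the interim state is recorded for security and procurement to review instead of disappearing from the case.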
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Lifecycle gaps let orphaned identities and subscriptions persist after offboarding. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identity and credential lifecycle management and entitlement review: access removal must be paired with entitlement cleanup and reassignment. |
| NIST CSF 2.0 | GV.OV-01 | Spend leakage is a governance issue that needs measurement and oversight. |
Reconcile every identity against its owner, usage, and retirement state before closing offboarding.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org