Employee Offboarding Security: The Access Revocation Gaps That Cause Breaches

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The identity provider suspension step in most offboarding checklists handles a fraction of the access problem. When you disable a user in Okta, Entra ID, or Active Directory, you revoke SSO access to applications federated through that IdP. You do not revoke direct-to-application credentials, API keys, shared account access, OAuth token grants authorized by that user, email forwarding rules the user created, or access to systems that authenticate against LDAP without SSO.
This guide catalogs every access category that survives standard IdP offboarding and the specific steps required to close each one. It is organized as a checklist because offboarding security is a process problem, not a technology problem — the tools exist; the documented procedure is what most organizations lack.
Category 1: SSO-federated applications (the easy ones)
SSO-connected applications revoke access automatically when the IdP account is disabled — this is the one category that most organizations handle correctly.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Category 2: Non-SSO SaaS applications (the gap)
The average enterprise uses 130+ SaaS applications. A fraction are SSO-federated. The remainder authenticate via direct username/password, personal Google or Microsoft account login, or email-only login. These do not receive the IdP suspension signal.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Category 3: API keys and programmatic credentials
API keys created by an employee under their account persist indefinitely after IdP suspension. They are the most dangerous surviving access category because they provide programmatic access that generates no login event, may have no authentication logs monitored by your SIEM, and can be used from any IP address.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Category 4: Shared accounts and credentials
Shared account credentials — root account passwords, shared admin logins, vendor portal passwords kept in a team document — are often not tracked to individual users and survive standard offboarding entirely.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Category 5: Email forwarding rules and mailbox access
A common insider threat vector that survives standard offboarding: employees create inbox forwarding rules that send copies of received emails to a personal account before departure. These rules continue forwarding after the corporate account is disabled — as long as the account exists and forwards are active.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The offboarding security checklist
The complete access revocation checklist for any employee departure:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
The offboarding security gap is predictable: organizations invest in provisioning processes and neglect deprovisioning processes. Provisioning is urgent and visible; the new employee cannot work without access. Deprovisioning is less urgent and invisible; the former employee's ghost accounts accumulate silently until a breach, an audit, or a disgruntled former employee makes them visible. A documented, tiered offboarding checklist that treats access revocation as a security event rather than an HR administrative step closes this gap before it becomes an incident.
Frequently asked questions
What is a SaaS ghost account?
A SaaS ghost account is an active application account belonging to an employee who no longer works at the organization. These accounts exist in SaaS platforms that are not connected to the corporate identity provider via SSO and therefore do not receive the deactivation signal when the employee's IdP account is disabled. They remain active indefinitely unless the application admin manually deactivates them.
Does SCIM provisioning solve the offboarding problem?
SCIM (System for Cross-domain Identity Management) automated provisioning solves the offboarding problem for applications that support SCIM and have been configured with a SCIM connection to your IdP. When the IdP account is disabled, the SCIM provisioner sends a deactivation request to SCIM-connected applications. This is the right long-term solution but requires each application to support SCIM and each connection to be individually configured. Applications without SCIM support still require manual offboarding.
How often should organizations audit former employee access?
A quarterly access review should include a comparison of active accounts in each major system against current employee roster. Any accounts belonging to people no longer in the employee roster should be investigated immediately. Many compliance frameworks (SOC 2, ISO 27001) require periodic access reviews; using those audit exercises to specifically check for ghost accounts from departed employees is an efficient way to combine compliance and security outcomes.
Sources & references
- Ponemon 2025 Cost of Insider Risks Report
- Verizon 2025 Data Breach Investigations Report
- The Offboarding Gap - Roark Tech Services
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
