Employee Offboarding Security: The Access Revocation Gaps That Cause Breaches

60%
of corporate data breaches in 2025 involved former employee access that formally remained active after departure
$17.4M
average annual cost of insider-related incidents per organization in the 2025 Ponemon Cost of Insider Risks Report
1 in 4
former employees retain access to at least one corporate system for more than a week after departure
40+
average number of SaaS applications an enterprise employee touches — most not covered by SSO

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The identity provider suspension step in most offboarding checklists handles a fraction of the access problem. When you disable a user in Okta, Entra ID, or Active Directory, you revoke SSO access to applications federated through that IdP. You do not revoke direct-to-application credentials, API keys, shared account access, OAuth token grants authorized by that user, email forwarding rules the user created, or access to systems that authenticate against LDAP without SSO.

This guide catalogs every access category that survives standard IdP offboarding and the specific steps required to close each one. It is organized as a checklist because offboarding security is a process problem, not a technology problem — the tools exist; the documented procedure is what most organizations lack.

Category 1: SSO-federated applications (the easy ones)

SSO-connected applications revoke access automatically when the IdP account is disabled — this is the one category that most organizations handle correctly.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Category 2: Non-SSO SaaS applications (the gap)

The average enterprise uses 130+ SaaS applications. A fraction are SSO-federated. The remainder authenticate via direct username/password, personal Google or Microsoft account login, or email-only login. These do not receive the IdP suspension signal.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Category 3: API keys and programmatic credentials

API keys created by an employee under their account persist indefinitely after IdP suspension. They are the most dangerous surviving access category because they provide programmatic access that generates no login event, may have no authentication logs monitored by your SIEM, and can be used from any IP address.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Category 4: Shared accounts and credentials

Shared account credentials — root account passwords, shared admin logins, vendor portal passwords kept in a team document — are often not tracked to individual users and survive standard offboarding entirely.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Category 5: Email forwarding rules and mailbox access

A common insider threat vector that survives standard offboarding: employees create inbox forwarding rules that send copies of received emails to a personal account before departure. These rules continue forwarding after the corporate account is disabled — as long as the account exists and forwards are active.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The offboarding security checklist

The complete access revocation checklist for any employee departure:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The offboarding security gap is predictable: organizations invest in provisioning processes and neglect deprovisioning processes. Provisioning is urgent and visible; the new employee cannot work without access. Deprovisioning is less urgent and invisible; the former employee's ghost accounts accumulate silently until a breach, an audit, or a disgruntled former employee makes them visible. A documented, tiered offboarding checklist that treats access revocation as a security event rather than an HR administrative step closes this gap before it becomes an incident.

Frequently asked questions

What is a SaaS ghost account?

A SaaS ghost account is an active application account belonging to an employee who no longer works at the organization. These accounts exist in SaaS platforms that are not connected to the corporate identity provider via SSO and therefore do not receive the deactivation signal when the employee's IdP account is disabled. They remain active indefinitely unless the application admin manually deactivates them.

Does SCIM provisioning solve the offboarding problem?

SCIM (System for Cross-domain Identity Management) automated provisioning solves the offboarding problem for applications that support SCIM and have been configured with a SCIM connection to your IdP. When the IdP account is disabled, the SCIM provisioner sends a deactivation request to SCIM-connected applications. This is the right long-term solution but requires each application to support SCIM and each connection to be individually configured. Applications without SCIM support still require manual offboarding.

How often should organizations audit former employee access?

A quarterly access review should include a comparison of active accounts in each major system against current employee roster. Any accounts belonging to people no longer in the employee roster should be investigated immediately. Many compliance frameworks (SOC 2, ISO 27001) require periodic access reviews; using those audit exercises to specifically check for ghost accounts from departed employees is an efficient way to combine compliance and security outcomes.

Sources & references

  1. Ponemon 2025 Cost of Insider Risks Report
  2. Verizon 2025 Data Breach Investigations Report
  3. The Offboarding Gap - Roark Tech Services

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.