Identity Offboarding Checklist: How to Reduce Risk and Strengthen Governance Across Cloud, SaaS and AD

Identity security is one of the most fundamental controls in any organisation, yet it is still one of the most common sources of avoidable risk.

When a member of staff leaves, changes role, or moves between departments, their access should update immediately and consistently across every system. In many organisations, it does not.

The result is predictable. Dormant accounts remain active for weeks or months. SaaS tools with no central ownership continue granting access long after a user has left. Local admin rights linger without review. These gaps create real exposure and are a common factor in many of the incidents we are asked to investigate.

Recent events such as the Louvre breach illustrate how a single unmanaged account or weak credential can escalate into a significant organisational failure. These are not advanced attacks. They are the result of basic governance controls not being applied consistently.

This guide sets out the practical steps every organisation can take to close identity offboarding gaps and build a reliable, repeatable, and auditable process that reduces risk.

Why Identity Offboarding Still Fails

Identity offboarding sounds simple, yet it consistently breaks down in large environments. The reasons are nearly always the same.

1. HR is not connected to identity systems

When HR removes a leaver from payroll or updates their role, the change is not reflected in identity systems. Cloud platforms, SaaS tools, and legacy apps all operate on their own timelines and processes. Without direct integration, identity teams rely on manual tasks that are easy to miss.

2. SaaS sprawl creates shadow identities

Departments adopt SaaS applications directly, often outside procurement or governance. These tools are rarely connected to the central Identity Provider, which means user access must be removed manually. This is rarely done reliably.

3. Legacy systems sit outside modern controls

Older systems that cannot integrate with SSO or the central IdP rely on local accounts. These accounts are easy to forget, difficult to track, and almost never deprovisioned correctly.

4. No single owner is accountable

HR believes IT will remove access. IT believes HR has logged the leaver. Application owners assume someone else has handled it. With no clear ownership model, gaps appear quickly.

5. Volume and complexity overwhelm manual processes

In organisations with thousands of employees and hundreds of applications, manual offboarding is unmanageable. Without automation, errors are inevitable.

What Good Identity Offboarding Looks Like

Strong identity offboarding has three characteristics:

It is automated, connected, and consistent.

HR becomes the authoritative source of truth for identity events. When a leaver is recorded in the HR system, identity changes flow automatically to the central IdP, cloud platforms, and SaaS tools. Local accounts are minimised and monitored. Evidence is logged and auditable.

This model reduces risk, reduces manual effort, and ensures that access is removed at the point of departure, not weeks later.

The Identity Offboarding Checklist

Use this checklist as a baseline for securing leavers across cloud, SaaS, and legacy environments. This is written for CIOs, CISOs, IT Directors, and governance leads who want a clear, practical framework.

Step 1: Link HR to the Identity Provider

The HR system must be the primary trigger for all identity lifecycle events. When HR marks a user as a leaver:

  • Their status is updated in the IdP automatically.

  • Downstream access is revoked at the same time.

  • No manual intervention is required to initiate the process.

This removes ambiguity and ensures offboarding begins instantly.

Step 2: Revoke Access Across All Digital Platforms

Once the IdP is updated, access should be removed automatically across:

  • Cloud platforms (Azure, AWS, GCP)

  • Internal Active Directory

  • Core enterprise applications (ERP, CRM, Finance, HR)

  • SaaS tools federated to SSO

  • Developer platforms and CI/CD systems

  • VPN and remote access tools

Access to email, collaboration platforms, and remote access systems should be revoked immediately. Token invalidation should happen in real time rather than waiting for tokens to expire.

Step 3: Close or Rotate Accounts Not Integrated with the IdP

Not every system integrates perfectly. For anything outside the IdP workflow:

  • Disable the account

  • Reset or rotate passwords

  • Remove group memberships

  • Remove access keys or API tokens

  • Log the action for audit

Shared or system accounts should be reviewed to ensure the leaver’s credentials do not persist. Privileged and local admin accounts must be prioritised.

Step 4: Remove from Groups, Roles, and Privileged Access

The leaver should be removed from:

  • Security groups

  • Azure AD roles

  • AWS IAM roles

  • GCP IAM bindings

  • SaaS admin permissions

  • Local administrator groups

Any privileged access should be revoked first. This reduces blast radius immediately.

Step 5: Recover Licences and Assign Assets

Deprovisioning is also an opportunity to recover:

  • SaaS licences

  • Cloud subscriptions

  • Expensive enterprise seats

  • Hardware tokens

  • Device management profiles

This improves cost efficiency and ensures assets are not lost.

Step 6: Review Shared Credentials and API Keys

If a leaver had access to:

  • Shared passwords

  • Shared API keys

  • Admin service accounts

  • Break-glass credentials

these must be rotated immediately. This is one of the most common sources of post-departure exposure.

Step 7: Produce an Audit Log of All Actions

A complete record should be available showing:

  • Date of leaver event

  • Systems where access was removed

  • Time stamps for each system

  • Outstanding manual actions

  • Final sign-off

This is essential for internal audit, external regulators, and governance assurance.
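The seven steps above form one procedure, so the following is an added example (not code from the original article or from any product it describes) showing how they fit together in a single HR-triggered run. It works against an in-memory model of an IdP, a cloud tenant and one legacy application that sits outside the IdP; every system, user, group, role, licence and secret name is constructed, and the rule that role or group names containing "admin", "owner" or "break-glass" count as privileged is an assumption. Privileged access is stripped first (Step 4), the non-integrated system is recorded as an outstanding manual action rather than silently assumed done (Step 3), shared secrets the leaver could have known are rotated (Step 6), and the audit record only gets an automatic sign-off when nothing is left for a human to do (Step 7).

```python
# Added example (not from the original article): an HR-triggered offboarding
# orchestrator run against an in-memory model of an IdP, a cloud tenant and one
# legacy app. Every system, user, group, role and secret name is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets

PRIVILEGED_MARKERS = ("admin", "owner", "break-glass")  # assumption: these mark privileged names


@dataclass
class Account:
    enabled: bool = True
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    api_keys: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    licences: set = field(default_factory=set)
    password_generation: int = 0  # bumped on every rotation


@dataclass
class System:
    """A directory or application; integrated=False means it sits outside the IdP."""
    name: str
    owner: str
    integrated: bool = True
    accounts: dict = field(default_factory=dict)        # user -> Account
    shared_secrets: dict = field(default_factory=dict)  # secret name -> users who know it
    secret_values: dict = field(default_factory=dict)   # secret name -> current value


def is_privileged(name):
    return any(marker in name.lower() for marker in PRIVILEGED_MARKERS)


def offboard(hr_event, systems, now=None):
    """Run Steps 1 to 7 for one HR leaver event and return the audit record."""
    if hr_event.get("status") != "leaver":  # Step 1: HR is the only trigger
        raise ValueError("offboarding is only triggered by an HR leaver event")
    now = now or datetime.now(timezone.utc)
    user = hr_event["user"]
    audit = {"user": user, "leaver_date": hr_event["leave_date"],
             "actions": [], "outstanding": [], "signoff": None}

    def log(system, action):
        audit["actions"].append({"system": system, "action": action, "at": now.isoformat()})

    # Step 4 first: strip privileged roles and groups everywhere to cut the blast radius.
    for s in systems:
        acct = s.accounts.get(user)
        if acct is None:
            continue
        for kind in ("roles", "groups"):
            members = getattr(acct, kind)
            for item in sorted(x for x in members if is_privileged(x)):
                members.discard(item)
                log(s.name, f"removed privileged {kind[:-1]} {item}")

    # Steps 2, 3 and 5: disable, kill sessions, revoke keys, clear remaining
    # memberships, rotate the password and recover licences, system by system.
    for s in systems:
        acct = s.accounts.get(user)
        if acct is None:
            continue
        acct.enabled = False
        log(s.name, "account disabled")
        log(s.name, f"invalidated {len(acct.sessions)} session(s), revoked {len(acct.api_keys)} API key(s)")
        log(s.name, f"removed memberships {sorted(acct.groups | acct.roles)}")
        log(s.name, f"recovered {len(acct.licences)} licence(s)")
        for coll in (acct.sessions, acct.api_keys, acct.groups, acct.roles, acct.licences):
            coll.clear()
        acct.password_generation += 1
        log(s.name, "password rotated")
        if not s.integrated:  # Step 3: the manual path is recorded, not assumed done
            audit["outstanding"].append(f"{s.name}: owner {s.owner} to confirm removal")

    # Step 6: rotate every shared secret the leaver could have known.
    for s in systems:
        for name, holders in s.shared_secrets.items():
            if user in holders:
                s.secret_values[name] = secrets.token_hex(16)
                holders.discard(user)
                log(s.name, f"rotated shared secret {name}")

    # Step 7: sign-off is automatic only when nothing is left for a human to do.
    if not audit["outstanding"]:
        audit["signoff"] = f"automated at {now.isoformat()}"
    return audit


def sample_environment():
    """Constructed sample: an IdP, a cloud tenant and a legacy finance app."""
    idp = System("idp", owner="identity-team")
    idp.accounts["j.doe"] = Account(groups={"staff", "Global-Admins"},
                                    sessions={"sess-1", "sess-2"}, licences={"E5"})
    cloud = System("aws", owner="platform-team")
    cloud.accounts["j.doe"] = Account(roles={"ReadOnly", "AccountOwner"}, api_keys={"key-1"})
    cloud.shared_secrets["break-glass-root"] = {"j.doe", "a.smith"}
    cloud.secret_values["break-glass-root"] = "old-value"
    finance = System("legacy-finance", owner="finance-apps", integrated=False)
    finance.accounts["j.doe"] = Account(groups={"payments-approvers"})
    return [idp, cloud, finance]
```

Calling `offboard({"user": "j.doe", "status": "leaver", "leave_date": "2024-05-31"}, sample_environment())` returns the audit record: the first two actions are the privileged removals, the legacy finance system appears under `outstanding` with its named owner, and `signoff` stays empty until that manual action is closed. The same run against only the integrated systems signs off automatically, which is the distinction a governance lead wants visible in the evidence.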

What to Automate

To reduce operational effort and eliminate errors:

  • Automatic deprovisioning triggered from HR

  • Automatic licence recovery

  • Automatic removal from cloud and SaaS applications

  • Automatic revocation of tokens and sessions

  • Automatic attestation workflows

  • Automatic reporting to security and audit teams

Automation improves both security and efficiency, and it removes the risk of human error during high-volume periods.

Core Metrics to Measure Maturity

CIOs and CISOs should track:

  • Percentage of applications connected to SSO

  • Percentage of leavers deprovisioned within 60 minutes

  • Number of orphaned accounts per quarter

  • Number of privileged accounts without MFA

  • Percentage of local admin accounts remaining

  • Volume of unassigned or unused licences

These metrics provide a clear picture of operational health.
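As an added example (not from the original article), the following computes four of the metrics above from three data sources a governance team normally already holds: the HR roster, an application inventory with per-account privilege and MFA flags, and the leaver records produced by offboarding runs. All users, applications and timestamps are constructed. It goes slightly beyond the list by reconciling every application against HR to find orphaned accounts, including accounts for people HR has never heard of, and it counts a leaver with no recorded completion as a missed one-hour target rather than ignoring it.

```python
# Added example (not from the original article): the maturity metrics above
# computed from constructed leaver records, an HR roster and an application
# inventory. Every user, application and timestamp below is made up.
from datetime import datetime, timedelta

SLA = timedelta(minutes=60)  # the one-hour target stated in the article


def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def pct_deprovisioned_within_sla(leaver_records):
    """Share of leaver events whose last revocation finished within the SLA.
    A record with no completed_at (still open) counts as a miss."""
    met = 0
    for r in leaver_records:
        if r["completed_at"] is None:
            continue
        elapsed = datetime.fromisoformat(r["completed_at"]) - datetime.fromisoformat(r["hr_event_at"])
        met += elapsed <= SLA
    return pct(met, len(leaver_records))


def orphaned_accounts(hr_roster, app_inventory):
    """(app, user) pairs where the user is not an active person in HR."""
    active = {p["user"] for p in hr_roster if p["status"] == "active"}
    return sorted((app["name"], u) for app in app_inventory for u in app["accounts"] if u not in active)


def privileged_without_mfa(app_inventory):
    return sorted((app["name"], u) for app in app_inventory
                  for u, props in app["accounts"].items()
                  if props["privileged"] and not props["mfa"])


def maturity_report(hr_roster, app_inventory, leaver_records):
    return {
        "pct_apps_on_sso": pct(sum(app["sso"] for app in app_inventory), len(app_inventory)),
        "pct_leavers_within_60m": pct_deprovisioned_within_sla(leaver_records),
        "orphaned_accounts": orphaned_accounts(hr_roster, app_inventory),
        "privileged_without_mfa": privileged_without_mfa(app_inventory),
    }


# Constructed sample data.
HR_ROSTER = [
    {"user": "a.smith", "status": "active"},
    {"user": "b.lee", "status": "active"},
    {"user": "j.doe", "status": "leaver"},
]
APP_INVENTORY = [
    {"name": "idp", "sso": True, "accounts": {
        "a.smith": {"privileged": True, "mfa": True},
        "j.doe": {"privileged": True, "mfa": False}}},
    {"name": "crm", "sso": True, "accounts": {
        "a.smith": {"privileged": False, "mfa": True},
        "x.contractor": {"privileged": False, "mfa": False}}},
    {"name": "legacy-finance", "sso": False, "accounts": {
        "b.lee": {"privileged": False, "mfa": False},
        "j.doe": {"privileged": False, "mfa": False}}},
]
LEAVER_RECORDS = [
    {"user": "j.doe", "hr_event_at": "2024-05-31T09:00:00", "completed_at": "2024-05-31T09:45:00"},
    {"user": "k.ng", "hr_event_at": "2024-05-31T10:00:00", "completed_at": "2024-05-31T12:10:00"},
    {"user": "m.ali", "hr_event_at": "2024-05-31T11:00:00", "completed_at": None},
]

if __name__ == "__main__":
    for key, value in maturity_report(HR_ROSTER, APP_INVENTORY, LEAVER_RECORDS).items():
        print(f"{key}: {value}")
```

On the sample data the report shows two of three applications on SSO, one of three leavers inside the hour, three orphaned accounts (the leaver still present in two systems plus a contractor HR has no record of) and one privileged account without MFA. Each item in the orphaned list is a concrete work item with an application owner attached, which is more actionable than the bare count the metric asks for.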

FAQs

What if an application cannot integrate with the IdP?

You must have a manual process and assigned owner for deprovisioning. Consider replacing the application if it presents ongoing governance issues.

How quickly should a leaver be deprovisioned?

Within one hour. Anything longer increases risk.

What about contractors and third parties?

They should be managed with the same controls and timelines. End dates must be recorded in the HR or vendor management system.

How do we handle service accounts?

No employee should own a service account. Shared accounts should be rotated at every leaver event.

Reduce Risk, Improve Governance, Strengthen Control

Identity offboarding is one of the simplest and most effective ways to reduce organisational risk. Yet it is also one of the most consistently overlooked.

If your organisation wants to strengthen identity governance, close leaver gaps, or automate identity lifecycle management, we can help.

Book a call with our team to discuss your current identity processes and where automation can make the greatest impact.
