Hiring and departures are routine business events—handled by HR, managed through established processes, tracked in systems that have nothing to do with IT. Except that they do. Every new employee who joins your organization receives access to systems, data, and tools. Every departing employee who leaves takes with them the ability—if it is not actively revoked—to continue accessing those same resources. The gap between how businesses think about staff transitions and how those transitions affect their security posture is one of the most consistent and preventable sources of risk in any organization.
When a new employee starts, there is natural pressure to get them productive quickly. Access provisioning—setting up accounts, granting permissions, configuring devices—often happens in a rush and without a formal process. The result is predictable: employees end up with access to systems they do not need for their role, permissions that were copied from a colleague without being reviewed, and accounts created across platforms without any central record of what was provisioned.
This access sprawl is not just an administrative inconvenience. From a security perspective, every account and permission that exists without a business justification is an unnecessary attack surface. An employee account with administrative rights it does not need is a higher-value target than one with appropriate, minimal access. And without a complete record of what was provisioned at onboarding, there is no reliable way to ensure it is all removed at departure.
Incomplete offboarding is one of the most documented and persistent security failures in organizations of all sizes. Studies of data breaches and insider incidents consistently find that former employee credentials—accounts that were never disabled, cloud application access that was never revoked, shared passwords that were never rotated—feature prominently in unauthorized access events.
The risk is not limited to malicious intent. A former employee who retains access to business systems may not intend to misuse it—but if their personal credentials are subsequently compromised in a breach of an unrelated service, that access becomes a vector into your environment through no fault of their own. The only reliable protection is ensuring that departure severs access completely and immediately.
Offboarding has become significantly more complex as organizations have adopted more cloud-based applications. In the era of on-premises software, IT managed access centrally and could disable a user account to cut off access across most systems. In a modern SaaS environment, an employee may have active accounts in dozens of applications—some provisioned by IT, many adopted independently through shadow IT. Disabling the primary identity provider account cuts off SSO-connected applications but misses anything that was set up with a separate login.
Maintaining a complete inventory of the applications employees use, enforced through a combination of IT-managed provisioning and regular access audits, is the prerequisite for complete offboarding. Without it, there is no reliable way to know when the job is done.
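The reconciliation such an inventory makes possible, as an added example that is not part of the original article: it compares a constructed IdP export, a constructed application inventory and constructed per-app user exports, flags local-login accounts still held by departed users and accounts the IdP does not know at all, and marks inventoried apps with no export as unverifiable. All data, app names and the `sso` field are assumptions.

```python
"""Offboarding reconciliation: find SaaS access that outlives the IdP identity."""
from dataclasses import dataclass

# Constructed IdP export: email -> lifecycle status.
IDP_USERS = {
    "alice@example.com": "active",
    "bob@example.com": "deactivated",  # departed; IdP account already disabled
    "carol@example.com": "active",
}

# Constructed application inventory (every app employees are known to use).
INVENTORY = {"crm", "billing", "design-tool", "hr-portal"}

# Constructed per-app user exports. SSO apps inherit the IdP decision; apps
# with their own local logins do not, which is where orphaned access hides.
APP_EXPORTS = {
    "crm": {"sso": True, "users": ["alice@example.com", "bob@example.com"]},
    "billing": {"sso": False, "users": ["bob@example.com", "carol@example.com"]},
    "design-tool": {"sso": False, "users": ["alice@example.com", "bob.p@gmail.example"]},
}


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    reason: str


def reconcile(idp_users, inventory, app_exports):
    """Return the access an IdP-only offboarding would miss, plus apps we cannot check."""
    findings = []
    for app in sorted(inventory | set(app_exports)):
        if app not in app_exports:
            findings.append(Finding(app, "*", "no user export received; offboarding cannot be verified"))
            continue
        export = app_exports[app]
        for account in export["users"]:
            status = idp_users.get(account)
            if status is None:
                findings.append(Finding(app, account, "no matching IdP identity (shadow IT or personal login)"))
            elif status == "deactivated" and not export["sso"]:
                findings.append(Finding(app, account, "departed user still holds a local login"))
            # deactivated + SSO: disabling the IdP account already blocks access
    return findings


if __name__ == "__main__":
    for f in reconcile(IDP_USERS, INVENTORY, APP_EXPORTS):
        print(f"{f.app:12} {f.account:24} {f.reason}")
```

Run against real exports, an empty result is the only evidence that offboarding for that user is actually done.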
The moment an employee joins your organization, the clock starts on a process that needs to be undone—cleanly and completely—the moment they leave. The organizations that handle this well do not treat it as an IT task to be completed when time allows. They treat it as a security-critical process with defined steps, clear ownership, and zero tolerance for incomplete execution. Given how frequently former employee access features in breach investigations, that level of discipline is not excessive. It is appropriate.