Access rights that outlive the employee
Why revoking permissions at offboarding is not a formality, and how to keep it from falling through the cracks.
When an employee leaves, the company thinks about paperwork, knowledge transfer, and - if there is time - finding a replacement. Revoking access rights often ends up at the bottom of that list, or falls off it entirely.
I am not talking about malicious intent. More often it is simply an organisational gap: HR closes the personnel side, IT does not know the person has left, and the former employee can still log into the corporate email or a system with customer data for several weeks - not because they intend harm, but because nobody stopped them.
The scale of the problem
This is not a rare situation. In a mid-sized company with dozens of systems and hundreds of employees, tracking all access manually is difficult. Any given employee may have a corporate account, access to several SaaS services, an account in the document management system, possibly a VPN, remote server access, and cloud service accounts.
If there is no process that explicitly connects an offboarding event to revoking each of those access rights, some of them will stay active. It is a matter of when, not if.
Why this is a risk, not just messiness
Most cases where a former employee uses access that survived offboarding are not deliberate attacks. It is either accidental, an impulse during a conflict, or taking data to a new employer. All three can cause damage.
Customer data passed to a competitor. Access to a financial system used to view information that should no longer be available. Corporate email correspondence continuing for months after a person left.
Beyond direct damage there is a regulatory dimension. If the company processes personal data or operates in a regulated sector, active access by a former employee can be a violation that needs to be explained.
Where control typically gets lost
Large companies with mature IT have identity management systems that automate the process. Smaller and mid-sized companies more often rely on a manual process - or no process at all.
Common places where control is lost:
Third-party SaaS services. When a company uses a dozen cloud tools - each with its own accounts - revoking access at offboarding requires an explicit step for each one. Easy to miss.
Shared credentials. If several employees used a shared login for some service, the departure of one of them changes nothing automatically.
Technical accounts. Developers and system administrators often access servers and systems via SSH keys or personal tokens. If those are stored only locally, they are easy to forget.
What helps
The practical minimum is an offboarding checklist that explicitly lists every system and service and requires confirmation that each access has been revoked. The checklist should cover both obvious items - corporate email, CRM - and less obvious ones: cloud storage, external services, development tools.
The next step is Single Sign-On. If most services authenticate through a single identity provider, disabling one account closes access to most of them in one action. That does not solve the problem completely, but it simplifies it significantly.
Regular audits. Once a quarter or twice a year, compare the list of active accounts in key systems against the current employee list. Discrepancies almost always turn up.
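The audit described above can be done with a short script rather than by eye. The example below is added here and is not code from the original article: it reconciles account exports from several systems, plus an SSH authorized_keys file, against the HR roster and flags accounts that belong to people who have left, accounts with no known owner, and shared logins that need manual review. The roster, the exports, the key lines, the system names and the field layout are all constructed assumptions about what such exports might look like, not any particular product's format.

```python
"""Reconcile account exports from several systems against the HR roster.

Added example, not from the original article. All data below is constructed:
the roster, the account exports and the SSH key lines are made-up samples, and
the system names and tuple layout are assumptions about what an export looks like.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# --- constructed sample data ------------------------------------------------
# HR roster: the source of truth for who is still employed.
ROSTER = {
    "alice@example.com": {"status": "active", "left": None},
    "bob@example.com":   {"status": "left",   "left": date(2024, 3, 1)},
    "carol@example.com": {"status": "active", "left": None},
    "dave@example.com":  {"status": "left",   "left": date(2024, 5, 20)},
}

# One export per system. Each entry: (login, owner e-mail or None, enabled).
# Owner is None for shared or service logins that are not tied to one person.
SYSTEM_EXPORTS = {
    "email": [("alice", "alice@example.com", True),
              ("bob",   "bob@example.com",   True)],
    "crm":   [("bob",   "bob@example.com",   False),   # already disabled
              ("carol", "carol@example.com", True),
              ("support-shared", None, True)],         # shared credential
    "vpn":   [("dave",  "dave@example.com",  True),
              ("alice", "alice@example.com", True)],
}

# Lines from a server's authorized_keys file; the key comment names the owner.
# Key material is a placeholder, not a real key.
AUTHORIZED_KEYS = [
    "ssh-ed25519 AAAA-PLACEHOLDER-KEY-1 alice@example.com",
    "ssh-ed25519 AAAA-PLACEHOLDER-KEY-2 dave@example.com",
    "ssh-rsa AAAA-PLACEHOLDER-KEY-3 deploy",   # no person behind this key
]


@dataclass(frozen=True)
class Finding:
    system: str
    login: str
    reason: str                 # "former_employee", "unknown_owner", "shared_login"
    days_open: Optional[int]    # days since departure, when the owner is known


def audit_accounts(roster, exports, as_of):
    """Return every enabled account that should not be (or cannot be tied to an employee)."""
    findings = []
    for system, accounts in exports.items():
        for login, owner, enabled in accounts:
            if not enabled:
                continue                      # already revoked: nothing to do
            if owner is None:
                findings.append(Finding(system, login, "shared_login", None))
                continue
            person = roster.get(owner)
            if person is None:
                findings.append(Finding(system, login, "unknown_owner", None))
            elif person["status"] != "active":
                days = (as_of - person["left"]).days
                findings.append(Finding(system, login, "former_employee", days))
    return findings


def audit_ssh_keys(roster, key_lines, as_of, host="server"):
    """Treat each authorized_keys line as an account whose owner is the key comment."""
    accounts = []
    for line in key_lines:
        parts = line.split()
        comment = parts[2] if len(parts) >= 3 else None
        owner = comment if comment and "@" in comment else None
        accounts.append((comment or "<uncommented key>", owner, True))
    return audit_accounts(roster, {f"ssh:{host}": accounts}, as_of)


def report(findings):
    """Worst first: longest-open former-employee access at the top."""
    ordered = sorted(findings, key=lambda f: -(f.days_open or 0))
    return [f"{f.system}: {f.login} [{f.reason}"
            + (f", open {f.days_open} days]" if f.days_open is not None else "]")
            for f in ordered]


if __name__ == "__main__":
    today = date(2024, 6, 1)   # fixed "as of" date so the sample is reproducible
    found = audit_accounts(ROSTER, SYSTEM_EXPORTS, today)
    found += audit_ssh_keys(ROSTER, AUTHORIZED_KEYS, today, host="app01")
    print("\n".join(report(found)))
```

In practice the exports come from each system's admin API or CSV download and the roster from HR; the reconciliation logic stays the same. Running the audit on a schedule and treating a non-empty report as a ticket is what turns "once a quarter" from an intention into a control.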
A simple check
If a key person leaves today - how long until all of their access is guaranteed to be closed, and who is responsible for that? If there is no answer, it is a risk worth fixing before it materialises.