Start with Identity
Template · checklist

Secure Offboarding Checklist

Make sure a departing employee or contractor actually loses access everywhere, promptly, with evidence.

Offboarding gaps create orphaned accounts, a top audit finding and a soft target for attackers. Use this to ensure access is removed promptly and verifiably.

Trigger and timing

  • Offboarding is triggered automatically from the HR system of record.
  • Set timing by risk: immediate (at the moment of notification) for involuntary departures and privileged accounts, same business day for standard leavers.

Revoke access

  • Disable the primary identity in the IdP and revoke active sessions and tokens.
  • Deprovision downstream apps via SCIM and verify removal in each app; do not assume the change propagated.
  • Revoke privileged access, vault entries, and standing cloud entitlements.
  • Rotate any shared or service-account credentials the person knew or could have retrieved.
  • Remove from groups, distribution lists, and external/partner systems.

Devices and data

  • Retrieve or remotely wipe company devices.
  • Reassign or preserve owned data, mailboxes, and resources.
  • Remove app passwords, personal access tokens, and API keys they created.

Verify and evidence

  • Confirm no active sessions remain after revocation, in the IdP and in apps that hold their own sessions or refresh tokens; disabling the identity does not by itself end what was already issued.
  • Run a reconciliation report to catch apps the IdP does not manage.
  • Retain evidence of what was removed and when.

Common failure modes

  • SaaS apps outside SCIM are missed and access lingers.
  • Personal access tokens and API keys outlive the account.
  • Contractors and third parties are not in the HR-driven process at all.
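
A reconciliation pass of the kind the checklist calls for, as an added example that is not part of the original page. It takes constructed inventories (an HR roster, the IdP's user list, per-app user exports with a SCIM flag, and a token inventory; every field name is an assumption, not any vendor's schema) and emits one finding per gap, covering each of the failure modes above, plus a timestamped JSON record to retain as evidence. Deadlines follow the timing rule in the checklist: immediate for involuntary or privileged leavers, with 24 hours assumed for "same-day".

```python
"""Offboarding reconciliation (added example, not from the original checklist).

Compares who HR says has left against what the IdP, each application and the
token inventory still report, and produces an evidence record of the result.
All inventories below are constructed sample data with assumed field names;
real runs would pull them from the HR export, the IdP API, per-app user
exports and a token/key inventory.
"""
from datetime import datetime, timedelta, timezone
import json

# HR system of record: the trigger. 'kind' and 'privileged' drive the deadline.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "worker_type": "employee"},
    "bob@example.com":   {"status": "left", "worker_type": "employee",
                          "kind": "voluntary", "privileged": False,
                          "effective": "2024-05-01T09:00:00+00:00"},
    "carol@example.com": {"status": "left", "worker_type": "employee",
                          "kind": "involuntary", "privileged": True,
                          "effective": "2024-05-01T09:00:00+00:00"},
}

# IdP view: lifecycle status, when the account was disabled, and live sessions.
IDP_USERS = {
    "alice@example.com":   {"status": "ACTIVE", "disabled_at": None, "sessions": 2,
                            "worker_type": "employee"},
    "bob@example.com":     {"status": "DEPROVISIONED", "disabled_at": "2024-05-01T15:30:00+00:00",
                            "sessions": 0, "worker_type": "employee"},
    "carol@example.com":   {"status": "DEPROVISIONED", "disabled_at": "2024-05-01T09:45:00+00:00",
                            "sessions": 1, "worker_type": "employee"},
    "dave@vendor.example": {"status": "ACTIVE", "disabled_at": None, "sessions": 1,
                            "worker_type": "contractor"},
}

# Per-application user exports. 'scim' says whether the IdP provisions the app.
APP_USERS = {
    "source-control": {"scim": True,  "users": {"alice@example.com", "carol@example.com"}},
    "crm":            {"scim": False, "users": {"alice@example.com", "bob@example.com"}},
}

# Long-lived credentials with an owner: PATs, API keys, app passwords.
TOKENS = [
    {"id": "pat-1", "owner": "alice@example.com", "system": "source-control"},
    {"id": "key-7", "owner": "bob@example.com",   "system": "crm"},
]

SAME_DAY = timedelta(hours=24)   # assumed SLA for standard leavers


def deadline_for(record: dict) -> datetime:
    """Immediate for involuntary or privileged leavers, same-day otherwise."""
    effective = datetime.fromisoformat(record["effective"])
    if record["kind"] == "involuntary" or record["privileged"]:
        return effective
    return effective + SAME_DAY


def reconcile(hr=HR_ROSTER, idp=IDP_USERS, apps=APP_USERS, tokens=TOKENS) -> list:
    """One finding per gap: access or credentials that should be gone but are
    not, plus identities the HR-driven process never covered at all."""
    findings = []
    leavers = {u for u, r in hr.items() if r["status"] == "left"}

    for user in sorted(leavers):
        rec = hr[user]
        idp_rec = idp.get(user, {})
        # 1. Primary identity still enabled, or disabled later than the risk-based deadline.
        if idp_rec.get("status") != "DEPROVISIONED":
            findings.append({"user": user, "issue": "idp_not_disabled"})
        elif datetime.fromisoformat(idp_rec["disabled_at"]) > deadline_for(rec):
            findings.append({"user": user, "issue": "idp_disabled_late"})
        # 2. Disabling the account does not end sessions that were already issued.
        if idp_rec.get("sessions", 0) > 0:
            findings.append({"user": user, "issue": "sessions_remain"})
        # 3. Still present in an app: SCIM-managed means propagation failed,
        #    otherwise the app is outside SCIM and needs manual removal.
        for app, info in apps.items():
            if user in info["users"]:
                issue = "scim_propagation_failed" if info["scim"] else "unmanaged_app_access"
                findings.append({"user": user, "issue": issue, "system": app})
        # 4. Credentials the person created outlive the account.
        for tok in tokens:
            if tok["owner"] == user:
                findings.append({"user": user, "issue": "token_outlives_account",
                                 "system": tok["system"], "token": tok["id"]})

    # 5. Identities with no HR record at all can never be offboarded by an HR trigger.
    for user, idp_rec in sorted(idp.items()):
        if user not in hr:
            findings.append({"user": user, "issue": "not_in_hr_process",
                             "worker_type": idp_rec["worker_type"]})
    return findings


def evidence_record(findings: list) -> str:
    """Timestamped JSON suitable for retention as audit evidence."""
    return json.dumps({"checked_at": datetime.now(timezone.utc).isoformat(),
                       "clean": not findings, "findings": findings}, indent=2)


if __name__ == "__main__":
    print(evidence_record(reconcile()))
```

Run as-is, the sample data produces six findings: bob still has a CRM account (an app outside SCIM) and an API key; carol was disabled 45 minutes late for an involuntary, privileged departure, still has a live session, and is still in a SCIM-managed app; and dave is a contractor who exists in the IdP with no HR record. The evidence record is what you retain; the findings list is what you work through before closing the ticket.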

Free to copy and adapt. Independent, community-driven, no email gate.