Employee Offboarding Security Checklist
Departing employees: comprehensive offboarding.
Immediate
Employee offboarding is one of the most consequential security events that happens routinely. Every departing employee creates the risk of post-departure access if their accounts are not deprovisioned thoroughly and quickly. The discipline of complete offboarding distinguishes mature security programs from immature ones; the cost of bad offboarding is paid in incidents that come months or years later.
The day-of immediate actions:
- Disable IDP account: The single most important action. Disabling the SSO account at the IDP cuts off authenticated access to every connected application immediately. The departed employee cannot log in anywhere that authenticates through SSO; the cascade is automatic.
- Revoke MFA tokens: Hardware security keys, authenticator apps, SMS-based MFA. Each is revoked in the IDP. The MFA factor cannot be reused even if the employee somehow retained their password.
- Remove from groups: Groups in the IDP that grant access to applications. Slack channels with sensitive data. GitHub teams with repository access. Any group membership that confers access gets removed. The membership removals propagate via SCIM to downstream applications.
- Revoke session tokens: Active sessions in connected applications can persist for hours or days after the IDP disable. Aggressive session revocation (force-logout in major SaaS, revoking tokens in API platforms) closes the gap. The session that was active at the moment of offboarding does not continue.
- Day-of timing: All of these happen on the employee's last day, ideally within minutes of their departure. The HR system triggers the offboarding workflow; the IT systems execute. Human delays in the chain create exposure windows; automation closes the windows.
The day-of actions cover the highest-impact risks. Subsequent phases catch what these miss.
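The session gap described above is easy to underestimate: disabling the IDP account does nothing to a session an application has already accepted, so each such session stays valid until its own expiry unless the application revokes it. The following Python is an added example (not from the original checklist or from any IDP vendor) that, given constructed session records and the moment of the IDP disable, computes how long each live session would outlive the disable and orders the force-logouts longest-first. It also flags the case a practitioner should treat as a separate problem: a session issued after the disable, which means the application authenticated the user without consulting the IDP.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data, not from any real IDP or application. Each Session
# records where the departing user was logged in, when the session was issued,
# and how long the application honours it before going back to the IDP.


@dataclass(frozen=True)
class Session:
    app: str
    issued_at: datetime
    ttl: timedelta
    revoked: bool = False  # True once the app's force-logout / token revoke ran


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


DISABLED_AT = _utc("2024-03-15T17:00:00Z")  # moment the IDP account was disabled

SAMPLE_SESSIONS = [
    Session("github-web", _utc("2024-03-15T09:00:00Z"), timedelta(days=14)),
    Session("wiki", _utc("2024-03-15T16:30:00Z"), timedelta(hours=8)),
    Session("hr-portal", _utc("2024-03-10T08:00:00Z"), timedelta(days=1)),      # already expired
    Session("ci-api", _utc("2024-03-15T10:00:00Z"), timedelta(days=30), True),  # already revoked
    Session("expense", _utc("2024-03-15T17:30:00Z"), timedelta(hours=12)),      # issued after disable
]


def residual_sessions(sessions, disabled_at):
    """Sessions that were live when the IDP account was disabled and that keep
    working until their own expiry unless the application revokes them.
    Returns (app, hours_remaining) sorted longest-first, so the top of the
    list is the first force-logout to perform."""
    out = []
    for s in sessions:
        if s.revoked:
            continue
        expires_at = s.issued_at + s.ttl
        if s.issued_at <= disabled_at < expires_at:
            remaining = (expires_at - disabled_at).total_seconds() / 3600
            out.append((s.app, remaining))
    return sorted(out, key=lambda t: t[1], reverse=True)


def issued_after_disable(sessions, disabled_at):
    """Sessions an application issued after the IDP disable. The app
    authenticated the user some other way (local password, cached credential)
    and is a missed integration that needs its own revocation."""
    return sorted(s.app for s in sessions if s.issued_at > disabled_at and not s.revoked)


if __name__ == "__main__":
    for app, hours in residual_sessions(SAMPLE_SESSIONS, DISABLED_AT):
        print(f"{app:12s} still valid for {hours:6.1f} h after disable")
    for app in issued_after_disable(SAMPLE_SESSIONS, DISABLED_AT):
        print(f"{app:12s} issued a session AFTER disable: authenticating outside the IDP")
```

In practice the session list comes from each application's session or token API; the ordering is what matters, since a two-week web session on a source-control host is a far larger exposure than an eight-hour wiki session.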
Week 1
Day-of actions cover the centralized identity layer. The following week catches the cases where the centralized layer did not cover everything: long-lived API tokens the employee created, SaaS tools that were not integrated with the IDP, third-party services with their own authentication, personal mobile devices with cached credentials.
- Audit recent access: Review the audit logs for the departed employee's recent activity. What systems did they touch in the past 30 days? Each is a potential location of persistent credentials or stored data that needs to be addressed.
- Revoke persistent tokens: API tokens, OAuth tokens, personal access tokens. These can persist independently of the IDP account. The audit identifies them; the revocation invalidates them. The employee's GitHub personal access token, npm publish token, and AWS access key all get rotated.
- Catch missed integrations: SaaS tools that were not integrated with the IDP. Third-party tools the employee accessed via individual logins. Each is a checklist item to verify; missing any leaves an exposure window.
- Inventory devices: Company laptops returned. Mobile devices wiped or returned. Personal devices with cached company data identified and remediated. The endpoint security inventory is reviewed.
- Manager confirmation: The departing employee's manager confirms that offboarding is complete. The confirmation is captured; if anything was missed, the manager is the human in the loop who notices.
Week one is the cleanup phase. The IDP layer caught the obvious access; the audit catches what the IDP missed.
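The two audit steps above (which systems were touched in the last 30 days, and which persistent credentials are still outstanding) can be driven from the same audit-log feed. The following Python is an added example, not part of the original checklist, that scans constructed JSON-per-line audit events for a departed user. The log format, field names and action names are assumptions; a real IDP or SaaS audit stream will differ. The credential check deliberately uses no time window: a publish token created a year ago is still valid, and a review limited to the last 30 days is exactly what would miss it.

```python
import json
from datetime import datetime, timedelta

# Constructed audit-log lines (one JSON object per line), not from any real system.
SAMPLE_LOG = """
{"ts":"2023-11-02T09:15:00Z","user":"jdoe","system":"npm","action":"token.create","cred_id":"npm-tok-constructed-2"}
{"ts":"2024-01-05T14:00:00Z","user":"jdoe","system":"wiki","action":"login"}
{"ts":"2024-02-20T10:00:00Z","user":"jdoe","system":"github","action":"token.create","cred_id":"gh-tok-constructed-1"}
{"ts":"2024-03-01T08:00:00Z","user":"jdoe","system":"aws","action":"accesskey.create","cred_id":"aws-key-constructed-3"}
{"ts":"2024-03-10T12:00:00Z","user":"jdoe","system":"github","action":"token.revoke","cred_id":"gh-tok-constructed-1"}
{"ts":"2024-03-12T14:00:00Z","user":"jdoe","system":"vendor-portal","action":"login"}
{"ts":"2024-03-14T09:00:00Z","user":"asmith","system":"jenkins","action":"login"}
"""

# Assumed action names for credential creation and revocation.
CREATE_ACTIONS = {"token.create", "accesskey.create"}
REVOKE_ACTIONS = {"token.revoke", "accesskey.delete"}


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = _utc(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def recent_systems(events, user, departed_at, days=30):
    """Systems the user touched in the window before departure (the 'what did
    they use' list that seeds the week-one checklist)."""
    start = departed_at - timedelta(days=days)
    return sorted({e["system"] for e in events
                   if e["user"] == user and start <= e["ts"] <= departed_at})


def outstanding_credentials(events, user):
    """Credentials the user created that have no later revoke event, as
    (system, cred_id). No time window: old tokens are still live tokens."""
    created = {}
    for e in events:  # already chronological, so revokes follow their creates
        if e["user"] != user:
            continue
        if e["action"] in CREATE_ACTIONS:
            created[e["cred_id"]] = e["system"]
        elif e["action"] in REVOKE_ACTIONS:
            created.pop(e["cred_id"], None)
    return sorted((system, cred_id) for cred_id, system in created.items())


DEPARTED_AT = _utc("2024-03-15T17:00:00Z")
EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("systems touched in last 30 days:", recent_systems(EVENTS, "jdoe", DEPARTED_AT))
    print("credentials still to revoke:", outstanding_credentials(EVENTS, "jdoe"))
```

Note that the 30-day list does not include the npm registry, yet the npm token is still outstanding; the two views answer different questions and both belong in the week-one review.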
Ongoing
Beyond the initial offboarding, the discipline includes ongoing review to catch the cases where access drifted back, where new exposure paths emerged, or where the offboarding was incomplete.
- Annual review of departed users: Once a year, audit the access state of users who departed in the past year. Confirm they have no active access anywhere. The audit catches the cases where someone was re-enabled inadvertently, where a new tool was added without offboarding the inactive user, or where access had been preserved for a project that has since ended.
- Ensure no residual access: The audit produces a list of access anomalies. Each is investigated and remediated. The pattern over multiple audits informs whether the offboarding process needs improvement.
- Catch drift: New SaaS tools that the team adopted after the employee left. Manually created accounts that were not part of the IDP. Configuration changes that re-granted access. Each is a drift case that the audit catches.
- Process improvement feedback: The audit findings feed back into the offboarding process. Patterns of missed deprovisioning produce updates to the runbook. The next offboarding benefits from the lessons of previous ones.
- Cross-reference with HR: The HR system has the authoritative list of departed employees. Cross-checking this against the active accounts in major systems is the audit's foundation. Any mismatch is investigated.
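The HR cross-reference is the foundation of the annual review, and it is simple enough to implement directly. The following Python is an added example, not from the original checklist or from any product, that reconciles a constructed HR export against constructed per-system account exports. The record layouts are assumptions. It classifies each enabled account belonging to a terminated employee into the three drift cases the list above describes: an account re-enabled after the termination date, an account in a system the IDP does not provision (a manual account), and an account still enabled in a SCIM-managed system (a failed or missed deprovisioning). It also matches e-mail addresses case-insensitively, since a case mismatch between HR and an application is a common reason a departed user slips through a naive join.

```python
from datetime import date

# Constructed sample exports, not from any real HR system or application.
HR_RECORDS = [
    {"email": "jdoe@example.com", "status": "terminated", "termination_date": "2024-03-15"},
    {"email": "rlee@example.com", "status": "terminated", "termination_date": "2023-12-01"},
    {"email": "asmith@example.com", "status": "active", "termination_date": None},
]

# One export per system: whether the IDP provisions it via SCIM, and the
# accounts present with their enabled flag and the last (re-)enable date.
SYSTEM_EXPORTS = [
    {"system": "idp", "scim_managed": True, "accounts": [
        {"email": "jdoe@example.com", "enabled": False, "last_enabled_at": "2021-04-01"},
        {"email": "rlee@example.com", "enabled": True, "last_enabled_at": "2024-02-10"},
        {"email": "asmith@example.com", "enabled": True, "last_enabled_at": "2020-09-14"},
    ]},
    {"system": "github", "scim_managed": True, "accounts": [
        {"email": "JDoe@Example.com", "enabled": True, "last_enabled_at": "2022-06-01"},
        {"email": "asmith@example.com", "enabled": True, "last_enabled_at": "2020-09-14"},
    ]},
    {"system": "vendor-portal", "scim_managed": False, "accounts": [
        {"email": "rlee@example.com", "enabled": True, "last_enabled_at": "2023-05-01"},
    ]},
    {"system": "payroll", "scim_managed": True, "accounts": [
        {"email": "jdoe@example.com", "enabled": False, "last_enabled_at": "2021-04-01"},
    ]},
]


def reconcile(hr_records, system_exports):
    """Return (email, system, finding) for every enabled account that belongs
    to a terminated employee, sorted for stable reporting."""
    departed = {r["email"].lower(): date.fromisoformat(r["termination_date"])
                for r in hr_records if r["status"] == "terminated"}
    findings = []
    for export in system_exports:
        for acct in export["accounts"]:
            if not acct["enabled"]:
                continue
            email = acct["email"].lower()  # normalise: HR and apps often differ in case
            term = departed.get(email)
            if term is None:
                continue  # current employee, nothing to flag
            if date.fromisoformat(acct["last_enabled_at"]) > term:
                kind = "re-enabled-after-termination"
            elif not export["scim_managed"]:
                kind = "unmanaged-account"
            else:
                kind = "residual-access"
            findings.append((email, export["system"], kind))
    return sorted(findings)


def summarize(findings):
    """Count findings by kind; the trend across audits is the process signal."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = reconcile(HR_RECORDS, SYSTEM_EXPORTS)
    for email, system, kind in found:
        print(f"{kind:30s} {system:14s} {email}")
    print(summarize(found))
```

Each finding kind maps to a different fix: a re-enabled account points at whoever re-enabled it and why, an unmanaged account points at a tool that should be brought under SCIM, and residual access in a SCIM-managed system points at a broken provisioning integration.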
Employee offboarding security is one of those quiet operational disciplines that pays back across years. Nova AI Ops integrates with HR systems and IDP audit streams, surfaces the cases where deprovisioning has been incomplete, and produces the audit reports that compliance frameworks expect from access management programs.