The account you forgot to close

Published on
1 minutes read

Every company has a plan for the first day. Almost none have a real plan for the last one.

Onboarding is loud. A new person shows up, they need access, and everyone can see whether it worked. Offboarding is quiet. Someone leaves, the laptop comes back, and the accounts mostly just… stay. That quiet is exactly where risk accumulates.

What actually happens when someone leaves

In most environments I audit, offboarding is a mental checklist owned by one busy person. Suspend the mailbox, maybe. Remove them from chat, eventually. But the shared drives they had access to, the third-party apps they logged into with their work account, the API key they generated two years ago for a project nobody remembers — those almost never get touched.

So you end up with:

  • Former employees who can still log in weeks after their last day
  • Personal phones that keep syncing company files
  • Tokens and service accounts tied to a person who is long gone
  • Group memberships silently handing out access to people who left

None of it is malicious. It is just what happens when leaving depends on someone remembering, instead of on a system.

A live account for someone who left isn't a loose end. It's an unlocked door you've forgotten you have.

Offboarding is the same problem as onboarding, backwards

If one system decides who exists — your HR record, or your directory in Entra — then leaving is just a status change. Flip it, and everything downstream should follow: mail suspended, files handed to a manager, licences reclaimed, tokens revoked, every group membership removed.

The goal is simple: no human should have to remember the twelve places an account lives. The system remembers, every time, in the same order.

Start with the unglamorous audit

Before automating anything, I do the boring part first. List every account and integration, match it against the people who actually still work there, and close the gaps. It is usually a sobering afternoon.

Then we make sure those gaps cannot quietly reopen: access that maps to roles, so removing someone removes everything at once, and an offboarding flow that runs the day they leave — not the quarter after, when someone finally notices.

Onboarding makes a good first impression. Offboarding is what keeps you out of the incident report. Both deserve to be a system, not a habit.