Someone leaves. HR updates a spreadsheet. IT gets an email — maybe. Three weeks later, their Microsoft 365 account is still active, their VPN credentials still work, and they've just landed at a competitor.
The Story by Stats
| Stat | Source |
|---|---|
| 47% of former employees still had access to company apps after leaving | Spin.AI / Google Workspace study, 2025 |
| 56% of those admitted to logging into a corporate account after their contract ended | Spin.AI, 2025 |
| Only 9% of offboarding processes involved an IT specialist | Beyond Identity, 2025 |
| 32% of companies take more than a week to fully disable a leaver's access | OneLogin / ID Dataweb, 2025 |
| $4.92M average cost of a malicious insider breach in 2025 | IBM Cost of a Data Breach, 2025 |
| 81 days average time to detect and contain an insider threat incident | Ponemon Institute, 2025 |
When an employee leaves your organisation, you probably assume their access goes with them. In practice, the evidence suggests otherwise — often dramatically so.
A 2025 study found that 47% of former employees still had access to important company applications — including Microsoft 365 and Google Workspace — after leaving.[1] More troubling still: of those, 56% admitted to actually logging in after their employment ended.[1] That is not a theoretical risk. It is people actively using credentials they should no longer have, to access systems they should no longer be able to reach.
This is the ex-employee access problem. It is not exotic. It does not require sophisticated hacking. It requires nothing more than a login that was never disabled, and a former employee who knows the URL.
Why this keeps happening: the IT offboarding gap
The root cause is almost always the same: offboarding is treated as an HR event rather than a security event. Someone submits their resignation, HR processes the paperwork, a line manager is notified, and IT — if they hear about it at all — is somewhere at the end of a chain of manual hand-offs, often working from an email or a shared spreadsheet that nobody keeps current.
A Beyond Identity study of more than 1,000 employees and employers across the UK, US, and Ireland found that only 9% of respondents remembered an IT specialist being involved in their offboarding process.[2] The process was most commonly handled by a line manager (33%) or HR representative (31%). In more than one in ten cases, it was left to a fellow co-worker. The people responsible for revoking system access were not in the room.
The mechanics reflect this. The same study found that at best, only half of organisations were taking even the most basic offboarding precautions: just 50% of departing employees were asked to return company devices, only 41% returned digital key tokens, and only 35% had their accounts deleted or reset.[2]
The consequence is predictable. 32% of companies take more than a week to fully disable all access for a leaver — and that is just the accounts they know about.[3] Shadow accounts, third-party application access, shared credentials, and SaaS tools provisioned outside of IT's visibility can persist for months or years without anyone noticing.
The joiner mover leaver process — and where it breaks down
In identity security, the framework for managing user access throughout their employment lifecycle is known as the joiner mover leaver process — or JML. It maps three distinct moments of risk:
- Joiners — new employees who need access provisioned quickly and accurately on day one, based on their role and nothing more.
- Movers — employees who change roles, departments, or seniority. Their access should update to reflect their new function — removing old permissions and adding new ones. In practice, old permissions almost never get removed.
- Leavers — employees departing the organisation. All access should be revoked immediately and completely, across every system, application, and integration.
Most organisations have some version of a joiner mover leaver process on paper. The failure almost universally happens in execution. Joiners tend to be handled reasonably well because there is a clear deadline — the new starter's first day — and visible consequences if it goes wrong. Movers are largely ignored: role changes happen constantly, feel routine, and rarely trigger a formal access review. The result is "privilege creep" — users who accumulate entitlements over time until a mid-level employee holds access to systems they haven't used in two years and shouldn't have access to at all.
Leavers are where the most acute risk sits. CrowdStrike's 2025 Global Threat Report found that 80% of cyberattacks use identity-based attack methods.[4] Former employee accounts are among the most exploitable identity vectors available: they typically have broad access built up over a tenure, their unusual login activity is less likely to be noticed, and the legitimate user is no longer around to report suspicious behaviour on their account.
The identity drift problem: when the JML lifecycle is disconnected, organisations develop a dangerous divergence between active permissions and employment reality. The HR system knows an employee has left. Active Directory does not. That window — whether it lasts a week or six months — is the attack surface.[5]
What happens when it goes wrong
The consequences of poor IT offboarding fall into two broad categories: accidental and deliberate. Both are expensive.
Accidental exposure
Not every ex-employee who retains access intends harm. Public sharing links set to "anyone with the link" persist indefinitely. A shared Google Drive folder containing salary data remains accessible to someone who left 18 months ago. A former developer still has read access to a production database because nobody reviewed their permissions when they changed teams six months before leaving. These are not malicious acts — they are the quiet accumulation of access that was never properly governed.
The cost of negligent insider incidents averaged $676,517 per event in 2025 — and organisations experienced an average of more than 13 such incidents per year.[6]
Deliberate misuse
When access is retained deliberately, the damage is significantly more severe. The average cost of a malicious insider breach reached $4.92 million in 2025 — the highest of any initial attack vector tracked by IBM.[7] These incidents are also the hardest to detect: they use legitimate credentials, generate activity that looks like normal usage, and take an average of 81 days to detect and contain according to the Ponemon Institute.[6]
Real-world examples are consistent and varied. A former vice president retained a shadow account they had created before termination and used it to sabotage records after leaving. A former developer used still-active cloud credentials to delete production infrastructure. A recently departed sales executive downloaded a complete prospect list in the three days before their notice period ended and shared it to their personal email — access that wasn't revoked until the following week.[8]
In each case, the technical mechanism was not sophisticated. It was an account that was not disabled, credentials that were not revoked, or access that was not audited. The attack surface was created not by a hacker, but by an incomplete IT offboarding process.
The SaaS sprawl problem
The challenge has grown considerably harder as organisations adopt more SaaS applications outside of central IT control. A decade ago, revoking access meant disabling an Active Directory account and recovering a laptop. In 2026, the average organisation uses dozens of SaaS tools — many provisioned directly by individual teams — each with its own login, its own permission model, and its own connection to company data.
When a marketing manager leaves, disabling their Microsoft 365 account does not revoke their access to Canva, HubSpot, Mailchimp, Slack, Notion, or any other tool they provisioned through their personal account or a work email alias. A developer's GitHub access, AWS IAM roles, and third-party CI/CD integrations are not covered by SSO revocation if they were set up independently. Freelancers and contractors granted guest access to SharePoint folders or Google Drive are frequently never offboarded at all — their access simply continues, indefinitely, because no process exists to track or end it.
IBM's 2025 analysis found that 46% of data breaches involve dormant or orphaned accounts of this kind.[9] These are not accounts that were actively compromised through a sophisticated attack — they are accounts that were simply forgotten.
What good IT offboarding looks like: a practical checklist
An effective IT offboarding process is not a single action taken on a leaver's last day. It is a structured workflow that begins before someone's notice period ends and accounts for every system, credential, and access point they touched. Here is what it should cover:
- Trigger IT the moment resignation is accepted — not on the last day. The window between resignation and departure is when data exfiltration is most likely to occur. Access reviews and monitoring should start immediately when a departure is confirmed, not when the leaver has already left the building.
- Maintain a complete access inventory. You cannot revoke access you don't know exists. Every system, application, and integration should be catalogued and linked to the individuals who hold access. Without this, IT offboarding is necessarily incomplete — there will always be accounts missed.
- Disable SSO and the primary identity provider first. Disabling the Microsoft Entra ID or Okta account should be the first action on departure day, as it cascades deprovisioning across any application using federated authentication. This is not the end of the process — it is the beginning. Applications not connected to SSO must be handled separately.
- Go beyond the directory. SSO revocation does not cover everything. Manually revoke access to: VPNs, cloud platforms (AWS, Azure, GCP), code repositories (GitHub, GitLab, Bitbucket), project management tools, CRM systems, finance platforms, shared inboxes, and any application provisioned outside of central IT. Sophisticated leavers — or sophisticated attackers using a compromised account — may have created shadow credentials specifically to maintain access after offboarding.[5]
- Revoke and rotate shared credentials the leaver knew. If a departing employee had access to shared admin passwords, API keys, or service account credentials, those must be rotated on departure. Shared credentials do not expire automatically when one person leaves.
- Review and remove third-party access grants. Audit OAuth tokens, API integrations, and any connected applications authorised under the leaver's account. These persist independently of account deactivation in many systems.
- Document everything with a timestamp. For UK businesses operating under UK GDPR, a documented and auditable offboarding process is not just best practice — it is evidence of the "appropriate technical and organisational measures" required by the ICO. In the event of a post-departure data breach, the audit trail of when access was revoked, and by whom, is critical.
- Automate wherever possible. Manual IT offboarding checklists introduce human error, depend on timely communication between HR and IT, and do not scale. Automating provisioning reduces identity-related security incidents by over 67%, according to CloudEagle's 2025 IGA Report.[10] When an HR system records a termination date, the identity engine should begin deprovisioning automatically — not wait for an email.
Don't forget about people who haven't left yet
While leavers represent the most visible risk, the mover stage of the joiner mover leaver process is where unaddressed privilege creep silently accumulates. An employee promoted from junior developer to engineering manager three years ago still has read access to every repository they ever worked on. A finance analyst who moved to sales operations still has access to payroll exports. A PA whose executive left the organisation has retained delegated access to the new executive's calendar and mailbox.
None of these represent deliberate wrongdoing. All of them represent unnecessary access — and unnecessary access, whether held by a current employee or a former one, is a breach waiting for a trigger. Regular access reviews — at minimum annually, quarterly for privileged accounts — are the only mechanism that catches what the joiner mover leaver process misses in day-to-day execution.
The businesses that survive aren't the luckiest — they're the most prepared
The ex-employee access problem is not a niche security concern for large enterprises with complex IT environments. It affects every organisation that has ever hired and lost a member of staff — which is every organisation. It requires no sophisticated attack. It exploits a process failure, not a technical vulnerability.
The organisations that avoid serious incidents are not the ones that got lucky with the people who left. They are the ones that treat IT offboarding as a security-critical event, not an administrative afterthought — with a documented joiner mover leaver process, a complete access inventory, automated deprovisioning, and an audit trail that holds up to scrutiny.
If you don't know how many former employees could log into your systems right now, that is the question worth answering first.
Sources
- Spin.AI, Google Workspace Secure Employee Exit, February 2025. spin.ai
- Beyond Identity, Former Employees Admit to Using Continued Account Access to Harm Previous Employers. beyondidentity.com
- ID Dataweb, Managing Joiner-Mover-Leaver Risk in 2025 with Automated Onboarding and Offboarding, citing OneLogin analysis. iddataweb.com
- Lumos, How to Manage the Joiners, Movers, and Leavers (JML) Process in 2025, citing CrowdStrike 2025 Global Threat Report. lumos.com
- ConductorOne, The Joiner-Mover-Leaver Process for IAM, 2026. conductorone.com
- Ponemon Institute, 2025 Cost of Insider Risks Global Report, via Brightdefense and Syteca analysis. brightdefense.com
- Secureframe, 110+ of the Latest Data Breach Statistics to Know for 2026, citing IBM Cost of a Data Breach 2025. secureframe.com
- DoControl, How Do I Know If Former Employees Still Have Access to Company Data?, 2025. docontrol.io
- CloudEagle, Joiner-Mover-Leaver Best Practices for IT Teams 2025, citing IBM 2025 data. cloudeagle.ai
- CloudEagle, Joiner-Mover-Leaver Best Practices for IT Teams 2025, citing CloudEagle 2025 IGA Report. cloudeagle.ai