The Employee Departure Checklist: Access Control That Actually Works

An employee gave notice this morning. They'll be gone in two weeks.

How much access to company systems, data, and accounts will they still have after they leave?

If the answer isn't "absolutely zero," you have a problem.

Here's what most companies discover too late: departing employees retain access to dozens of systems, sometimes for months. Email forwarding quietly sends sensitive messages to personal accounts. Shared passwords they helped create still work. VPN access remains active. Admin rights nobody documented stay in place.

The former sales manager who can still access your CRM six months after leaving isn't malicious. You just never revoked the access because nobody thought to check.

Let's fix that.

The Scary Access Audit

Before we talk about offboarding, let's talk about what you're actually securing against.

Run this exercise right now: Pick any employee. List every system they can access. Every password they know. Every admin right they have. Every API key or credential they've created.

How long did that take? Did you get them all?

The Access Nobody Tracks

Email and communication:

• Active email account (obvious)
• Email forwarding rules (not obvious)
• Shared mailboxes and distribution lists
• Slack/Teams workspace access
• Access to direct message history

Business systems:

• CRM with complete customer database
• Accounting software with financial data
• Project management with roadmaps and strategy
• HR systems with employee information
• Analytics platforms with business metrics

Shared accounts:

• Company social media passwords they set up
• Vendor portals using shared credentials
• Client systems using company email
• Industry tools with team accounts
• Marketing platforms with shared logins

Developer and technical access:

• GitHub or GitLab repositories
• AWS/GCP/Azure cloud consoles
• Database access (direct or through tools)
• API keys they generated
• SSH keys on servers
• VPN and network access

Third-party access:

• Zapier workflows with credentials
• Integration platforms with API keys
• Contractor portals they set up
• Client systems they have access to
• Partner platforms and tools

Devices and physical:

• Company laptop with saved credentials
• Personal phone with work apps and data
• Two-factor authentication tied to their phone
• Physical access cards and keys
• Home office equipment with stored passwords

A developer left one of our clients last year. Three months later, his access to production AWS was discovered during a security audit. He could have deployed anything, accessed any data, or deleted infrastructure. He didn't—but he could have.

The Timeline-Based Offboarding Checklist

Employee departures happen in three scenarios: resignation (weeks notice), termination (immediate), and planned transition (months notice). The checklist adapts to each.

Pre-Departure Phase (Notice Period)

For voluntary departures with 2+ weeks notice:

Week Before Last Day

Document everything they know:

• List all systems they access regularly
• Identify credentials they created or maintain
• Document admin rights and special permissions
• Note client/partner systems they manage
• Find shared passwords they know
• Identify workflows that depend on their access

Knowledge transfer logistics:

• Assign ownership of their accounts/data
• Transfer documents to team members
• Change passwords on shared accounts (update in password manager)
• Document undocumented access they have
• Reassign admin rights to others
• Update contact information on external accounts

Communication prep:

• Notify IT/security team of departure date
• Identify who needs their access after they leave
• Plan timing of access revocation (end of last day)
• Prepare client/vendor communication about contact changes

Last Day (Resignation/Planned)

Morning of last day:

• Backup any data in their personal workspace
• Export emails if needed for business continuity
• Document current projects and access needs
• Final knowledge transfer sessions

End of day (after they leave):

• Disable email account (don't delete yet)
• Remove email forwarding rules
• Revoke SSO/directory account
• Remove from communication platforms (Slack, Teams)
• Change shared account passwords they knew
• Deactivate VPN access
• Disable development/database access
• Revoke cloud platform access (AWS, GCP, Azure)
• Remove admin rights across all systems
• Revoke API keys and tokens they created
• Remove from password manager shared vaults
• Trigger MDM wipe of personal devices (if applicable)
• Deactivate physical access cards

Immediate Termination Protocol

For terminations effective immediately:

Within 1 hour:

• Disable SSO/directory account (locks most systems)
• Disable email account
• Revoke VPN access
• Remove from communication platforms
• Disable cloud platform access
• Change critical shared passwords
• Revoke database access
• Trigger remote laptop lock/wipe if not collected

Same day:

• Audit access logs for unusual activity
• Review email for forwarding rules
• Document systems they had access to
• Change remaining shared passwords
• Remove admin rights
• Revoke API keys
• Remove from all business systems
• Deactivate physical access
• Collect equipment or arrange pickup

Different approach, same result: Immediate terminations prioritize speed over perfect documentation. Shut down access first, document second.

Post-Departure Cleanup

Week 1 after departure:

• Audit all systems for remaining access
• Check cloud platforms for orphaned resources (EC2 instances, storage buckets in their name)
• Review code repositories for personal branches or credentials
• Search for hardcoded credentials or API keys in code
• Verify no email forwarding to personal accounts
• Confirm shared account passwords were changed
• Check contractor/vendor access they arranged
• Remove from external platforms (client portals, partner systems)
• Update emergency contact lists

Week 2-4 after departure:

• Convert email to shared mailbox (if needed for business continuity)
• Final review of access logs for activity
• Archive their documents and email
• Remove from all license counts (cost savings)
• Update org charts and contact lists
• Verify no lingering permissions in file sharing
• Check for scheduled tasks/automation in their name

Month 1-3 after departure:

• Review any systems that required special deprovisioning
• Final audit of cloud resource cleanup
• Confirm no unexpected charges from their access/usage
• Update process documentation based on gaps found
• Archive final email and files per retention policy

System-by-System Offboarding Guide

Generic checklists miss specific details. Here's how to actually revoke access in common business systems.

Google Workspace

Immediate actions:

1. Suspend user account (Admin console > Users > Suspend)
2. Check for email forwarding (Gmail > Settings > Forwarding, also check filters)
3. Transfer Google Drive files to manager (Admin > Data > Transfer tool)
4. Remove from shared drives and group memberships
5. Review calendar sharing and delegate access
6. Transfer ownership of Google Groups they created

Later:

• Convert to shared mailbox if needed (keep for 30-90 days)
• Delete account after retention period
• Archive email per legal/compliance requirements

Microsoft 365

Immediate actions:

1. Block sign-in (Azure AD > Users > Block sign-in)
2. Revoke all sessions (force logout)
3. Check for mail forwarding rules (Exchange admin > Recipients > Mailbox delegation)
4. Remove from Teams and channels
5. Transfer OneDrive files to manager
6. Remove from SharePoint permissions
7. Remove from distribution lists and shared mailboxes

Later:

• Convert mailbox to shared mailbox (keep for historical access)
• Remove license (cost savings)
• Delete account after retention period

Salesforce / CRM

Immediate actions:

1. Deactivate user (Setup > Users > Deactivate)
2. Transfer ownership of leads, opportunities, accounts they own
3. Remove from sharing rules and permission sets
4. Check for API integrations using their credentials
5. Review reports and dashboards they created
6. Remove from Chatter groups

Note: Salesforce charges per active user. Deactivate immediately to free license.

Slack / Microsoft Teams

Immediate actions:

1. Deactivate account
2. Export their direct messages if needed for business records
3. Remove from all channels (especially private channels)
4. Transfer ownership of channels they created
5. Revoke any Slack apps or integrations they installed with their credentials

AWS / Cloud Platforms

Immediate actions:

1. Disable IAM user access (delete access keys)
2. Remove from IAM groups
3. Revoke console access
4. Check for EC2 key pairs in their name
5. Review S3 buckets they created
6. Check for running resources in their name (EC2, Lambda functions)
7. Remove from any shared AWS accounts or Organizations

Later:

• Audit CloudTrail logs for their activity
• Clean up orphaned resources
• Review Cost Explorer for unexpected charges

GitHub / GitLab

Immediate actions:

1. Remove from organization
2. Revoke personal access tokens (if you can identify them)
3. Remove SSH keys from repositories
4. Transfer ownership of repositories they own
5. Remove from teams and code review assignments
6. Check for GitHub Actions or CI/CD workflows using their credentials

Later:

• Review commit history for hardcoded credentials
• Check for personal branches with unmerged work

Shared Accounts and Passwords

This is where most companies fail offboarding.

For every shared credential the employee knew:

1. Change the password
2. Update in password manager
3. Notify team who uses that account
4. Verify no automation depends on old password

Common shared accounts:

• Company social media (Facebook, LinkedIn, Twitter, Instagram)
• Vendor portals (shipping, suppliers, service providers)
• Industry-specific platforms
• Client systems using shared credentials
• Marketing platforms (Google Ads, email marketing)

If you don't have a password manager tracking who has access to shared accounts, you can't effectively revoke it. This is the strongest argument for password managers beyond personal convenience.

The Shared Password Problem

Employee leaves. Company Twitter account still uses the password they created two years ago. Instagram too. And the UPS account. And the primary vendor portal.

You have two choices:

Option 1: Change everything they might know

• Time-consuming (hours of password resets)
• Disruptive (team needs new passwords)
• Necessary if you can't confirm what they knew

Option 2: Know exactly what they had access to

• Requires good password management from the start
• Password manager tracks shared vault access
• Change only confirmed shared credentials

Why password managers matter for offboarding:

Without password manager:

• "Did Sarah know the Instagram password?"
• "I think she might have reset it once?"
• "Better change it to be safe... wait, who else needs it?"
• Repeat for 30+ shared accounts

With password manager:

• Check Sarah's shared vault access history
• See she accessed Instagram, UPS, Vendor Portal credentials
• Change those three passwords
• Update in shared vault
• Team gets new passwords automatically

The API Key and Integration Problem

Modern businesses run on integrations. Employees set up Zapier workflows, connect platforms, generate API keys.

What happens when they leave:

API keys they generated keep working. Zapier workflows keep running. Integrations keep accessing data. All using credentials tied to an account that no longer exists.

How to audit and clean up:

Zapier / Integration Platforms

1. Review all zaps/workflows
2. Identify ones created by departing employee
3. Check which use their credentials vs. service accounts
4. Transfer ownership or recreate with service account
5. Test that workflows still work after account deactivation

API Keys

1. Audit each platform for API keys (GitHub, AWS, Stripe, etc.)
2. Check key naming conventions for their name
3. Review key usage logs for their access patterns
4. Rotate keys they created
5. Update systems using those keys

Service Accounts vs. Personal Accounts

The root problem: integrations tied to personal accounts.

Bad pattern:

• Salesforce → Zapier integration using Sarah's Salesforce credentials
• Sarah leaves
• Integration breaks when her account is deactivated
• Panic ensues

Good pattern:

• Salesforce → Zapier integration using service account (integrations@company.com)
• Sarah leaves
• Integration keeps working
• No business disruption

Create service accounts for:

• API integrations
• Automation platforms
• Scheduled tasks
• System-to-system connections

Use personal accounts for:

• Individual user work
• Personal productivity
• Direct user activity

The Physical and Device Problem

Don't forget the physical world.

Company Devices

Laptop/desktop:

• Collect device on last day (or arrange shipping)
• Trigger remote wipe if device not collected
• Check for personal files needing backup
• Wipe and reimage before reassignment
• Remove from device management (Jamf, Intune, etc.)

Mobile devices:

• Remove work email and apps from personal phones
• Trigger MDM wipe of work data
• Revoke mobile device certificates
• Remove from mobile device management

Physical access:

• Deactivate access cards/badges
• Collect physical keys
• Update alarm codes they knew
• Remove from building access systems
• Collect parking passes

Personal Devices with Work Access

BYOD (Bring Your Own Device) challenges:

If employees use personal phones/laptops for work:

• Email apps with saved credentials
• Slack/Teams with message history
• VPN configurations
• Saved passwords in browser
• Work files in Downloads folder

Mitigation:

• Mobile device management (MDM) for work data separation
• Container apps (work profile on Android, managed apps on iOS)
• Remote wipe capability for work data only
• Clear BYOD policy about data removal on departure

Without MDM:

• Trust employee to remove work data
• Change all passwords they might have saved
• Assume they retained some data
• Plan accordingly for sensitive information

The Automation That Breaks

Employee departs. Suddenly things stop working.

Common automation failures:

Scheduled reports: Configured to run as the departed employee, fail when account is disabled.

Database jobs: Scheduled tasks using their credentials can't execute.

Cron jobs: Server automation running under their account stops.

Email automation: Workflows sending from their email address break.

Calendar-based triggers: Zapier zaps triggered by their calendar events fail.

How to prevent:

1. Audit scheduled tasks before offboarding

   • Check cron jobs, SQL jobs, task scheduler
   • Identify tasks running as departing employee
   • Reassign to service accounts

2. Use service accounts for automation

   • Create system users for scheduled tasks
   • Never use personal accounts for business automation
   • Document which automations use which accounts

3. Test deactivation before making it permanent

   • Some systems let you simulate user deactivation
   • Run test offboarding in staging environment
   • See what breaks before it affects production

The Graduated Offboarding Strategy

Not all employees need the same treatment.

Low-Risk Departures

Characteristics:

• Short tenure (less than 6 months)
• Limited access to sensitive systems
• No admin rights or special permissions
• Standard role with standard access

Approach:

• Standard checklist
• Disable primary accounts
• Change any shared passwords they knew
• Standard timeline (end of last day)

High-Risk Departures

Characteristics:

• IT/engineering role with admin access
• Access to financial systems or customer data
• Long tenure with accumulated access
• Departure on bad terms

Approach:

• Accelerated timeline (disable access immediately upon notice)
• Comprehensive audit of all systems
• Review access logs for unusual activity
• Change all shared credentials (assume they know everything)
• Monitor for 30-60 days post-departure

Executive Departures

Characteristics:

• Broad access across company
• Customer and partner relationships
• Strategic information and roadmaps
• Public-facing role

Approach:

• Planned transition with documented access
• Coordinated revocation with communications team
• Transfer of external relationships
• Archival of strategic documents and email
• Extended timeline for knowledge transfer

Contractor/Consultant Endings

Characteristics:

• Project-based access
• Often overlooked in offboarding
• May have access to client systems
• Sometimes no formal departure notice

Approach:

• Scheduled expiration dates on access
• Regular audits of contractor access
• Clear end-date based revocation
• Check if they still need access post-project

The Offboarding Checklist Generator

Every company is different. Build your own checklist.

Step 1: List All Systems

Create master list of every business system:

• Authentication (email, SSO)
• Communication (Slack, Teams, Zoom)
• CRM and sales tools
• Accounting and financial
• Project management
• Development tools
• Cloud platforms
• Shared accounts
• Physical access
• Mobile devices

Step 2: Document Access Patterns by Role

What does each role access?

• Sales: CRM, email, communication, customer systems
• Engineering: GitHub, AWS, database, development tools
• Finance: Accounting, banking, payroll, email
• Marketing: Social media, analytics, email marketing, CMS

Step 3: Identify Critical Timing

What must be disabled immediately vs. what can wait?

Immediate (within 1 hour):

• SSO/directory account
• Email (disable forwarding first)
• VPN and network access
• Cloud platforms with production access
• Financial systems

Same day:

• Communication platforms
• CRM and business tools
• Admin rights
• Shared account passwords

Within 1 week:

• External platforms and portals
• Archive email and files
• Clean up orphaned resources

Step 4: Assign Ownership

Who is responsible for each step?

IT/Security:

• Disable directory accounts
• Revoke VPN access
• Deactivate physical access
• Trigger device wipes

Managers:

• Knowledge transfer coordination
• Transfer file ownership
• Notify clients/partners
• Confirm completion

HR:

• Trigger offboarding process
• Coordinate timeline
• Collect equipment
• Legal/compliance requirements

Step 5: Create Role-Specific Checklists

Generic checklist + role-specific additions:

Base offboarding checklist: Applies to everyone

Plus engineering addendum:

• GitHub/GitLab removal
• AWS/cloud access revocation
• SSH key removal
• API key rotation
• Database access revocation

Plus finance addendum:

• Banking platform access
• Payroll system revocation
• Accounting software deactivation
• Expense system removal

Plus executive addendum:

• Board portal access
• Strategic document archival
• External relationship transfer
• Extended knowledge transfer

The Tools That Help

Manual offboarding works, but tools make it reliable.

Identity and Access Management

If you have SSO (Google, Microsoft, Okta):

• Single account deactivation cascades to connected apps
• Centralized audit of access
• Automated deprovisioning workflows possible

If you don't have SSO:

• Password manager becomes your access tracker
• Document which systems each role uses
• Checklist-based manual revocation

HR / IT Service Management

BambooHR, Rippling, Gusto:

• Trigger offboarding workflows from HR system
• Checklist enforcement
• Integration with IT systems for account deactivation

Without HR automation:

• Shared checklist in project management tool
• Assign offboarding tasks to IT/managers
• Track completion manually

Mobile Device Management

Jamf, Intune, Google Workspace Device Management:

• Remote wipe capability
• Force sign-out of work accounts
• Remove work data from personal devices

Without MDM:

• Trust employees to remove data
• Change all passwords
• Accept some data retention risk

Access Review Tools

Quarterly access audits:

• Review who has access to what
• Identify access that should have been revoked
• Catch offboarding failures

Manual alternative:

• Export user lists from each system
• Cross-reference with employee roster
• Remove accounts for departed employees

What Good Offboarding Actually Looks Like

Six months after proper offboarding implementation:

When someone leaves:

• HR updates status in system
• Offboarding checklist auto-generates
• IT gets notification with role-specific tasks
• Manager coordinates knowledge transfer
• All access revoked by end of last day
• Audit confirms no lingering permissions

Metrics that matter:

• Time to revoke all access: < 2 hours from departure
• Percentage of systems documented: 100%
• Failed offboarding audits: 0
• Average time to complete checklist: 3 hours
• Security incidents from ex-employee access: 0

The Bottom Line

Employee offboarding is not an HR problem. It's a security problem that happens frequently enough to get right.

The departing employee probably isn't malicious. But "probably" isn't a security strategy. And that one time in 50 when someone is upset, or when credentials get phished from their personal email, or when a laptop gets stolen—that's when incomplete offboarding becomes a breach.

Build the checklist before you need it. Test it with the next departure. Update it based on what you missed. Make it systematic.

The best time to plan offboarding is before someone gives notice. The second-best time is right now.

You don't need enterprise IAM tools. You need a documented process that someone actually follows every time.

And if you just discovered that the person who quit three months ago still has VPN access? Fix it today. Then build the checklist so it doesn't happen again.