When an employee or contractor leaves your organisation, every minute of delay in revoking their access is a minute of unnecessary risk. Former employees who retain access to systems, data, and physical facilities after departure are a well-documented source of data breaches, sabotage, and intellectual property theft. The leaver process is not an HR formality — it is a critical security control that must execute reliably, completely, and immediately.
The Leaver Risk Window
- Resignation period. The highest risk begins when an employee gives notice. From that moment, they have both the motive (loyalty has shifted) and the means (existing access) to exfiltrate data.
- Last day failures. Many organisations fail to revoke all access on the employee’s last day. Active Directory accounts may be disabled, but VPN tokens, cloud application passwords, shared service accounts, and physical access badges often persist.
- Contractor offboarding. Contractors are frequently overlooked in leaver processes because they are not managed through the same HR systems as employees. Third-party access must be included in the offboarding checklist.
- Involuntary departures. Employees who are dismissed or made redundant pose an elevated risk. Access should be revoked simultaneously with the notification, not at the end of a notice period.
Building a Reliable Leaver Process
- Comprehensive checklist. Maintain a single checklist covering all access types: Active Directory, email, VPN, cloud applications, shared service accounts, physical access badges, building keys, and any role-specific systems.
- Automated triggers. Integrate your HR system with your identity management platform so that a leaver status change automatically triggers access revocation workflows.
- Same-day execution. All access must be revoked on the employee’s last working day — or immediately for involuntary departures. “We’ll get to it next week” is not acceptable.
- Physical asset recovery. Collect laptops, mobile devices, USB drives, access badges, keys, and any other physical assets on the last day. Do not allow former employees to “drop them off later.”
- Post-departure audit. Run a verification check 48 hours after departure to confirm that all access has been successfully revoked and no residual accounts remain.
Action Steps:
- Audit your current leaver process by checking whether access was fully revoked for the last five departures.
- Create or update a comprehensive offboarding checklist covering all physical and logical access types.
- Integrate your HR system with your identity management platform to automate access revocation triggers.
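The checklist, the 48-hour verification and the "audit the last five departures" action step above all come down to one reconciliation: take the HR leaver feed, check every access inventory for each leaver, and flag what is still live. The script below is an added example (not from the original article or any particular identity platform); the leaver records, system inventories and shared-account holders are constructed sample data, and the field names (`type`, `last_day`) and the rule that an involuntary leaver's deadline is the start of their last day are assumptions. Voluntary and contractor leavers get until the end of their last working day; anything still active after the deadline is reported as overdue, and leavers whose 48-hour post-departure audit is now due are listed separately.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the article): a leaver feed
# as an HR system might export it, plus per-system access inventories.
HR_LEAVERS = [
    {"user": "alice",    "type": "voluntary",   "last_day": "2024-03-01"},
    {"user": "bob",      "type": "involuntary", "last_day": "2024-03-04"},
    {"user": "ctr-dave", "type": "contractor",  "last_day": "2024-02-28"},
]

# user -> True while the account, credential or badge is still active.
INVENTORIES = {
    "active_directory": {"alice": False, "bob": True,  "ctr-dave": False},
    "vpn":              {"alice": True,  "bob": True},              # ctr-dave never had VPN
    "cloud_app":        {"alice": False, "bob": False, "ctr-dave": True},
    "badge":            {"alice": False, "bob": True,  "ctr-dave": True},
}

# Shared service accounts and who currently holds their credentials.
# A leaver cannot be "disabled" out of these; the credential must be rotated.
SHARED_ACCOUNTS = {"svc-backup": ["alice", "ops-team"], "svc-deploy": ["bob"]}

AUDIT_DELAY = timedelta(hours=48)   # the post-departure verification window


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    detail: str
    overdue: bool   # True once the revocation deadline has passed


def revocation_deadline(leaver):
    """Point in time by which all of this leaver's access must be gone.

    Assumed rule: involuntary departures lose access at notification, taken
    here as the start of last_day; everyone else at the end of last_day."""
    day = datetime.strptime(leaver["last_day"], "%Y-%m-%d")
    if leaver["type"] == "involuntary":
        return day
    return day + timedelta(days=1)


def residual_access(leavers, inventories, shared_accounts, as_of):
    """Reconcile the HR leaver list against every inventory; return leftover access."""
    findings = []
    for leaver in leavers:
        user = leaver["user"]
        overdue = as_of >= revocation_deadline(leaver)
        for system, active in inventories.items():
            if active.get(user, False):          # missing user == never had access
                findings.append(Finding(user, system, "account still active", overdue))
        for account, holders in shared_accounts.items():
            if user in holders:
                findings.append(Finding(user, "shared_account",
                                        f"{account}: credential must be rotated", overdue))
    return findings


def audits_due(leavers, as_of):
    """Leavers whose 48-hour post-departure verification should have run by as_of."""
    return sorted(l["user"] for l in leavers
                  if as_of >= revocation_deadline(l) + AUDIT_DELAY)


def leaver_report(leavers, inventories, shared_accounts, as_of_iso):
    """Summarise residual access at a given audit time (ISO 8601 string)."""
    as_of = datetime.fromisoformat(as_of_iso)
    findings = residual_access(leavers, inventories, shared_accounts, as_of)
    return {
        "overdue": sorted({f.user for f in findings if f.overdue}),
        "pending": sorted({f.user for f in findings if not f.overdue}),
        "audits_due": audits_due(leavers, as_of),
        "findings": findings,
    }


if __name__ == "__main__":
    report = leaver_report(HR_LEAVERS, INVENTORIES, SHARED_ACCOUNTS, "2024-03-03T09:00:00")
    for f in report["findings"]:
        status = "OVERDUE" if f.overdue else "pending"
        print(f"{status:8} {f.user:10} {f.system:17} {f.detail}")
    print("48h audits due:", report["audits_due"])
```

Run against the sample data at the constructed audit time, alice (a voluntary leaver two days gone) still has VPN access and a shared-account credential, the contractor still has a cloud application account and a badge, and bob shows up as pending because his involuntary departure has not yet taken effect. The shared-account check is the part most offboarding scripts miss: disabling a personal account does nothing about a password the leaver knows.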
Quick Knowledge Check
- Why should access be revoked simultaneously with dismissal notification for involuntary departures?
Because employees who are dismissed or made redundant have a heightened motive for retaliation or data theft. Any delay between notification and access revocation provides a window for deliberate harm.
- Why is a post-departure audit necessary even when a comprehensive checklist is used?
Because checklists can be incomplete, steps can be missed under time pressure, and some systems may not integrate with the primary identity management platform. A 48-hour post-departure audit catches anything that was overlooked.