Revoke tokens on offboarding
Demonstrate that all authentication tokens associated with departing or role-transitioning personnel are identified and revoked in a timely manner coordinated with offboarding procedures.
Description
What this control does
This control ensures that every authentication token (API key, OAuth access or refresh token, session token, personal access token, service account credential) issued to an employee or contractor is revoked or invalidated when that person is terminated or changes role. It requires integration between HR offboarding workflows and identity and access management systems so that a termination or role change triggers automated or manual token lifecycle actions. Disabling the directory account is not sufficient on its own: tokens that are validated without a live check against the directory (API keys held by a third-party platform, self-contained JWTs, refresh tokens with their own lifetime) keep working until they are explicitly revoked or expire. Tokens left unrevoked give former personnel a working path to access systems, exfiltrate data, or maintain unauthorized persistence.
Control objective
What auditing this proves
Demonstrate that all authentication tokens associated with departing or role-transitioning personnel are identified and revoked in a timely manner coordinated with offboarding procedures.
Associated risks
Risks this control addresses
- Former employees or contractors retain active API keys or personal access tokens that provide continued system access after termination
- Orphaned OAuth tokens in third-party integrations remain valid indefinitely, enabling unauthorized data synchronization or API calls
- Long-lived service account tokens issued to individuals for testing or development are not deprovisioned, creating persistent backdoors
- Session tokens or refresh tokens stored in personal devices or scripts remain functional after account deactivation, bypassing directory-based access controls
- Malicious insiders intentionally generate and exfiltrate tokens prior to departure to maintain covert access for espionage or sabotage
- Delayed or incomplete offboarding allows adversaries who have compromised a departing user's credentials to exploit the window before revocation
- Lack of token inventory during offboarding results in incomplete revocation, leaving shadow access paths through forgotten integrations or automation scripts
Testing procedure
How an auditor verifies this control
- Obtain the organization's offboarding procedure documentation and identify requirements for token revocation across all systems (cloud platforms, SaaS applications, APIs, version control, CI/CD).
- Request a list of all systems and platforms that issue authentication tokens, including API gateways, identity providers, cloud consoles, developer tools, and third-party integrations.
- Select a sample of 10-15 employee or contractor terminations from the past 90 days, ensuring diversity in roles (developers, administrators, external contractors, privileged users).
- For each sampled termination, retrieve the offboarding ticket or workflow record and verify token revocation tasks are documented and completed with timestamps.
- Query token management systems, API platforms, and identity providers to retrieve active token issuance logs and revocation logs for each sampled user during the offboarding period.
- Cross-reference the list of tokens issued to each departed user against revocation records to identify any tokens that remained active beyond the termination date plus the revocation grace period defined in the offboarding procedure (or that were never revoked at all).
- Interview IT or security personnel responsible for offboarding to confirm the process for discovering non-standard tokens (personal access tokens, service accounts under user control, developer CLI tokens).
- Review audit logs from at least two critical systems to verify no API or token-based authentication activity occurred under departed users' accounts after the documented termination date.
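The cross-referencing in the last four steps is mechanical once the issuance, revocation and API audit records are exported, so it is worth scripting rather than eyeballing spreadsheets. The following is an added example, not part of the original control text or any vendor's tooling: it runs the three checks (tokens revoked late or never, tokens minted shortly before departure, token-based activity after termination) over small constructed log extracts. The record layouts, system names, user names and the 24-hour grace period are assumptions chosen for illustration; a real run would read the exported logs of the systems listed in step two.

```python
"""Offboarding token-revocation audit over constructed sample logs.

Cross-references a termination list against token issuance/revocation
records and an API audit log.  All records below are constructed for
this example; the field order and system names are assumptions, not
any vendor's log schema.
"""
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)          # assumed policy: revoke within 24h of termination
PRE_DEPARTURE_LOOKBACK = timedelta(days=7)  # assumed review window for insider risk


def ts(s):
    """Parse an ISO-8601 timestamp (assumed UTC) into an aware datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed HR extract: user -> effective termination time.
TERMINATIONS = {
    "alice": ts("2024-03-01T17:00:00"),
    "bob":   ts("2024-03-05T12:00:00"),
    "carol": ts("2024-03-10T09:00:00"),
}

# Constructed token lifecycle log: (timestamp, user, system, token_id, event).
TOKEN_EVENTS = [
    ("2024-01-10T10:00:00", "alice", "github", "pat-a1", "issued"),
    ("2024-03-01T17:30:00", "alice", "github", "pat-a1", "revoked"),  # 30 min after termination
    ("2024-02-20T09:00:00", "alice", "aws",    "ak-a2",  "issued"),
    ("2024-03-04T08:00:00", "alice", "aws",    "ak-a2",  "revoked"),  # well past the grace period
    ("2024-03-04T23:00:00", "bob",   "okta",   "rt-b1",  "issued"),   # minted the night before departure
    ("2024-03-05T13:00:00", "bob",   "okta",   "rt-b1",  "revoked"),
    ("2024-02-01T11:00:00", "bob",   "gitlab", "pat-b2", "issued"),   # no revocation record at all
    ("2024-02-15T10:00:00", "carol", "github", "pat-c1", "issued"),
    ("2024-03-10T09:05:00", "carol", "github", "pat-c1", "revoked"),
]

# Constructed API audit log: (timestamp, user, system, token_id, action).
API_AUDIT = [
    ("2024-03-01T16:00:00", "alice", "aws",    "ak-a2",  "s3:ListBucket"),
    ("2024-03-03T02:15:00", "alice", "aws",    "ak-a2",  "s3:GetObject"),  # after termination
    ("2024-03-20T14:00:00", "bob",   "gitlab", "pat-b2", "repo.clone"),    # after termination
    ("2024-03-10T08:00:00", "carol", "github", "pat-c1", "repo.read"),     # before termination
]


def audit_token_lifecycle(terminations, events, grace, as_of):
    """Flag tokens of departed users not revoked by termination + grace."""
    issued, revoked = {}, {}
    for t, user, system, tok, ev in events:
        key = (user, system, tok)
        (issued if ev == "issued" else revoked)[key] = ts(t)

    findings = []
    for (user, system, tok), issued_at in issued.items():
        if user not in terminations:
            continue
        deadline = terminations[user] + grace
        rev_at = revoked.get((user, system, tok))
        if issued_at > terminations[user]:
            finding, overdue = "issued after termination", as_of - issued_at
        elif rev_at is None:
            if as_of <= deadline:
                continue  # still inside the grace period; nothing to report yet
            finding, overdue = "never revoked", as_of - deadline
        elif rev_at > deadline:
            finding, overdue = "revoked late", rev_at - deadline
        else:
            continue
        findings.append({"user": user, "system": system, "token": tok,
                         "finding": finding,
                         "overdue_hours": overdue.total_seconds() / 3600})
    return findings


def pre_departure_issuance(terminations, events, lookback):
    """Tokens minted shortly before departure warrant manual review."""
    return [(user, system, tok) for t, user, system, tok, ev in events
            if ev == "issued" and user in terminations
            and terminations[user] - lookback <= ts(t) <= terminations[user]]


def post_termination_activity(terminations, audit):
    """Any token-based API call by a departed user after termination."""
    return [{"user": user, "system": system, "token": tok, "action": action, "at": t}
            for t, user, system, tok, action in audit
            if user in terminations and ts(t) > terminations[user]]


def run_audit(as_of=ts("2024-04-01T00:00:00")):
    """Run all three checks over the constructed extracts."""
    return {
        "unrevoked": audit_token_lifecycle(TERMINATIONS, TOKEN_EVENTS, GRACE, as_of),
        "pre_departure_issuance": pre_departure_issuance(
            TERMINATIONS, TOKEN_EVENTS, PRE_DEPARTURE_LOOKBACK),
        "post_termination_activity": post_termination_activity(TERMINATIONS, API_AUDIT),
    }


if __name__ == "__main__":
    for section, rows in run_audit().items():
        print(section)
        for row in rows:
            print("  ", row)
```

On the constructed data the lifecycle check reports `ak-a2` as revoked 39 hours late and `pat-b2` as never revoked; `rt-b1` is surfaced for review because it was minted within the lookback window before departure; and the audit-log check shows post-termination use of both `ak-a2` and `pat-b2`, which is exactly the evidence step eight asks for. A token that is issued after the termination time is also reported, since that indicates either a still-valid session or a re-enabled account.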
Where this control is tested