When someone leaves a job, there is usually a checklist. Turn in your badge. Return your laptop. Sign some paperwork. What most businesses do not have on that list: a complete accounting of every system that person could log into.
The HR offboarding process and the IT offboarding process are two different things, and they rarely happen at the same time. HR closes the employee file. IT, if they get notified at all, might disable the email account within a day or two. Everything else tends to stay active indefinitely.
What stays open after someone walks out
A person who leaves a job typically has access to more systems than anyone realizes. There is the obvious stuff: email, the main company login, a shared drive. Then there is everything else.
Software tools they signed up for using their work email. Admin access to the company website or social media accounts. Shared passwords they knew from working alongside other team members. Vendor portals where they were the primary contact. Cloud services billed to a company card but accessed through individual accounts tied to their email.
Most of those accounts do not automatically close when someone leaves. They stay open until someone specifically goes in and closes them. Which usually means they stay open indefinitely.
How this goes wrong
The most obvious problem: a former employee who left on bad terms still has access to company email or shared files. They can read what is happening, export client lists, or cause disruption without needing to do anything technical. The access is just there.
Less obvious but more common: the accounts sit there as a security liability. Unused accounts with valid credentials are a common entry point for attackers. If a former employee reused their work password on another service and that service gets breached, the attacker now has valid credentials for your systems. Your environment gets compromised because of a breach somewhere else entirely.
The least obvious: you lose continuity. That person was the account owner for a handful of services. When they leave, nobody can access those accounts, reset passwords, or manage billing. You find out six months later when something stops working and nobody knows how to get into it.
What proper IT offboarding covers
It starts with knowing what access each person has. That sounds obvious, but most businesses do not maintain that list. The process should cover disabling email and primary login accounts on the day someone leaves, removing access to shared drives and internal systems, transferring ownership of any accounts where the person was listed as the admin or billing contact, revoking access to third-party tools, and changing any shared passwords or keys that the person knew.
If someone has admin access to anything – website, cloud services, network equipment – that access should be reviewed and removed the day they leave, not whenever someone gets around to it.
The documentation problem
The reason most businesses discover these gaps the hard way is that they do not have a complete picture of their accounts in the first place. Nobody knows what systems exist, who has access to what, or what would happen if a specific person left tomorrow.
An offboarding checklist only works if you have an onboarding record to work from. When someone joins and gets set up, the accounts created and the access granted should be documented. When they leave, that record is what you work through. Without it, you are relying on memory and hoping nothing important gets missed. Something always does.
Starting from where you are
If you do not have a current list of accounts and access, the first step is building one. Go through your main systems and identify who has accounts. Check for anyone no longer with the company. Check for accounts with admin or elevated access. Check for shared logins where the credentials are known to people who have left.
It takes a few hours and usually turns up more than expected. But it is much easier to address before something goes wrong than after.
If any of this feels familiar, we can take a quick look at your setup and tell you what is actually worth fixing.