How to Offboard an Employee Without Leaving Ghost Access Behind

Disabling an account doesn’t mean access is gone. This step-by-step guide shows how to offboard employees without leaving behind SaaS, OAuth, or cloud access.



Offboarding Is Where Identity Fails Most Often

Most organizations treat offboarding as a checkbox:

  • Disable the IdP account

  • Revoke VPN access

  • Archive email


And on paper, that looks complete.


In reality, former employees often retain access through:

  • SaaS accounts not tied to SSO

  • OAuth tokens granted months or years earlier

  • Third-party integrations they personally authorized

  • Shadow cloud accounts created outside IT


These are ghost identities — access paths that remain active long after employment ends.


Why Ghost Access Exists

Identity governance was built around employee accounts in the IdP. Modern environments run on ecosystems of SaaS apps, OAuth grants, and cloud accounts that sit outside it.


According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • Less than 1% of SaaS accounts enforce MFA

  • 100% of organizations have unauthorized cloud accounts


If offboarding only touches the IdP, it only removes access to the known environment — not the real one.


The 30-Minute Ghost Access Offboarding Checklist

Goal: Ensure no identity — human or delegated — retains access after an employee exits.

This process can be run during any termination or role change.


Step 1 (5 Minutes): Disable the Primary Identity — But Don’t Stop There

Immediately disable:

  • IdP account (Okta, Entra ID, Google Workspace)

  • Email and collaboration tools


This cuts off interactive access — but it does not revoke delegated access.


Treat this as containment, not completion.


Step 2 (5 Minutes): Enumerate OAuth Tokens and App Grants

Export all OAuth grants associated with the user from:

  • Google Workspace

  • Microsoft 365

  • SaaS admin consoles


Look for:

  • File, inbox, or calendar scopes

  • Automation and AI tools

  • CRM or ticketing integrations


OAuth tokens often persist after account disablement and operate without MFA.

CISA’s Secure Cloud Business Applications (SCuBA) guidance explicitly warns that OAuth access can survive user termination: https://www.cisa.gov/secure-cloud-business-applications-scuba

Step 3 (5 Minutes): Identify Non-SSO SaaS Accounts

Cross-check SaaS usage against IdP-managed apps.

Flag:

  • Local accounts created directly in SaaS platforms

  • Accounts tied to personal email addresses

  • Department-managed admin users

If an app isn’t governed by SSO, offboarding won’t touch it automatically.

These are some of the most commonly missed access paths.


Step 4 (5 Minutes): Review External & Shared Identities

Check for:

  • Shared service accounts

  • Departmental admin logins

  • Contractor or agency access provisioned by the employee


Ask:

  • Who owns this identity now?

  • Is it still required?

  • Can it be rotated or revoked?


Unowned identities are the most dangerous kind — no one notices when they’re abused.


Step 5 (5 Minutes): Check for Shadow Cloud Access

Finally, verify whether the employee created or accessed:

  • AWS, Azure, or GCP accounts

  • Cloud projects not registered in central inventory

  • API keys or access tokens


The report found 100% of organizations had at least one unauthorized cloud account — and many are tied to former employees.

These environments often persist indefinitely.
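The enumeration in Steps 2, 3 and 5 is the part of the checklist that can be scripted against the exports the admin consoles already give you. The Python below is an added example, not Waldo Security’s code or any vendor’s API: it assumes you have pulled OAuth grants, SaaS account lists and cloud credential inventories into the flat record shapes shown (the field names are this example’s assumptions), and runs the sweep for one departing identity over constructed sample data. The scope fragments are taken from real Google Workspace and Microsoft Graph scope names; the grouping into mail, files and calendar follows the categories Step 2 tells you to look for.

```python
"""Ghost-access sweep for one departing identity (added example, not Waldo Security's code).
The records stand in for exports from the Google Workspace / Microsoft 365 admin consoles, SaaS
admin consoles and cloud IAM audit logs; their field names are this example's assumptions, not any
vendor's schema, and all sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Lowercased fragments of real Google ("gmail", "drive", "calendar") and Microsoft Graph
# ("Mail.Read", "Files.Read", "Sites.Read", "Calendars") scope names. Grouping them into the
# three categories Step 2 asks for is this example's choice, not a vendor classification.
RISKY_SCOPE_MARKERS = {
    "mail": ("gmail", "mail.read", "mail.send"),
    "files": ("drive", "files.read", "sites.read"),
    "calendar": ("calendar",),
}

def classify_scope(scope: str) -> Optional[str]:
    """Map one OAuth scope string to a data-access category, or None if it carries none."""
    lowered = scope.lower()
    for category, markers in RISKY_SCOPE_MARKERS.items():
        if any(marker in lowered for marker in markers):
            return category
    return None

@dataclass(frozen=True)
class OAuthGrant:
    user: str                # account that consented to the app
    app: str                 # third-party application name
    scopes: Tuple[str, ...]  # scopes granted
    last_used: str           # ISO date from the admin console export

@dataclass(frozen=True)
class SaasAccount:
    app: str
    login: str   # e-mail or username the SaaS platform knows
    sso: bool    # True if the app is federated through the IdP

@dataclass(frozen=True)
class CloudCredential:
    provider: str     # aws / azure / gcp
    principal: str    # IAM user, service account or service principal
    created_by: str   # identity that created it, per the provider's audit log
    active: bool

def find_oauth_exposure(user: str, grants: List[OAuthGrant]) -> List[Dict[str, str]]:
    """Step 2: grants the departing user consented to, tagged with their data-scope categories."""
    findings = []
    for g in grants:
        if g.user.lower() != user.lower():
            continue
        categories = sorted({c for c in map(classify_scope, g.scopes) if c})
        findings.append({"kind": "oauth_grant", "where": g.app, "last_used": g.last_used,
                         "detail": ", ".join(categories) or "no data scopes"})
    return findings

def find_non_sso_accounts(identities: Set[str], accounts: List[SaasAccount]) -> List[Dict[str, str]]:
    """Step 3: SaaS logins under any of the user's e-mails that the IdP does not govern."""
    return [{"kind": "local_saas_account", "where": a.app, "detail": a.login}
            for a in accounts if a.login.lower() in identities and not a.sso]

def find_cloud_exposure(identities: Set[str], creds: List[CloudCredential]) -> List[Dict[str, str]]:
    """Step 5: still-active cloud principals the user either is or personally created."""
    return [{"kind": "cloud_credential", "where": f"{c.provider}:{c.principal}",
             "detail": f"created by {c.created_by}"}
            for c in creds
            if c.active and (c.created_by.lower() in identities or c.principal.lower() in identities)]

def ghost_access_report(user, personal_emails, grants, accounts, creds) -> List[Dict[str, str]]:
    """Everything still reachable by this person after the IdP account has been disabled."""
    identities = {user.lower(), *(e.lower() for e in personal_emails)}
    return (find_oauth_exposure(user, grants)
            + find_non_sso_accounts(identities, accounts)
            + find_cloud_exposure(identities, creds))

# Constructed sample exports for one departing user.
SAMPLE_USER = "j.doe@example.com"
SAMPLE_PERSONAL = ["jdoe.personal@example.net"]
SAMPLE_GRANTS = [
    OAuthGrant(SAMPLE_USER, "Notes AI Assistant", ("https://www.googleapis.com/auth/drive.readonly",
               "https://www.googleapis.com/auth/gmail.readonly", "openid", "email"), "2025-01-14"),
    OAuthGrant(SAMPLE_USER, "Calendar Scheduler", ("Calendars.ReadWrite", "User.Read"), "2024-06-02"),
]
SAMPLE_SAAS = [
    SaasAccount("Design Tool", SAMPLE_USER, sso=True),       # federated: the IdP disable covers it
    SaasAccount("Survey Platform", SAMPLE_USER, sso=False),  # local account under the corporate e-mail
    SaasAccount("Analytics Dashboard", "jdoe.personal@example.net", sso=False),  # personal e-mail
]
SAMPLE_CLOUD = [
    CloudCredential("aws", "j.doe", SAMPLE_USER, active=True),
    CloudCredential("gcp", "etl-runner@example-proj.iam.gserviceaccount.com", SAMPLE_USER, active=True),
    CloudCredential("azure", "deploy-sp", "a.smith@example.com", active=True),  # someone else's
    CloudCredential("aws", "j.doe-old", SAMPLE_USER, active=False),             # already deactivated
]

if __name__ == "__main__":
    for f in ghost_access_report(SAMPLE_USER, SAMPLE_PERSONAL, SAMPLE_GRANTS, SAMPLE_SAAS, SAMPLE_CLOUD):
        print(f"{f['kind']:<20} {f['where']:<55} {f['detail']}")
```

Run as-is, the sweep reports six findings for the sample user: two OAuth grants still holding file, mail and calendar scopes, two SaaS logins the IdP never governed (one under a personal address), and two active cloud principals the user created, while the federated SaaS login, the other employee’s credential and the already-deactivated key are correctly left out. Each line of the report is something to revoke, rotate or reassign before the offboarding ticket is closed; the same functions can be re-run later against fresh exports to confirm nothing has come back.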


What Most Teams Discover

After running this checklist, teams almost always find:

  • OAuth tokens still syncing data

  • SaaS admin access outside IT

  • External collaborators tied to ex-employees

  • Cloud resources no one owns


None of this shows up in traditional offboarding workflows — but all of it matters.


Why Compliance Depends on Getting This Right

Frameworks like the NIST Privacy Framework and ISO/IEC 27001 require:

  • Complete access revocation

  • Accountability across systems

  • Evidence of enforcement


Ghost access breaks all three.

Auditors don’t care that the employee left — they care that access didn’t.


From Manual Cleanup to Continuous Offboarding

Manual offboarding works once. Modern environments change too fast for it to scale.


Waldo Security’s SaaS & Cloud Discovery Engine helps teams:

  • Discover SaaS and cloud access tied to each identity

  • Surface OAuth tokens and delegated permissions

  • Identify non-SSO accounts and shadow environments

  • Continuously validate that offboarded identities stay revoked


This turns offboarding from a one-time task into a persistent control.

Conclusion: Leaving Is Easy. Leaving Cleanly Is Hard.

Disabling an account feels final — but it rarely is.

In identity-driven environments, access doesn’t disappear unless it’s explicitly revoked everywhere.

If identity is the new perimeter, offboarding is where that perimeter is most likely to fail.

👉 See how organizations are eliminating ghost access across SaaS and cloud environments in the 2025 SaaS & Cloud Discovery Report.

About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By exposing ghost access, unmanaged OAuth permissions, and shadow environments, Waldo enables security teams to enforce identity-centric controls with confidence.
