The “Retired” Engineer and the Documents That Kept Syncing
- Martin Snyder
A true-to-life SaaS security story: how a retired engineer’s cloud access lived on long after offboarding — and what it reveals about unseen identity risks in modern organizations.

The Incident That Started with a Goodbye
When the senior engineer left the company, everything looked clean on paper. HR closed the ticket. IT deactivated the Okta account. A farewell message went out on Slack.
But three months later, the security team noticed something strange: shared folders in a product-development workspace were still updating. Dozens of confidential design files showed recent activity from an external user.
The username? The same engineer — now retired.
The Invisible Thread
The investigation revealed what many organizations quietly face every day: an identity that never really left.
The engineer had linked several personal tools to corporate data through OAuth and direct integrations — a note-taking app, a project sync service, and an AI code assistant.
When the identity provider account was deleted, those third-party connections remained active, continuing to sync files through persistent tokens.
No password reuse.
No intentional wrongdoing.
Just a visibility gap that compliance and IAM policies never covered.
Why This Keeps Happening
Identity boundaries used to be simple — one directory, one user, one account. Today, that boundary extends across hundreds of SaaS apps and cloud integrations that rarely report back to IT.
According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:
- 97 % of SaaS apps are unknown to IT.
- < 1 % of accounts enforce MFA.
- 1 % of SaaS apps use OAuth, and < 0.2 % request high-risk scopes like inbox or file access.
These tokens often outlive the identities that created them, creating silent data pathways long after offboarding.
This problem sits at the intersection of Shadow IT and Shadow Identity — two sides of the same blind spot.
OAuth: The Quiet Link That Never Dies
OAuth tokens are designed for convenience. They allow users to authorize one app to access another without sharing passwords. But that convenience hides risk: Once a token is granted, it persists until explicitly revoked.
In the case of the retired engineer, no internal system tracked third-party OAuth connections. When HR marked the employee as “inactive,” the linked cloud apps didn’t get the memo — because they were never enrolled in the identity provider to begin with.
CISA’s Secure Cloud Business Applications (SCuBA) framework highlights this exact scenario, warning that unmanaged OAuth grants “can persist beyond user tenure and remain active within critical business environments.”
Compliance Isn’t Enough Without Visibility
Security teams often assume compliance frameworks like ISO 27001 or the NIST Privacy Framework cover these risks by requiring account deprovisioning.
But those controls only apply to systems the organization knows about.
OAuth-linked and shadow SaaS accounts typically sit outside official inventories. This makes them invisible to audit evidence, incident response, and even SIEM detection.
An auditor can confirm user accounts were closed.
They can’t confirm that every token tied to those users stopped syncing data.
How to Close the Loop
The retired engineer story isn’t a failure of tools — it’s a failure of discovery. You can’t revoke what you don’t know exists.
A mature offboarding process should include:
- SaaS & OAuth Enumeration: Identify every app with delegated access to corporate tenants.
- Token Expiration Audits: Regularly expire or rotate API and OAuth tokens.
- Automated Offboarding Triggers: Integrate HR events with identity systems and SaaS governance platforms.
- Continuous Monitoring: Track new OAuth connections in real time.
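To make the four steps above concrete, here is an added example (not code from the article or from Waldo Security) of the reconciliation logic an offboarding job would run. It assumes three inputs that are constructed inline for the example: an export of third-party OAuth grants from the SaaS tenants, the set of identities the identity provider has deactivated, and a few key=value activity log lines in a made-up format. It builds a revocation plan that lists every grant whose owner no longer exists in the IdP (the "retired engineer" case), adds non-expiring tokens that have gone idle past a threshold, and flags file activity performed by deactivated identities so the gap is visible to monitoring rather than discovered three months later.

```python
"""Orphaned OAuth grant reconciliation for offboarding (constructed example, not Waldo's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Scope name fragments treated as high risk, following the article's "inbox or file access".
HIGH_RISK_SCOPE_HINTS = ("mail", "drive", "file")


@dataclass(frozen=True)
class OAuthGrant:
    app: str                        # third-party app holding the token
    user: str                       # identity that authorized the grant
    scopes: tuple                   # granted scopes (constructed names)
    last_used: datetime             # last time the token touched tenant data
    expires_at: Optional[datetime]  # None: persists until explicitly revoked


def is_high_risk(scopes):
    """True if any scope reaches mail or file contents."""
    return any(h in s.lower() for s in scopes for h in HIGH_RISK_SCOPE_HINTS)


def find_orphaned_grants(grants, deactivated_users):
    """Grants whose owner the IdP has deactivated, riskiest first."""
    orphaned = [g for g in grants if g.user.lower() in deactivated_users]
    # Sort: high-risk scopes first, then tokens that never expire, then by app name.
    return sorted(orphaned, key=lambda g: (not is_high_risk(g.scopes), g.expires_at is not None, g.app))


def stale_nonexpiring_grants(grants, now, max_idle_days=90):
    """Non-expiring tokens that have not been used within max_idle_days (expiration audit)."""
    cutoff = now - timedelta(days=max_idle_days)
    return [g for g in grants if g.expires_at is None and g.last_used < cutoff]


def revocation_plan(grants, deactivated_users, now, max_idle_days=90):
    """Map app -> [(user, reason)] that the offboarding job must revoke."""
    plan = {}
    for g in find_orphaned_grants(grants, deactivated_users):
        plan.setdefault(g.app, []).append((g.user, "owner deactivated"))
    for g in stale_nonexpiring_grants(grants, now, max_idle_days):
        entries = plan.setdefault(g.app, [])
        if not any(u == g.user for u, _ in entries):
            entries.append((g.user, "non-expiring token idle"))
    return plan


def parse_activity_line(line):
    """Parse the constructed '<iso-ts> key=value ...' log format used below."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def activity_by_deactivated_users(lines, deactivated_users):
    """Return (ts, actor, app, action, path) for every event by a deactivated identity."""
    hits = []
    for line in lines:
        ev = parse_activity_line(line)
        if ev["actor"].lower() in deactivated_users:
            hits.append((ev["ts"], ev["actor"], ev["app"], ev["action"], ev["path"]))
    return hits


# --- constructed sample inputs (hypothetical users, apps and scope names) ---
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)
DEACTIVATED = {"retired.engineer@example.com"}  # as exported from the IdP
GRANTS = [
    OAuthGrant("notes-app", "retired.engineer@example.com", ("drive.readonly",), NOW - timedelta(days=2), None),
    OAuthGrant("project-sync", "retired.engineer@example.com", ("files.readwrite",), NOW - timedelta(days=1), None),
    OAuthGrant("ai-code-assistant", "retired.engineer@example.com", ("repo.read",), NOW - timedelta(days=120), NOW + timedelta(days=30)),
    OAuthGrant("calendar-widget", "current.staff@example.com", ("calendar.read",), NOW - timedelta(days=200), None),
    OAuthGrant("hr-portal", "current.staff@example.com", ("profile",), NOW - timedelta(days=3), NOW + timedelta(days=10)),
]
ACTIVITY = [
    "2025-03-30T09:14:02Z actor=retired.engineer@example.com app=project-sync action=file.sync path=/product-dev/design-v7.fig",
    "2025-03-30T09:15:11Z actor=current.staff@example.com app=project-sync action=file.sync path=/product-dev/roadmap.md",
    "2025-03-31T18:02:45Z actor=retired.engineer@example.com app=notes-app action=file.read path=/product-dev/specs/api.md",
]

if __name__ == "__main__":
    for app, entries in revocation_plan(GRANTS, DEACTIVATED, NOW).items():
        for user, reason in entries:
            print(f"REVOKE {app:<18} {user:<32} {reason}")
    for ts, actor, app, action, path in activity_by_deactivated_users(ACTIVITY, DEACTIVATED):
        print(f"ALERT  {ts.isoformat()} {actor} via {app}: {action} {path}")
```

The grant inventory is the part most organizations lack: the IdP export is easy, but the list of third-party grants has to come from each SaaS tenant's admin API or from a discovery tool, which is why the article frames the problem as one of discovery. Wiring the plan to actual revocation calls is tenant-specific and intentionally left out here.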
The CISA Zero Trust Maturity Model calls this principle “dynamic identity verification.” Every connection — user, app, or API — must prove it still deserves trust.
Lessons from the “Retired” Engineer
- Identity governance doesn’t stop at SSO. OAuth and API integrations are part of your identity plane.
- Offboarding is a process, not an event. Access revocation must cascade through every connected service.
- Discovery is the foundation of Zero Trust. You can’t validate what you can’t see.
Conclusion: Offboard Once, Verify Forever
The retired engineer wasn’t malicious — but the system’s blind spot was. His story isn’t unique. It’s a preview of how every untracked OAuth connection, unmanaged SaaS account, or forgotten cloud tenant keeps data exposure alive.
In the modern SaaS ecosystem, offboarding ends only when visibility does.
👉 See how other organizations are tackling SaaS and Cloud Discovery challenges in the 2025 Waldo Security Report.
About Waldo Security
Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating Shadow IT, unmanaged identities, and OAuth risk, Waldo enables CISOs and security leaders to strengthen compliance and identity governance across their entire SaaS footprint.
