Offboarding is one of those processes that no one enjoys, yet it’s one of the most critical security measures a company can implement. In a world where data breaches and insider threats are becoming more common, failing to properly revoke access for departing employees can leave dangerous security gaps, sometimes in unexpected ways.
The mystery of the ghost user
A few weeks ago, while setting up a new AWS user, I stumbled upon an unexpected surprise: an active AWS account belonging to someone who had left the company months ago. Even more alarming, its API key showed daily usage.
I immediately disabled the account and started investigating. Who was using it? What were they accessing? Was this a security breach, or something else entirely?
Almost as if on cue, I received a message from one of our data engineers. "Hey, can we jump on a quick call? Something broke."
It didn’t take long to connect the dots. The "ghost" API key belonged to the deactivated user, but the data engineer had been using it for some automated processes. No one had properly revoked access or reassigned credentials, and everyone assumed someone else had done it.
This raised a bigger question: If this API key was still active, what else had we forgotten?
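The check that would have surfaced this key much earlier is a routine comparison of IAM access keys against the list of people who have left. The script below is an added example, not code from the original post: it reads key records in the shape that boto3's iam.list_access_keys (UserName, AccessKeyId, Status) and iam.get_access_key_last_used (LastUsedDate, ServiceName) return, joins them with an offboarding roster, and reports any key that is still active or was used after the owner's departure date. The user names, key ids, dates and the OFFBOARDED roster are constructed placeholders; in production, KEYS would be populated from those API calls and OFFBOARDED from HR or the offboarding tickets.

```python
"""Audit AWS IAM access keys against an offboarding roster.

Added example, not code from the original post. The key records are
constructed to mirror the fields returned by boto3's
iam.list_access_keys (UserName, AccessKeyId, Status) and
iam.get_access_key_last_used (LastUsedDate, ServiceName); in production
you would populate KEYS from those calls instead of the sample below.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Finding:
    user: str
    access_key_id: str
    severity: str  # "high" or "low"
    reason: str


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (fake user names and key ids). OFFBOARDED maps a
# user name to the date the person left; it would normally come from HR or
# the offboarding ticket rather than being hard-coded.
KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active",
     "LastUsedDate": utc(2025, 3, 12), "ServiceName": "s3"},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active",
     "LastUsedDate": utc(2025, 3, 11), "ServiceName": "athena"},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Inactive",
     "LastUsedDate": utc(2024, 5, 20), "ServiceName": "ec2"},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE0000004", "Status": "Active",
     "LastUsedDate": None, "ServiceName": None},  # created but never used
]
OFFBOARDED = {"bob": utc(2024, 11, 1), "carol": utc(2024, 6, 1)}


def audit_access_keys(keys, offboarded):
    """Return findings for every key that belongs to an offboarded user.

    A key that is still Active, or that was used after the departure date,
    is high severity: that is the "ghost" key scenario. An Inactive key that
    was never deleted is low severity but still listed, because it can be
    re-enabled with a single API call.
    """
    findings = []
    for key in keys:
        user = key["UserName"]
        left_on = offboarded.get(user)
        if left_on is None:
            continue  # current employee; outside the scope of this check
        key_id = key["AccessKeyId"]
        if key["Status"] == "Active":
            findings.append(Finding(user, key_id, "high",
                                    f"active key on user offboarded {left_on.date()}"))
        else:
            findings.append(Finding(user, key_id, "low",
                                    "inactive key not yet deleted"))
        last_used = key.get("LastUsedDate")
        if last_used is not None and last_used > left_on:
            findings.append(Finding(user, key_id, "high",
                                    f"used on {last_used.date()} via {key['ServiceName']}, "
                                    f"after departure on {left_on.date()}"))
    return findings


def summarize(findings):
    """Count findings per user and severity, e.g. {"bob": {"high": 2}}."""
    summary = {}
    for f in findings:
        summary.setdefault(f.user, {}).setdefault(f.severity, 0)
        summary[f.user][f.severity] += 1
    return summary


if __name__ == "__main__":
    for f in audit_access_keys(KEYS, OFFBOARDED):
        print(f"[{f.severity}] {f.user} {f.access_key_id}: {f.reason}")
```

Run on a schedule, this turns "what else had we forgotten?" into a report: a key used after its owner's departure date is the strongest signal, because it means someone (a pipeline, a teammate, or an outsider) still holds the secret and the only remaining step is to find out which.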
The ghosts of access past
Offboarding gaps don’t just lead to operational hiccups, they can have legal and compliance implications as well.
During a technical due diligence audit, I saw this play out in an even more concerning way. A company was splitting into two, with one of its products being transferred to the new entity. The audit focused heavily on ensuring there were no operational or technical dependencies between the two, and that the intellectual property transfer was handled correctly.
Everything seemed in order, until I got an unexpected surprise.
As part of the transition, I was invited to the company’s Asana workspace. When the invitation email arrived, it cheerfully announced: "You have been added to a team. Team members are: X, Y, Z." But instead of active employees, the first names staring back at me were offboarded employees. People who had left months ago.
A quick check confirmed that these former employees still had access to the product roadmap and code repositories. That’s not exactly the kind of discovery you want to make during an IP audit. Had this gone unnoticed, it could have led to serious legal and security consequences, with lingering access putting the integrity of the IP transfer at risk.
Once flagged, the company scrambled to revoke the permissions, but the situation underscored a major weakness: offboarding wasn’t being handled systematically.
Offboarding needs more than good intentions
These weren’t isolated mistakes. Many companies lack a structured offboarding checklist, leaving security vulnerabilities hidden in plain sight. Below are the three questions I get asked most often.
Q: How can I tailor the offboarding process to my company?
The offboarding process isn’t one-size-fits-all. It needs to be adapted based on company size, industry, compliance requirements, and the complexity of the tech stack. However, every company, no matter how big or small, benefits from a standardised, shared checklist that ensures consistency and accountability.
Why standardisation matters
As companies grow, they inevitably introduce new tools, new permissions, and new workflows. Without a structured process, offboarding quickly becomes a patchwork of manual steps and forgotten accounts. A standardised checklist ensures that:
- Every necessary action is documented and executed rather than relying on ad hoc decisions.
- Security risks are minimised by systematically revoking access across all tools and platforms.
- The process remains scalable; as new tools and workflows are added, they can be seamlessly integrated into the checklist.
Why offboarding must be shared
Offboarding is typically fragmented across multiple systems and teams. Permissions aren’t always neatly documented, and access tends to accumulate over time across cloud platforms, repositories, and third-party tools. As a result, offboarding becomes a chore that multiple people have to help with.
- HR: Disables corporate email and HR system access, revokes benefits-related accounts.
- IT/Security: Deactivates Single Sign-On (SSO) accounts, revokes VPN access, and disables cloud accounts.
- Team Leads: Ensure department-specific tools (e.g., GitHub, Jira, Notion) are deactivated.
- DevOps & Engineering: Rotate shared credentials and API keys, and remove personal access tokens.
Without a shared, well-documented process, critical revocation steps can easily be missed. What starts as a minor oversight can silently evolve into a serious security liability, remaining unnoticed for months or even years.
Why a checklist is essential
Offboarding is often treated as an afterthought because it doesn’t offer an immediate benefit. When onboarding a new hire, there’s urgency—people need access to start working. Offboarding, on the other hand, feels like a routine task with no visible payoff. However, what seems like a minor oversight today can turn into a major security risk tomorrow. A documented checklist makes the process:
- Consistent: No steps are skipped due to human error.
- Scalable: As the company grows, new actions can be added systematically.
- Auditable: If an incident occurs, you have a record of what was done and by whom.
Where to start?
A simple but effective method is to reverse-engineer your onboarding process:
- List every system, tool, and asset provided during onboarding.
- Identify who controls access to each (IT, HR, team leads, external providers).
- Create a step-by-step revocation process with clear ownership.
- Implement tracking (e.g., a ticketing system, automated workflows) to ensure accountability.
By treating offboarding with the same level of structure and urgency as onboarding, you close security gaps, stay compliant, and prevent the lingering access issues that so many companies unknowingly leave behind.
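The four steps above can be expressed as a small amount of code, which is useful once the inventory is large enough that a spreadsheet stops being trustworthy. The following is an added example, not the post's own process or any tool it mentions: the onboarding inventory maps each system to the team that owns its revocation (steps 1 and 2), the checklist builder refuses to start if any system has no owner (the "everyone assumed someone else had done it" failure), and each completed task records who did it and when (steps 3 and 4). The system names and owning teams are constructed placeholders; a real inventory would be exported from the SSO provider, cloud accounts and the onboarding template.

```python
"""Offboarding checklist derived from the onboarding inventory.

Added example, not from the original post. The systems and owning teams
below are constructed placeholders; a real inventory would be exported
from the SSO provider, cloud accounts and the onboarding template.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Task:
    system: str
    owner: str
    done_by: Optional[str] = None
    done_at: Optional[datetime] = None

    @property
    def done(self):
        return self.done_at is not None


# Steps 1 and 2: every system granted at onboarding, mapped to the team that
# controls access to it. None means nobody has been assigned yet.
ONBOARDING_INVENTORY = {
    "corporate email": "HR",
    "SSO (Okta)": "IT/Security",
    "VPN": "IT/Security",
    "AWS IAM user": "Security",
    "GitHub org": "Team Lead",
    "Jira": "Team Lead",
    "shared deploy API key (rotate)": "DevOps",
    "bastion SSH key": None,  # constructed gap: no owner recorded
}


def build_checklist(inventory):
    """Step 3: one revocation task per system, each with a single owner.

    Refuses to start if any system has no owner, because an unowned task
    is the one that silently never gets done.
    """
    unowned = sorted(system for system, owner in inventory.items() if not owner)
    if unowned:
        raise ValueError(f"no owner assigned for: {', '.join(unowned)}")
    return [Task(system, owner) for system, owner in inventory.items()]


def mark_done(checklist, system, actor, when=None):
    """Step 4: record who revoked what and when, giving an audit trail."""
    for task in checklist:
        if task.system == system:
            task.done_by = actor
            task.done_at = when or datetime.now(timezone.utc)
            return task
    raise KeyError(f"{system!r} is not on the checklist")


def outstanding(checklist):
    """Open tasks grouped by owner: the list to chase before closing the ticket."""
    by_owner = {}
    for task in checklist:
        if not task.done:
            by_owner.setdefault(task.owner, []).append(task.system)
    return by_owner


if __name__ == "__main__":
    inventory = dict(ONBOARDING_INVENTORY, **{"bastion SSH key": "DevOps"})
    checklist = build_checklist(inventory)
    mark_done(checklist, "VPN", "it-oncall")
    for owner, systems in outstanding(checklist).items():
        print(f"{owner}: {', '.join(systems)}")
```

The ValueError on an unowned system is deliberate: the cheapest time to discover that nobody owns "bastion SSH key" is when the inventory is written, not months after the person has left.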
Q: How would you set up an offboarding checklist?
Choose a documentation or ticketing system
Most companies already use documentation tools (e.g., Notion, Confluence, OneNote) or ticketing systems (e.g., Jira, Asana, ServiceNow) for internal processes. These platforms allow you to create templates that ensure every offboarding follows the same structured approach.
- Documentation tools:
  - Best suited for smaller teams or companies without complex IT workflows.
  - Allow you to track and document every offboarding in a database format.
  - Provide a clear record of completed tasks and outstanding actions.
- Ticketing systems:
  - Ideal for companies with formal IT helpdesk or HR workflows.
  - Enable automated task assignments and SLA tracking.
  - Integrate with SSO and identity management tools for streamlined access revocation.
Create an offboarding template
Regardless of the platform, the key is to create a repeatable checklist that standardises every offboarding.
For example, in Notion, you can:
- Create a database to store all offboarding entries.
- Define a template with required actions, categorised by responsibility:
  - HR actions: Disable payroll, benefits, and internal HR system accounts.
  - IT actions: Remove from Active Directory/SSO, disable email, and revoke VPN access.
  - Security actions: Remove access to AWS, GitHub, or other cloud platforms.
  - Team-specific actions: Remove from Slack, Notion, and project management tools.
  - Infrastructure actions (if applicable): Rotate shared API keys and disable personal SSH keys.
- Assign each task to the relevant team or individual.
- Track progress with timestamps or status updates for each step.
Q: How do you perform an exit interview?
First, it’s important to note that an exit interview is not the same as a termination meeting. The termination meeting is where the company informs the employee of their layoff or dismissal, discusses severance details, and collects company property. The exit interview happens later, often on the employee’s last day (or even after departure in some cases), and is designed to gather feedback, not deliver bad news.
Voluntary resignation vs. layoff: two different conversations
A voluntary departure is often an opportunity for open, constructive dialogue. These exit interviews tend to feel like a "parting love letter"—a moment for the employee to share insights about their experience, offer praise, and suggest improvements.
- Approach: Keep the tone warm, appreciative, and reflective.
- Key questions:
  - What motivated your decision to leave?
  - What did you like most about working here?
  - What challenges did you face, and how could they be addressed?
  - Would you consider returning in the future?
- Key takeaways:
  - Employees leaving on good terms are often willing to provide helpful insights that can improve retention strategies.
  - They may also become valuable advocates, or even return as a "boomerang hire" later on.
On the other hand, layoff exit interviews tend to be awkward and defensive for both sides. Unlike resignations, layoffs are rarely about performance; they often stem from business decisions, restructuring, or financial difficulties.
- Approach: The goal is to maintain dignity, empathy, and professionalism.
- Key considerations:
  - Keep the discussion short, clear, and professional; this is not the time for probing feedback.
  - Focus on providing the necessary logistical support (severance details, references, career assistance).
  - Avoid corporate jargon or sugarcoating; employees appreciate honesty.
  - If an employee was terminated for cause, an exit interview may not even be appropriate. In such cases, it's often better to focus on completing offboarding swiftly and professionally rather than trying to collect feedback.
- Key takeaways:
  - Laid-off employees may still be valuable contacts in the industry; handle departures with respect.
  - Clear communication prevents misunderstandings and reputational damage.
Best practices for any exit interview
Regardless of how an employee is leaving, a well-structured exit interview should:
- Choose a neutral, private setting
  - Conduct the interview in a private meeting room or via a secure video call for remote employees.
  - Avoid group settings or high-traffic areas where the employee may feel uncomfortable sharing honest feedback.
- Have the right person conduct the interview
  - HR or an unbiased third party is often best; employees may not feel comfortable being fully honest with their direct manager.
  - If the manager must conduct it, they should frame it as a learning opportunity, not a performance review.
  - In cases of layoffs, ensure the interviewer is trained in handling sensitive discussions with empathy.
- Keep the conversation structured and constructive
  - Use a prepared set of open-ended questions to guide the discussion (e.g., “What could we have done better?” instead of “Were you happy here?”).
  - Avoid making it personal; don’t ask about workplace gossip, specific conflicts, or emotions surrounding their departure.
  - If the employee starts venting, acknowledge their feelings but redirect them toward actionable feedback.
- Make participation voluntary
  - Give the employee the option to skip or provide feedback later via a survey.
  - If they decline, respect their decision; forcing participation can turn the conversation defensive.
  - Consider offering a follow-up exit survey for sensitive departures (e.g., layoffs, terminations).
- End on a positive note
  - Thank them for their contributions and wish them well in their next role.
  - If appropriate, offer to stay connected for networking opportunities.
  - Summarise key takeaways and explain how their feedback will be used to improve the company.
Why it matters
Exit interviews aren’t just a formality; they provide critical insights into workplace culture, management, and potential areas for improvement. If done correctly, they can help a company retain employees longer, improve internal processes, and maintain a positive reputation—even when parting ways isn’t ideal.
Closing thoughts: offboarding is a security process, not just an HR task
Offboarding is often seen as a routine HR process, but as we’ve explored, it’s much more than that; it’s a critical security measure, a compliance necessity, and a way to maintain a company’s reputation.
Poor offboarding can lead to lingering access, legal risks, and operational disruptions, as seen in the real-world cases of "ghost" API keys and former employees retaining access to sensitive information. On the flip side, a well-structured offboarding process:
- Prevents security vulnerabilities by systematically revoking access.
- Ensures compliance with regulations like GDPR, HIPAA, and SOC 2.
- Reduces operational risks by preventing breakages from orphaned accounts.
- Creates a better experience for both departing employees and those who remain.
Ultimately, offboarding is an investment in security and operational efficiency. Whether through a shared checklist, automated access revocation, or structured exit interviews, companies that take offboarding seriously avoid costly mistakes and strengthen their organisation in the long run.
Is your offboarding process truly airtight? If not, now is the time to fix it before you discover a ghost user of your own.