Your Ex-Employees Probably Still Have Access to Everything
Most companies never fully revoke access when someone leaves. Here's why it happens and how to fix it before it costs you.
Here's a scenario. You laid someone off last month. HR handled the conversation. Their manager said goodbye. Everyone moved on.
But right now, that person can still log into your Notion workspace. They can read every message in your customer Slack channels. They have access to a shared 1Password vault with credentials for your production database. And they're still listed as an editor on your company's Figma files.
Nobody knows. Nobody checked.
This is normal
40% of ex-employees retain access to corporate applications after leaving. That's not a stat from some obscure survey. It's consistent across multiple studies, year after year.
The number is probably higher for remote companies. In an office, the physical act of leaving triggers a process. Badge collected. Laptop returned. Someone in IT gets a ticket. Remote departures have no such trigger. The person closes their laptop at home and, unless someone runs through a checklist, their digital access stays active.
I've audited companies that had ex-employees with active accounts six months, twelve months, even two years after leaving. Not because anyone was malicious. Just because nobody thought to check.
Why it happens
Three reasons, always the same.
No process. There's no offboarding checklist. When someone leaves, whoever is closest to the situation handles it ad hoc. They remember Slack and email. They forget everything else.
No single source of truth. You don't have a list of every tool an employee has access to. Even if you tried to revoke everything, you'd miss tools you didn't know they were using. Shadow IT is real, especially in remote teams.
Tools that don't connect to SSO. Even companies with SSO still have apps that use standalone logins. Figma with a personal account. A Notion workspace invited by email. A Miro board shared via link. These don't get disabled when you suspend the SSO account.
The real risks
"They probably won't do anything" is not a security strategy. Here's what can actually happen.
Data theft. A departing employee downloads your customer list, your pricing strategy, your product roadmap, or your codebase. This happens more often than companies realize, especially in competitive industries.
Competitive intelligence. They join a competitor and still have access to your internal communications. Every strategic decision you discuss is visible to them. You'd never know unless they slip up.
Accidental access. Not everyone with lingering access has bad intentions. But accidental access is still a liability. If a former employee reads a confidential document they shouldn't have access to, you have a data handling problem regardless of intent.
Compliance failure. Regulatory frameworks (SOC 2, HIPAA, GDPR) require timely access revocation when employment ends. Auditors check this. Failing it can mean fines, failed audits, or lost customers who require you to be compliant.
Account compromise. An ex-employee's account is an unmonitored account. If their credentials get compromised through a breach at another service (and credential reuse is extremely common), an attacker could use those credentials to access your tools. Nobody on your team would notice because nobody is watching that account.
The tools that are hardest to catch
The obvious tools get handled: email, Slack, the main project management app. It's the less obvious ones that stay active.
Personal Notion accounts. If someone was invited to your Notion workspace using their personal email, disabling their company account doesn't remove their Notion access. They can still log in with their personal credentials.
Figma. Figma licenses are tied to email addresses, and many teams invite people using personal emails or allow Google SSO with personal accounts. Disabling the company email doesn't necessarily revoke Figma access.
Miro, Whimsical, and other whiteboard tools. Often shared via link or personal account invitations. Not connected to SSO. Easy to forget.
Shared Dropbox or Google Drive folders. External sharing links persist after the person leaves. They bookmarked the link. It still works.
Chrome extensions with company data. A browser extension with access to your CRM, analytics, or internal tools doesn't get revoked when you disable an account. It keeps running until the person manually removes it.
Saved passwords in personal browsers. If an employee saved company passwords in their personal Chrome profile (not in your password manager), those passwords persist on their personal device after departure. You can't remotely remove them.
API keys and tokens. Developer tools, CI/CD pipelines, and third-party integrations often use personal API tokens. These don't expire when an employee leaves unless someone rotates them.
Customer-facing tools. If the departing employee had access to customer environments, partner portals, or vendor dashboards, those usually have separate credentials that need individual revocation.
How to fix it
There's no magic tool that solves this completely. But a combination of three things gets you close.
SSO as the kill switch
Get as many tools as possible behind SSO. When someone leaves, you disable their SSO account and they lose access to every connected app automatically. This doesn't catch everything (see the list above), but it handles the majority of your tools in one action.
For any tool that doesn't support SSO, enforce login through the company email. At least then, disabling the email account blocks the "forgot password" recovery path.
A real offboarding checklist
Build a comprehensive offboarding checklist that covers every tool, every access point, and every credential. Break it into phases: immediate (within 15 minutes), same day, and within one week.
The checklist should be specific. Not "revoke access" but "disable SSO account, remove from Slack, rotate shared credentials in the marketing 1Password vault, transfer ownership of their Google Drive files to their manager."
Assign one person to execute it every time. Don't distribute the responsibility across multiple people. That's how steps get skipped.
Quarterly access reviews
Even with a solid offboarding process, things slip through. Once a quarter, pull the user list from every critical tool and compare it against your current employee roster.
You'll almost certainly find orphaned accounts. Ex-employees. Contractors whose engagement ended months ago. Trial accounts that were never cleaned up.
Fix what you find. Document what you changed. Do it again next quarter.
Start today
Here's the minimum you can do right now, today, in less than an hour:
- Pull a list of active users from your top 10 tools. Slack, Google Workspace, Notion, Figma, 1Password, and whatever else your team uses daily.
- Compare against your current employee list. Anyone who shows up in the tool list but not the employee list needs to be investigated and likely removed.
- Check shared credentials. Open your password manager's shared vaults. Are there entries that a departed employee had access to? Rotate those passwords.
That's it. Three steps. One hour. You'll probably find something.
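As an added example (not part of the original post and not any vendor's code), here is a small Python access-review script of the kind the quarterly review and the three steps above describe: it takes constructed user exports from several tools, normalises the addresses, compares them with an HR roster, and flags accounts belonging to departed staff, contractors past their end date, or addresses HR has never seen, including the personal-email invites that suspending the company account never touches. The tool names, sample addresses, roster columns and the example.com domain are assumptions.

```python
import csv
from datetime import date

# Constructed sample data (not a real company): the member lists you would pull from each tool.
ROSTER_CSV = """email,status,end_date
alice@example.com,active,
bob@example.com,departed,2024-03-15
carol@example.com,contractor,2024-01-31
dave@example.com,active,
"""
TOOL_EXPORTS = {
    "slack": "email\nalice@example.com\nBob@Example.com\ndave@example.com\n",
    "notion": "email\nalice@example.com\nbob.personal@gmail.com\ndave@example.com\n",
    "figma": "email\ncarol@example.com\nalice@example.com\n",
    "1password": "email\nalice@example.com\ndave@example.com\neve@example.com\n",
}
COMPANY_DOMAIN = "example.com"  # assumption: a single corporate mail domain

def load_roster(text):
    """Map normalised email -> (status, end_date or None) from the HR export."""
    roster = {}
    for row in csv.DictReader(text.splitlines()):
        end = date.fromisoformat(row["end_date"]) if row["end_date"] else None
        roster[row["email"].strip().lower()] = (row["status"], end)
    return roster

def review_access(roster, exports, today_iso, company_domain=COMPANY_DOMAIN):
    """Return one finding per (tool, email) that needs investigation."""
    today, findings = date.fromisoformat(today_iso), []
    for tool, text in exports.items():
        for row in csv.DictReader(text.splitlines()):
            email = row["email"].strip().lower()  # case differences hide matches
            if email not in roster:
                # Unknown to HR: a stale account or a personal-address invite.
                personal = not email.endswith("@" + company_domain)
                reason = "personal_address" if personal else "not_on_roster"
            else:
                status, end = roster[email]
                if status == "departed":
                    reason = "departed"
                elif end is not None and end < today:
                    reason = "contract_ended"
                else:
                    continue  # current staff, nothing to do
            findings.append({"tool": tool, "email": email, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in review_access(load_roster(ROSTER_CSV), TOOL_EXPORTS, "2024-06-01"):
        print(f"{f['tool']:<10} {f['email']:<28} {f['reason']}")
```

Each finding is a prompt to investigate, not an automatic removal: a personal-address hit may be a current employee who was invited the wrong way, which is itself worth fixing.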
If you want someone to do this systematically, build the processes, and make sure it never slips again, that's exactly what I do. Book a free call and we'll start with an access audit.