2024-05-12

What happens to ex-employee access after they leave?

When employees leave, their primary email is disabled, but what happens to all the SaaS tools they were invited to directly?

When an employee departs, IT disables their Google Workspace or Microsoft 365 account. That is standard operating procedure: it is fast, and it is usually automated. But the primary identity is only the tip of the iceberg.

The hidden risk lies in the dozens of SaaS tools that the employee was invited to directly over their tenure.

The Shadow Access Problem

Many SaaS applications offer native username and password authentication alongside SSO. If an employee ever set a password for a tool, even if they normally signed in with SSO, that password often remains valid after their primary email is disabled: the app checks it against its own credential store, not against your identity provider. Unless the app enforces SSO for every login or the account was deprovisioned in the app itself, the ex-employee can simply navigate to the tool's login page, enter their email and the password they set, and gain access. Disabling the mailbox does not help here; at that point the email address is just a username, and they do not need a reset link because they already know the password.

This is not a theoretical risk. It happens constantly.

Local Accounts By Design

Tools like GitHub, Slack (in certain configurations), and countless developer utilities retain accounts of their own. GitHub is the clearest example: organization membership is tied to a GitHub account, not to a corporate mailbox. If a developer leaves your company, but their GitHub account was added to your organization as an outside collaborator or they joined with a personal account, disabling their corporate email does nothing to remove them from your GitHub organization; someone has to remove the account from the organization itself.

Beyond direct tool access, departed employees are one of the main sources of dormant account risk: accounts that slipped through offboarding sit unused, keep whatever privileges they had, and go undetected for months.

How to find it

To properly secure offboarding, security teams must:

  1. Map every tool the employee ever touched, including the ones they were invited to directly rather than through the identity provider.
  2. Verify removal from every tool, not just the primary identity provider.
  3. Audit local authentication methods that might bypass SSO, and enforce SSO in each app that supports it so a leftover password cannot be used.
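The three steps above amount to a reconciliation: take the list of active users from the identity provider, pull the member list from every connected app, and report anyone who appears in an app but not in the directory, with extra weight on accounts that can log in without SSO. The following Python is an added example of that check, written for this page rather than taken from it or from any vendor's product. The identity provider export and the app member lists are constructed sample data (the `IDP_USERS` and `APP_USERS` structures and the `AppUser` fields are assumptions); in practice they would come from your IdP's user export and each app's admin API, such as GitHub's organization members plus outside collaborators.

```python
"""Reconcile an identity provider export against SaaS app member lists.

Constructed sample data throughout: no real directory or app is queried.
Replace IDP_USERS and APP_USERS with exports from your IdP and from each
app's admin API (for GitHub: organization members and outside collaborators).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AppUser:
    app: str
    identity: str      # email or login exactly as the app reports it
    auth_method: str   # "sso", "password" (local credential set), or "external"
    role: str = "member"


def normalize(identity: str) -> str:
    """Apps report emails inconsistently; compare them case-insensitively."""
    return identity.strip().lower()


# Constructed sample: IdP export. Only ACTIVE users count as current staff;
# a disabled IdP user is precisely the case offboarding is meant to cover.
IDP_USERS = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "disabled",  # left last month; mailbox disabled
}

# Constructed sample: member lists as each app's admin API would return them.
APP_USERS = [
    AppUser("github", "alice@example.com", "sso"),
    AppUser("github", "carol@example.com", "password", "admin"),  # set a password once
    AppUser("github", "dave-contractor", "external", "outside_collaborator"),
    AppUser("slack", "bob@example.com", "sso"),
    AppUser("slack", "Carol@Example.com", "password"),
    AppUser("jira", "alice@example.com", "sso"),
    AppUser("jira", "bob@example.com", "password"),  # still employed, but bypasses SSO
]


def find_orphans(idp_users: dict, app_users: list) -> list:
    """Step 2: every app account whose identity is not an active directory user."""
    active = {normalize(e) for e, status in idp_users.items() if status == "active"}
    known = {normalize(e) for e in idp_users}
    findings = []
    for user in app_users:
        key = normalize(user.identity)
        if key in active:
            continue
        if key in known:
            reason = "disabled in IdP but still present in app"
        elif "@" not in key:
            reason = "not a directory identity (personal or external account)"
        else:
            reason = "email unknown to IdP"
        # A surviving local credential is the worst case: the app accepts it
        # regardless of what the IdP says, so removal has to happen in the app.
        severity = "high" if user.auth_method != "sso" else "medium"
        findings.append({
            "app": user.app, "identity": key, "role": user.role,
            "auth": user.auth_method, "reason": reason, "severity": severity,
        })
    return findings


def find_sso_bypass(idp_users: dict, app_users: list) -> list:
    """Step 3: current staff who hold a local password in an app. They become
    orphans at their own offboarding unless the app enforces SSO."""
    active = {normalize(e) for e, status in idp_users.items() if status == "active"}
    return [(u.app, normalize(u.identity)) for u in app_users
            if normalize(u.identity) in active and u.auth_method == "password"]


if __name__ == "__main__":
    for f in find_orphans(IDP_USERS, APP_USERS):
        print(f"[{f['severity']}] {f['app']}: {f['identity']} "
              f"({f['role']}, {f['auth']}) - {f['reason']}")
    for app, who in find_sso_bypass(IDP_USERS, APP_USERS):
        print(f"[sso-bypass] {app}: {who} has a local password; enforce SSO or clear it")
```

On the sample data this reports Carol in both GitHub and Slack (disabled in the IdP, local password still set), the outside collaborator `dave-contractor` (never a directory identity at all, so no IdP action could have removed him), and Bob's local Jira password as a future gap. The normalization step matters: Slack reports `Carol@Example.com` while the IdP has it in lower case, and a naive string comparison would have missed that account.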

Understanding the full scope of your SaaS access risks is the first step toward a systematic offboarding process. Kastrum automates this by correlating your identity provider with the actual user lists in your connected SaaS tools, flagging anyone who no longer exists in your directory but still has active access in a downstream app. Learn more about what Kastrum does.