The Access that Outlived the Employee
A long-tenured employee leaves. IT disables their Active Directory account the same day. But their Salesforce login still works. Their Slack account is still active. They were one of three people who knew the credentials to a shared AWS console account, and nobody changed that password. Six months later, an auditor asks who has access to your CRM. Nobody has a clean answer. That moment is what identity security programs are built to prevent.
Why Identity Is Hard to Manage Now
Identity sprawl mirrors data sprawl. SaaS tools, cloud platforms, and internal systems each maintain their own accounts. There is no single place where all of an organization's active identities live, and no automatic process to keep them synchronized.
On-premises Active Directory covers the Windows environment and domain-joined systems. Azure AD (now called Entra ID) covers Microsoft cloud services. AWS has its own IAM. Google Cloud has its own identity layer. Salesforce, GitHub, Slack, and every other SaaS application manages its own users independently. Your identity environment is not one thing; it is a collection of disconnected systems that do not talk to each other by default.
Provisioning happens fast. Someone needs access to do their job, so access gets granted. Deprovisioning is painstaking and often less consistent, because it’s rare to find a complete list of the access granted across all systems. The result is orphaned accounts: former employees, contractors, or vendors whose access was never fully revoked.
Unfortunately, this is not hypothetical. Many organizations find they have active accounts belonging to past employees and contractors who left months or years ago.
Attackers have taken notice. Credential-based attacks have grown precisely because they’re effective. Organizations have strengthened perimeter defenses, so attackers went around them. They log in using compromised credentials, often into accounts that should have been removed long before the breach.
What Identity Security Actually Covers
Organizations that want to get their arms around identity security build a multi-tiered program along these lines:
Account inventory: You need a working list of every account that exists across every system. Who created it, when, and why. This is harder than it sounds in a mixed environment of on-premises Active Directory and cloud platforms, but it is the foundation. Without an inventory, you cannot run a meaningful access review, assess your privileged account exposure, or produce evidence for an audit.
Authentication controls: Multi-factor authentication on every external-facing system is a baseline expectation now, not a bonus feature. If staff are accessing systems from outside the network, MFA should be required. Single sign-on reduces the number of independent credential sets in play and makes deprovisioning cleaner. When someone leaves, disabling their SSO identity cascades across connected applications rather than requiring separate action in each one.
Least privilege: Users should have access to what they need to do their job, not everything that might be convenient. In practice, access accumulates over time. Someone gets temporary elevated access for a project and nobody removes it when the project ends. An access review finds and corrects that drift before it creates exposure.
Privileged access management: Administrative accounts in Active Directory, root-level access in AWS, and super-admin accounts in Salesforce or GitHub carry disproportionate risk. A compromise of a standard user account is serious. A compromise of an admin account is a different category of problem. Privileged accounts need tighter controls, separate credentials, and closer monitoring than standard accounts.
Identity lifecycle management: What happens when someone joins, changes roles, or leaves? If that process is informal or incomplete, orphaned and over-privileged accounts are the predictable result. Lifecycle management is not a technical control; it is a process that connects HR events to IT actions.
Each of these is connected. SSO makes account inventory easier. Least privilege policies are only meaningful if lifecycle management keeps them current. The components reinforce each other.
Where to Start
Start with privileged accounts. Admin accounts in Active Directory, root and admin accounts in your cloud environments, and super-admin accounts in your most sensitive SaaS tools are where a compromise causes the most damage. Inventory those first, then audit who has them and whether each one is still warranted. Remove or restrict anything that is not clearly necessary.
Enforce MFA on every external-facing system. Email, VPN, cloud consoles, SaaS applications: if your staff are accessing these systems from outside your network, MFA should be required. This is one of the highest-return actions an organization can take relative to the effort involved.
If you haven’t done so yet, start conducting access reviews. Pull the user list from Active Directory, your primary cloud platform, and your most sensitive SaaS tools, then compare those lists against your current employee roster. The accounts that do not match your active staff are your starting point. If you already have a SOX requirement for access reviews, expand beyond the SOX in-scope systems.
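To make the review described above concrete, here is an added example (not code from the original post) that reconciles per-system account exports against an HR roster and lists the accounts that do not match active staff, privileged ones first, which also serves the inventory and privileged-account audit steps earlier on the page. The system names, the export layout and every account are constructed assumptions.

```python
# Added example, not from the original post: reconcile identity-store exports
# against the HR roster to find orphaned accounts. All data below is
# constructed sample input; system names and field layouts are assumptions.
from dataclasses import dataclass

# Constructed HR roster: only currently active staff appear here.
HR_ACTIVE = {"alice@example.com", "bob@example.com", "dana@example.com"}

# Constructed exports, one list per identity store. Each entry is
# (account email, privileged?) as an admin would dump it from that system.
IDENTITY_STORES = {
    "active_directory": [("alice@example.com", True), ("bob@example.com", False),
                         ("carl@example.com", False)],
    "aws_iam": [("alice@example.com", True), ("carl@example.com", True),
                ("Bob@Example.com", False)],
    "salesforce": [("bob@example.com", False), ("dana@example.com", False),
                   ("eve-contractor@example.com", True)],
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    privileged: bool


def find_orphans(stores, hr_active):
    """Return accounts present in a system but absent from the HR roster.

    Matching is by lower-cased email so case differences between exports do
    not hide an orphan. Privileged orphans sort first: they are the accounts
    to act on immediately."""
    roster = {e.lower() for e in hr_active}
    findings = []
    for system, accounts in stores.items():
        for account, privileged in accounts:
            if account.lower() not in roster:
                findings.append(Finding(system, account.lower(), privileged))
    return sorted(findings, key=lambda f: (not f.privileged, f.system, f.account))


def orphans_by_account(findings):
    """Group findings by account so one departure drives one offboarding ticket."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.account, []).append(f.system)
    return grouped


if __name__ == "__main__":
    for f in find_orphans(IDENTITY_STORES, HR_ACTIVE):
        print(f"{'PRIVILEGED' if f.privileged else 'standard':10} {f.system:17} {f.account}")
```

The grouped output doubles as a check on the offboarding checklist: every system that shows up for a departed person is one the checklist missed.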
Build an offboarding checklist that reflects reality. When someone leaves, what systems actually need to be touched? Document the list of identity stores. Test it on the next departure and update it when you find gaps. This is the most direct way to reduce orphaned account risk over time.
Connect HR and IT processes. Most identity lifecycle problems happen at the boundary between those two functions. If IT does not hear about a departure or a role change in time, accounts persist. That connection needs to be deliberate. A shared process, a notification trigger, or a regular sync is better than assuming information will flow on its own.
Identities Are the Front Door
Identity is not purely a technical problem. It is an organizational one. Controls only work if the right processes exist around them. Requiring MFA won’t help if shared accounts exist on critical systems. An access review is only useful if action is taken on the findings.
The organizations that manage identity well are not necessarily the ones with the best tools. They are the ones with clear ownership of who can access what, and a reliable process for keeping that current. Identity security is not a one-and-done exercise. Access changes every time someone joins, leaves, or moves to a different role. The program has to keep pace with the organization.
Groman Cyber helps organizations assess and improve identity security across on-premises and cloud environments. If you are not sure where your exposure is, or if your offboarding and access review processes have gaps, we can help. Contact us to get started.