Small teams often remove a departing teammate from the email account and stop there. The risk lives in the overlooked places: shared admin roles, OAuth grants, browser sessions, API keys, automation owners, billing seats, recovery email addresses, and private files synced to unmanaged devices. This checklist was reviewed on June 13, 2026 against NIST, CISA, and FTC security guidance. It is general operational guidance, not legal, HR, or incident-response advice.

Practical decision table
| Asset | Offboarding action | Evidence to save |
|---|---|---|
| Identity provider | Disable sign-in and revoke sessions | Admin audit log export |
| SaaS admin roles | Transfer owner role before deletion | New owner confirmation |
| API keys and tokens | Rotate or revoke keys owned by user | Key inventory row and date |
| Shared files | Transfer folders and remove personal shares | Folder owner report |
| Devices and sessions | Wipe or disconnect managed devices | MDM or app session log |

Start with an owner map, not a deletion button
Before disabling an account, list the systems where that person owns automations, integrations, billing, domains, repositories, dashboards, shared inboxes, forms, or support queues. If you delete first, scheduled jobs can fail silently and nobody knows which alert belonged to the departed user. A safe offboarding checklist has two columns: access to remove and ownership to transfer.

Revoke sessions and tokens separately
Password resets and account suspension do not always remove every session, app password, OAuth grant, personal access token, webhook secret, or API key. Check the identity provider, each high-risk SaaS app, repository settings, automation platform, analytics account, and cloud console. Rotate shared secrets when the individual could have copied them, especially if the key connects payment, customer, production, or administrative systems.

Treat shared admin accounts as a readiness defect
A shared administrator login may feel convenient, but it makes offboarding impossible to prove. Replace shared accounts with named admins, least-privilege roles, phishing-resistant MFA where available, and emergency break-glass procedures. If a shared account cannot be removed today, record it as a risk exception with a named owner and a retirement date instead of pretending the offboarding is complete.

Audit file sharing and external collaborators
Departing staff often retain access through shared drives, project boards, customer folders, meeting recordings, whiteboards, private channels, and vendor portals. Export a membership list before and after cleanup. Remove personal email shares, transfer ownership of business files, and confirm that customers or vendors still reach a monitored group mailbox rather than an individual address.

Check automation owners and notification routes
No-code workflows, scheduled reports, CRM sequences, payment alerts, lead forms, and monitoring notifications can keep running under a disabled user until the next token refresh. Open each automation platform and confirm the owner, credential, failure notification, and run history. A low-risk test run after transfer is better than discovering the issue during payroll, renewals, or a customer incident.
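The owner map, the separate token revocation, the shared-admin exception, and the automation-owner check above can all be driven from one asset inventory. The block below is an added example written for this page, not code from the original checklist or from any vendor tool: the `Asset` fields, the asset kinds, the high-risk domain list, and the sample inventory for a departing user "alice" are constructed assumptions. It produces the two-column plan (access to remove, ownership to transfer), lists keys that must be rotated rather than merely revoked, carries shared logins as dated exceptions, and answers whether primary sign-in can be disabled yet (every transfer has a named successor).

```python
"""Build an offboarding plan from an asset inventory.

Added example: the Asset fields, kinds and the sample inventory are
assumptions constructed for this page, not any vendor's data model.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Keys reaching these domains are rotated even if the departing user was
# the only holder, because a copied key there has too large a blast radius.
HIGH_RISK_DOMAINS = {"payment", "customer", "production", "admin"}

# Asset kinds that are removed (access) versus handed over (ownership).
REMOVE_KINDS = {"account", "session", "oauth_grant", "app_password",
                "api_key", "token", "share"}
TRANSFER_KINDS = {"automation", "billing", "repository", "domain",
                  "dashboard", "form", "shared_inbox"}


@dataclass
class Asset:
    system: str                       # where the asset lives, e.g. "payments-api"
    kind: str                         # a REMOVE_KINDS / TRANSFER_KINDS value, or "shared_admin"
    owner: str                        # user id that owns or holds it
    shared: bool = False              # could other people have copied the secret?
    touches: Tuple[str, ...] = ()     # data domains the asset connects to
    new_owner: Optional[str] = None   # successor already arranged, if any


def build_plan(inventory, departing, successor=None):
    """Return the two-column plan plus the rotation list and risk exceptions."""
    plan = {"remove": [], "transfer": [], "rotate": [], "exceptions": []}
    for a in inventory:
        if a.owner != departing:
            continue
        if a.kind == "shared_admin":
            # A shared login cannot be proven offboarded: rotate its password
            # now and carry it as an exception with a named owner.
            plan["rotate"].append(a.system)
            plan["exceptions"].append({
                "system": a.system,
                "owner": successor,
                "control": "retire shared login; replace with named admins and MFA",
            })
            continue
        if a.kind in TRANSFER_KINDS:
            plan["transfer"].append((a.system, a.new_owner or successor))
        if a.kind in REMOVE_KINDS:
            plan["remove"].append(a.system)
        # Keys and tokens are rotated, not just revoked, when the secret may
        # have been copied or when it reaches a high-risk system.
        if a.kind in {"api_key", "token"} and (
                a.shared or HIGH_RISK_DOMAINS & set(a.touches)):
            plan["rotate"].append(a.system)
    return plan


def ready_to_disable(plan):
    """Primary sign-in may be disabled only once every transfer has a named owner."""
    return all(new_owner is not None for _, new_owner in plan["transfer"])


# Constructed sample inventory; "alice" is the departing user.
SAMPLE_INVENTORY = [
    Asset("okta", "account", "alice"),
    Asset("payments-api", "api_key", "alice", shared=True,
          touches=("payment", "production")),
    Asset("analytics-export", "api_key", "alice", touches=("analytics",)),
    Asset("zapier:lead-router", "automation", "alice"),
    Asset("github:org/website", "repository", "alice", new_owner="bob"),
    Asset("registrar:example.com", "domain", "alice"),
    Asset("legacy-admin@", "shared_admin", "alice", shared=True),
    Asset("drive:customer-folder", "share", "alice"),
    Asset("okta", "account", "carol"),   # unrelated user, must be untouched
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_INVENTORY, "alice", successor="bob")
    for column, items in plan.items():
        print(f"{column}: {items}")
    print("safe to disable sign-in:", ready_to_disable(plan))
```

Running it with no successor named leaves the automation and the domain without a new owner, so `ready_to_disable` stays false; that is the "known ownership transfers" gate from the checklist expressed as data rather than memory.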

Keep a defensible evidence folder
The folder should contain the employee or contractor identifier, offboarding date, ticket owner, systems reviewed, before-and-after role exports, token rotations, device actions, exceptions, and unresolved risks. Avoid storing unnecessary personal data. The purpose is not surveillance; it is to prove that business access was reduced in a timely, repeatable, least-privilege way.

A practical 24-hour sequence
In the first hour, disable interactive sign-in for the identity provider and high-risk applications, but preserve the mailbox, files, and audit logs long enough for transfer. Confirm that recovery email addresses and phone numbers no longer point to the departing person. If the account used phishing-resistant MFA or hardware keys, record whether those authenticators were recovered, revoked, or still missing. This first hour is about stopping access without destroying evidence.

During the same business day, open the systems that can affect money, customer data, production availability, or external reputation. That usually includes email, cloud storage, domain registrar, website hosting, analytics, payment processor, CRM, support desk, code hosting, password manager, automation platform, social accounts, and ad accounts. For each one, capture the current role, remove or downgrade access, transfer ownership, and export the admin log if available.

By the next day, review lower-risk systems and exceptions. Some tools are forgotten because they are billed annually, owned by a founder’s card, or used only by one department. Add those to the inventory instead of treating them as one-off cleanup. The next offboarding should be faster because today’s evidence becomes tomorrow’s checklist.

Vendor and contractor edge cases
Contractors, agencies, bookkeepers, designers, and fractional operators often use external identities rather than company-managed accounts. Their access can survive a normal employee offboarding flow. Search by personal email domain, agency email, shared group, and project name. Review guest users, external collaborators, repository teams, shared dashboards, calendar delegation, support-seat access, and billing portals.

If a vendor relationship continues but a specific person leaves, ask the vendor to confirm who now owns the account and whether any shared secrets were known to the departed individual. Rotate credentials when the answer is unclear. Keep the request professional and narrow: the business does not need private employment details, but it does need assurance that access to its systems is still appropriate.

Readiness improvement for small teams
A good offboarding checklist also improves AdSense and trust readiness for a public site because it reduces the chance of unauthorized content changes, broken analytics, exposed customer messages, or abandoned contact forms. Keep editorial, analytics, hosting, and ad-platform access assigned to named roles. Review policy pages and contact routes after high-risk staff changes. If the person managed publishing, verify that deployment secrets, webhooks, and domain access still belong to the business rather than an individual account.

Metrics that prove the process improved
Track a few simple numbers after each offboarding: how many systems were reviewed, how many had named owners, how many tokens were rotated, how many exceptions remained, and how long it took to disable primary access. These metrics should not become a blame exercise. They show whether the company is reducing hidden dependency on individual accounts over time.

Review the exceptions monthly until they close. A lingering exception such as “shared admin account still needed” or “legacy automation still owned by former contractor” is a real security risk. Give each exception an owner, a target date, and a compensating control. If a small team cannot fix everything in one week, it can still avoid pretending the risk disappeared.
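The evidence folder described earlier is only useful if the numbers above can be read out of it and the exceptions are actually reviewed. The block below is an added example written for this page, not from the original checklist or any tool: the evidence record layout (`subject`, `notified_at`, `primary_access_disabled_at`, per-system rows with an optional `exception`) is an assumed shape constructed here, and the record contents are made up. It computes the five metrics from one record and lists every exception that is overdue or lacks an owner or a compensating control, which is the monthly review in code.

```python
"""Compute offboarding metrics and review open exceptions from an evidence record.

Added example: the record layout below is an assumption constructed for this
page, not a format any tool emits. The subject is an internal reference,
not personal data.
"""
from datetime import date, datetime

# Constructed evidence record for one offboarding.
EVIDENCE = {
    "subject": "contractor-0427",            # internal ticket/identity reference only
    "notified_at": "2026-06-13T09:00:00+00:00",
    "primary_access_disabled_at": "2026-06-13T09:35:00+00:00",
    "systems": [
        {"system": "okta", "named_owner": True, "tokens_rotated": 0,
         "exception": None},
        {"system": "payments-api", "named_owner": True, "tokens_rotated": 1,
         "exception": None},
        {"system": "zapier", "named_owner": False, "tokens_rotated": 1,
         "exception": {"note": "legacy automation still owned by former contractor",
                       "owner": "bob", "target_date": "2026-06-20",
                       "compensating_control": "failure alerts routed to ops group"}},
        {"system": "legacy-admin@", "named_owner": False, "tokens_rotated": 1,
         "exception": {"note": "shared admin account still needed",
                       "owner": None, "target_date": "2026-07-01",
                       "compensating_control": None}},
    ],
}


def offboarding_metrics(evidence):
    """The five numbers the page suggests tracking, from one evidence record."""
    systems = evidence["systems"]
    notified = datetime.fromisoformat(evidence["notified_at"])
    disabled = datetime.fromisoformat(evidence["primary_access_disabled_at"])
    return {
        "systems_reviewed": len(systems),
        "named_owners": sum(1 for s in systems if s["named_owner"]),
        "tokens_rotated": sum(s["tokens_rotated"] for s in systems),
        "exceptions_open": sum(1 for s in systems if s["exception"]),
        "minutes_to_disable": int((disabled - notified).total_seconds() // 60),
    }


def review_exceptions(evidence, today):
    """Map each system whose exception is defective or overdue to its problems.

    An exception is defective when it has no owner or no compensating control,
    and overdue when its target date is before `today` (an ISO date string).
    """
    as_of = date.fromisoformat(today)
    findings = {}
    for s in evidence["systems"]:
        exc = s["exception"]
        if not exc:
            continue
        problems = []
        if not exc.get("owner"):
            problems.append("no owner")
        if not exc.get("compensating_control"):
            problems.append("no compensating control")
        if date.fromisoformat(exc["target_date"]) < as_of:
            problems.append(f"overdue (target {exc['target_date']})")
        if problems:
            findings[s["system"]] = problems
    return findings


if __name__ == "__main__":
    print(offboarding_metrics(EVIDENCE))
    print(review_exceptions(EVIDENCE, "2026-06-25"))
```

Keeping the review as a function over the stored record means the monthly check is the same command each time, and an exception that was silently edited to remove its owner shows up as a finding rather than disappearing.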

Small-team offboarding checklist
- Disable primary sign-in only after critical ownership transfers are known.
- Revoke sessions, OAuth grants, app passwords, API tokens, and recovery methods.
- Transfer dashboards, folders, forms, automations, repositories, and billing seats.
- Remove external shares and personal email collaborators.
- Rotate shared secrets that could have been copied.
- Record exceptions with a responsible owner and review date.

FAQ
Is this guide current for 2026?
It was checked on June 13, 2026 against the listed security resources, but SaaS admin panels and identity-provider features change frequently.

Should we delete accounts immediately?
Usually suspend or disable access first, transfer ownership, preserve required records, then delete only when retention and business continuity needs are clear.

When should we escalate to security or legal help?
Escalate if there is suspected misuse, regulated data, customer data exposure, unmanaged devices, privileged cloud access, or a hostile departure risk.

Offboarding is a repeatable security control. A small team does not need enterprise bureaucracy, but it does need named owners, revoked tokens, transferred automations, and evidence that the work actually happened.