Mima

Employee Offboarding License Cleanup: Solving Leaver Access Creep

How to prevent and remediate ghost SaaS licenses that persist after employee departure. Covers the JML lifecycle gap, automated deprovisioning workflows, and the compliance audit trail requirements for license reclamation.

Mima Intelligence · 18 July 2026 · 6 min read

The Gap Between HR and IT

When an employee leaves an organization, the HR department processes the termination in the HRIS system. The IT department disables the user’s Active Directory or Okta account. The employee’s laptop is collected, their badge is deactivated, and their email forwarding is configured.

The process feels complete. But it’s not.

The problem is that modern enterprises use dozens to hundreds of SaaS applications, and most of them maintain their own user databases, session tokens, and billing relationships that are not automatically terminated when the identity provider account is disabled.


Where the Gaps Hide

The Identity Provider Blind Spot

Disabling a user in Okta or Entra ID prevents new SSO logins. But it does not:

The Department-Managed SaaS Blind Spot

Many SaaS applications are purchased and managed at the department level, bypassing central IT procurement:

When an employee leaves, the department manager may not remember to revoke access to every tool, especially for infrequently used applications or tools the employee signed up for independently.

The Contractor and Temporary Worker Blind Spot

Contractors and temporary workers are often given access to the same tools as full-time employees but are managed through a different HRIS workflow (or no formal workflow at all). When their engagement ends, their access termination depends on a manual process that is frequently forgotten.


The Financial and Security Cost

Financial Impact

Organization SizeAnnual TurnoverAvg. Ghost Licenses/LeaverAvg. Monthly Cost/LicenseAvg. Months ActiveAnnual Waste
1,000 employees150 leavers3$254$45,000
5,000 employees750 leavers5$304$450,000
20,000 employees3,000 leavers7$355$3,675,000

At enterprise scale, leaver access creep represents one of the largest categories of preventable SaaS waste.

Security Impact

Ghost accounts are not just a cost problem — they’re a security exposure:


The Automated Deprovisioning Workflow

Manual offboarding checklists scale poorly. A 50-item checklist for 750 annual departures requires 37,500 individual actions per year — each dependent on a human remembering to execute it. The error rate is predictable.

The Architecture: Event-Driven Deprovisioning

The solution is an event-driven pipeline triggered by the HR system status change:

1. HR System → Identity Provider (Automated)

When the HRIS (Workday, BambooHR, Personio) updates an employee’s status to “terminated,” the identity provider automatically:

2. Identity Provider → SaaS Applications (API-Driven)

For each application connected via SCIM provisioning or native API:

3. License Recovery and Reassignment

After deprovisioning:

4. Compliance Evidence Logging

Every action in the pipeline is logged with:

This audit trail satisfies SOC 2 CC6.1 (logical access), ISO 27001 A.9.2.6 (removal of access rights), and GDPR Article 17 (right to erasure) requirements.


Measuring Deprovisioning Effectiveness

Track these metrics monthly to ensure the offboarding process is working:

Mean Time to Deprovision (MTTD)

The average time between HR termination and complete SaaS deprovisioning. Target: <24 hours for SSO-integrated apps, <72 hours for all apps including manual cleanup.

Deprovisioning Coverage Rate

The percentage of a departing employee’s SaaS applications that are automatically deprovisioned vs. requiring manual intervention. Target: >85% automated coverage.

Ghost License Detection Rate

The number of active SaaS licenses discovered that belong to users who were terminated more than 30 days ago. This metric should trend toward zero as the automated pipeline matures.

Cost Recovery Rate

The total dollar value of licenses reclaimed through automated deprovisioning vs. the total potential recovery. Target: >90% of recoverable license value captured within the first billing cycle after termination.


How Mima Automates Offboarding License Cleanup

Mima integrates with your identity provider and SaaS applications to close the deprovisioning gap:

  1. Continuous reconciliation — Mima cross-references your identity provider’s user directory against active licenses in every connected SaaS application, flagging any user who is disabled in the IDP but still holds active licenses
  2. Event-driven deprovisioning — When a user is terminated, Mima automatically initiates license revocation across all connected applications via API, with fallback ticket creation for non-integrated apps
  3. Ghost license sweeps — Weekly automated scans surface any licenses that slipped through the deprovisioning pipeline, ensuring no ghost accounts persist beyond one billing cycle
  4. Compliance reporting — Per-leaver deprovisioning reports with timestamps, actions taken, and any exceptions, formatted for SOC 2 and ISO 27001 auditor consumption

Further reading

Last reviewed on July 18, 2026 by Mima Intelligence

Related Reading

See your position before the auditor does.

Mima runs the auditor's methodology against your estate continuously — for every vendor, with every finding grounded in a citable source.

See how Mima works →