The Gap Between HR and IT
When an employee leaves an organization, the HR department processes the termination in the HRIS system. The IT department disables the user’s Active Directory or Okta account. The employee’s laptop is collected, their badge is deactivated, and their email forwarding is configured.
The process feels complete. But it’s not.
The problem is that modern enterprises use dozens to hundreds of SaaS applications, and most of them maintain their own user databases, session tokens, and billing relationships that are not automatically terminated when the identity provider account is disabled.
Where the Gaps Hide
The Identity Provider Blind Spot
Disabling a user in Okta or Entra ID prevents new SSO logins. But it does not:
- Revoke existing sessions in applications that use long-lived tokens (Slack, Jira, Figma, Notion)
- Cancel paid subscriptions in applications with direct billing relationships (individual SaaS accounts on corporate cards)
- Remove API tokens the user created for integrations (GitHub personal access tokens, Salesforce connected apps)
- Transfer shared resources the user owned (shared drives, team workspaces, automation workflows)
The Department-Managed SaaS Blind Spot
Many SaaS applications are purchased and managed at the department level, bypassing central IT procurement:
- Marketing manages its own HubSpot, Mailchimp, and design tool subscriptions
- Engineering manages its own GitHub, CircleCI, and monitoring tool licenses
- Sales manages its own Salesforce, Gong, and outreach tool subscriptions
When an employee leaves, the department manager may not remember to revoke access to every tool, especially for infrequently used applications or tools the employee signed up for independently.
The Contractor and Temporary Worker Blind Spot
Contractors and temporary workers are often given access to the same tools as full-time employees but are managed through a different HRIS workflow (or no formal workflow at all). When their engagement ends, their access termination depends on a manual process that is frequently forgotten.
The Financial and Security Cost
Financial Impact
| Organization Size | Annual Turnover | Avg. Ghost Licenses/Leaver | Avg. Monthly Cost/License | Avg. Months Active | Annual Waste |
|---|---|---|---|---|---|
| 1,000 employees | 150 leavers | 3 | $25 | 4 | $45,000 |
| 5,000 employees | 750 leavers | 5 | $30 | 4 | $450,000 |
| 20,000 employees | 3,000 leavers | 7 | $35 | 5 | $3,675,000 |
At enterprise scale, leaver access creep represents one of the largest categories of preventable SaaS waste.
Security Impact
Ghost accounts are not just a cost problem — they’re a security exposure:
- Credential reuse: If the departed employee’s credentials are compromised (via a breach of another service where they reused their password), the attacker gains access to corporate applications that still recognize those credentials.
- Data access: Former employees with active sessions can continue accessing corporate data, intentionally or inadvertently, for months after departure.
- Compliance violations: GDPR, SOC 2, and ISO 27001 all require timely access revocation as part of the identity lifecycle. Persistent ghost accounts create auditable compliance gaps.
The Automated Deprovisioning Workflow
Manual offboarding checklists scale poorly. A 50-item checklist for 750 annual departures requires 37,500 individual actions per year — each dependent on a human remembering to execute it. The error rate is predictable.
The Architecture: Event-Driven Deprovisioning
The solution is an event-driven pipeline triggered by the HR system status change:
1. HR System → Identity Provider (Automated)
When the HRIS (Workday, BambooHR, Personio) updates an employee’s status to “terminated,” the identity provider automatically:
- Disables the SSO account
- Revokes all active sessions across federated applications
- Removes the user from all assigned groups and roles
2. Identity Provider → SaaS Applications (API-Driven)
For each application connected via SCIM provisioning or native API:
- SCIM-supported apps (Slack, Salesforce, Jira, etc.): User is automatically deprovisioned via the SCIM
active: falsesignal - API-integrated apps: Mima calls the application’s admin API to revoke the user’s license, cancel any paid subscription, and transfer ownership of shared resources
- Non-integrated apps: A remediation ticket is created for manual cleanup, assigned to the department admin
3. License Recovery and Reassignment
After deprovisioning:
- Transferable licenses (named-user licenses like M365, Salesforce) are returned to the available pool for reassignment
- Concurrent licenses (FlexLM tokens, AutoCAD seats) are automatically freed
- Non-refundable licenses (annual subscriptions past the cancellation window) are flagged for non-renewal
4. Compliance Evidence Logging
Every action in the pipeline is logged with:
- Timestamp of the termination event
- List of applications deprovisioned
- Method used (SCIM, API, manual ticket)
- Time elapsed between HR termination and application deprovisioning
- Any exceptions or failures that required manual intervention
This audit trail satisfies SOC 2 CC6.1 (logical access), ISO 27001 A.9.2.6 (removal of access rights), and GDPR Article 17 (right to erasure) requirements.
Measuring Deprovisioning Effectiveness
Track these metrics monthly to ensure the offboarding process is working:
Mean Time to Deprovision (MTTD)
The average time between HR termination and complete SaaS deprovisioning. Target: <24 hours for SSO-integrated apps, <72 hours for all apps including manual cleanup.
Deprovisioning Coverage Rate
The percentage of a departing employee’s SaaS applications that are automatically deprovisioned vs. requiring manual intervention. Target: >85% automated coverage.
Ghost License Detection Rate
The number of active SaaS licenses discovered that belong to users who were terminated more than 30 days ago. This metric should trend toward zero as the automated pipeline matures.
Cost Recovery Rate
The total dollar value of licenses reclaimed through automated deprovisioning vs. the total potential recovery. Target: >90% of recoverable license value captured within the first billing cycle after termination.
How Mima Automates Offboarding License Cleanup
Mima integrates with your identity provider and SaaS applications to close the deprovisioning gap:
- Continuous reconciliation — Mima cross-references your identity provider’s user directory against active licenses in every connected SaaS application, flagging any user who is disabled in the IDP but still holds active licenses
- Event-driven deprovisioning — When a user is terminated, Mima automatically initiates license revocation across all connected applications via API, with fallback ticket creation for non-integrated apps
- Ghost license sweeps — Weekly automated scans surface any licenses that slipped through the deprovisioning pipeline, ensuring no ghost accounts persist beyond one billing cycle
- Compliance reporting — Per-leaver deprovisioning reports with timestamps, actions taken, and any exceptions, formatted for SOC 2 and ISO 27001 auditor consumption
Further reading
- How to Find Unused Microsoft 365 Licenses
- Microsoft Copilot License Waste: Are You Paying for AI Nobody Uses?
- JML Automation — Platform Overview
- Agentless Discovery — Platform Overview
Last reviewed on July 18, 2026 by Mima Intelligence