Why Deprovisioning Fails and How to Fix It

Because Goodbye Shouldn’t Be Hard

In theory, deprovisioning is straightforward: someone leaves the company or changes roles, a contractor goes on to pastures new, and their access is revoked. Boom. Done. In practice, it’s a tangled mess of manual processes, ticket delays, orphaned accounts, legacy systems, multi-cloud shenanigans, and “we’ll get to it later” spreadsheets. It’s not glamorous, but it is essential. And when it fails, it fails harder than Windows Vista.

Deprovisioning isn’t just good hygiene: it’s a frontline defense against insider threats, audit failures, and the kind of privilege creep that gives CISOs the hives. Yet, despite all we know, most organizations still struggle to get it right. 

I live in County Tyrone, and as such, I’m a big proponent of The Irish Goodbye™. However, when I recently booted up an old PC, I discovered that I still have working access to the FTP server for a multinational and multi-billion-dollar company I worked with 20+ years ago. Seriously, someone needs to have a word with themselves.

Here’s why deprovisioning is like a complicated drinking game, and what organizations can do about it.

Why Deprovisioning Fails (almost universally)

The Process Is Manual and Slow

In far too many organizations, deprovisioning starts with a helpdesk ticket, usually filed when someone leaves. The IT team has to manually revoke access across a sprawl of systems: HR platforms, file shares, VPNs, Slack, Salesforce, GitHub, and a dozen shadow IT apps no one wants to own. It’s death by a thousand clicks.

HR and IT Don’t Sync Up

If HR doesn’t immediately flag a departure, IT doesn’t start the offboarding. By the time access is revoked, the user may have had days of unfettered access. Or worse, they’re technically still active, just “forgotten.”

There’s No Visibility into Entitlements

It’s one thing to disable an account. It’s another to know exactly what that account could access. Without centralized visibility into entitlements and roles across cloud environments, deprovisioning is incomplete by default.

Shadow IT and SaaS Creep

When users can sign up for SaaS tools with a company email address, you end up with islands of access outside your official provisioning workflows. AI security isn’t on most people’s radar when creating process orchestration workflows. Good luck revoking that access if no one even knows the account exists.

Privileges Linger Like Gen Z Offspring

Even when users are removed, their elevated permissions or API tokens often persist. Service accounts and integrations are particularly risky; they don’t leave when employees do, but they’re rarely re-evaluated.

The Hidden Cost of Broken Deprovisioning

Let’s be blunt: failed deprovisioning is a security liability with a price tag. 

2025 cybersecurity statistics speak for themselves, and Forbes estimates that up to 74% of data breaches involve privileged access misuse, often by insiders or former employees. A single orphaned account with elevated rights can be a welcome mat for bad actors.

Then there’s the compliance headache. Auditors expect clean offboarding trails, evidence of revoked access, and tight lifecycle management. You won’t get far with “We think someone closed their account… probably.”

And finally, there’s trust. Customers and partners expect you to take access seriously. If an ex-employee still has access to sensitive systems two weeks after leaving, that’s not just bad practice, it’s serious reputational risk.

What Good Deprovisioning Looks Like

Deprovisioning done right isn’t an event. It’s an embedded function of your identity lifecycle. Here’s what that looks like in practice:

  1. Automate It End-to-End: Integrate your HR systems (Workday, BambooHR, etc.) with identity platforms and access tools. When HR marks someone as “terminated,” workflows should auto-trigger to disable access across all connected systems, without human intervention.
  2. Use CIEM to Map Access Entitlements: Cloud Infrastructure Entitlement Management (CIEM) platforms give visibility into who has access to what, across AWS, Azure, GCP, and SaaS. They help spot toxic combinations, over-privileged roles, and dormant accounts before they become risks.
  3. Implement Just-in-Time Access: If no one has standing privileges, there’s nothing to deprovision. Just-in-time (JIT) access models give users time-bound permissions only when needed, automatically expiring access when the task is done. Goodbye, deprovisioning lag.
  4. Embrace Identity Lifecycle Management (ILM): Identity Lifecycle Management ensures that from day one to the final log-off, access is tightly aligned with the user’s role, risk profile, and business need. Provisioning and deprovisioning aren’t separate tasks—they’re part of a continuous flow.
  5. Include Non-Human Accounts in Reviews: Bots, service accounts, integrations, they all need periodic review. Many deprovisioning strategies fail because they focus only on human users. Include everything that can hold a token or credentials.
  6. Make Access Review Continuous: Quarterly access reviews are better than nothing—but barely. Modern solutions allow for real-time review of access rights, with automated nudges and expiry if access isn’t re-certified. Deprovisioning should be a default, not an exception.

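
As an added example (not the post's own code), the list above can be turned into a single reconciliation pass: every live credential in a CIEM-style inventory, human or not, is checked against the HR departures feed, expired JIT grants are caught, and ownerless or dormant service accounts are surfaced for review. The systems, logins, thresholds and timestamps are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 8, 12, 0, tzinfo=timezone.utc)  # constructed clock
REVOKE_SLA = timedelta(hours=24)      # assumed: access gone within a day of HR's flag
DORMANT_AFTER = timedelta(days=90)    # assumed: unused service account is dormant

# Constructed HR feed: login -> when HR recorded the termination.
HR_TERMINATED = {"jdoe": NOW - timedelta(days=14), "asmith": NOW - timedelta(hours=6)}

# Constructed CIEM-style inventory: one row per credential per system. kind is
# "human", "service" or "jit"; owner ties tokens and grants to a person.
def _row(system, id_, kind, owner, active, expires, last_used):
    return dict(system=system, id=id_, kind=kind, owner=owner, active=active,
                expires=expires, last_used=last_used)

INVENTORY = [
    _row("github", "jdoe", "human", "jdoe", True, None, NOW - timedelta(days=1)),
    _row("ftp", "asmith", "human", "asmith", True, None, NOW - timedelta(days=2)),
    _row("okta", "asmith", "human", "asmith", False, None, NOW - timedelta(days=2)),
    _row("aws", "ci-deploy-key", "service", "jdoe", True, None, NOW - timedelta(hours=3)),
    _row("salesforce", "legacy-sync", "service", None, True, None, NOW - timedelta(days=200)),
    _row("aws", "prod-admin-grant", "jit", "bjones", True, NOW - timedelta(hours=2), NOW - timedelta(hours=3)),
    _row("aws", "ro-grant", "jit", "bjones", True, NOW + timedelta(hours=4), NOW),
]

def reconcile(inventory, hr_terminated, now=NOW):
    """Return (severity, system, id, reason) for each live credential that
    should already be gone. Disabled rows are skipped: this audits what is
    still live, not the offboarding history."""
    findings = []
    for r in inventory:
        if not r["active"]:
            continue
        key = (r["system"], r["id"])
        left = hr_terminated.get(r["owner"])
        if left is not None and r["kind"] == "human":
            sev = "high" if now - left > REVOKE_SLA else "medium"
            findings.append((sev, *key, f"account of departed user {r['owner']} still enabled"))
        elif left is not None:
            # Tokens and service accounts do not leave when their owner does.
            findings.append(("high", *key, f"non-human credential owned by departed user {r['owner']}"))
        if r["kind"] == "jit" and r["expires"] is not None and r["expires"] <= now:
            findings.append(("high", *key, "JIT grant past expiry but still active"))
        if r["kind"] == "service" and r["owner"] is None:
            findings.append(("medium", *key, "service account with no owner to review it"))
        if r["kind"] == "service" and now - r["last_used"] > DORMANT_AFTER:
            findings.append(("low", *key, "dormant service account"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1], f[2]))
```

Run on the constructed data, the pass flags six items: the two-week-old GitHub account, the deploy key the same departed user still owns, the JIT grant that outlived its expiry, the six-hour-old FTP account still inside the SLA, and the ownerless, dormant Salesforce integration; the disabled Okta account and the unexpired read-only grant are left alone.
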
The Role of Context-Aware Access

Modern identity tools don’t just ask, “Who are you?”; they ask, “Why are you here, and should you still be here?” That context is critical for effective deprovisioning. A contractor who’s been inactive for a week? Flag it. An engineer with production access who’s moved to sales engineering? Revoke it.

Add that to integrations with Slack or Zoom, and you’ve got inline access control that lives in the same tools your team does. That means fewer delays, better accountability, and faster deprovisioning when it counts.

Killing Access with Kindness

Deprovisioning isn’t sexy. It’s not going to wow the board. But it’s the quiet backbone of real security maturity. It’s also a brilliant litmus test: if a company can’t remove access cleanly, they likely can’t manage it well either.

So say goodbye like you mean it. Automate the farewell. Track it. Time-stamp it. And if you can’t do that today? You’ve got work to do.

Every forgotten credential is an open door, and in cybersecurity, leaving the door open isn’t just lazy; it’s negligent.

Nik Hewitt

Technology

September 8, 2025
