In brief: 31–50% of former employees retain access to unmanaged cloud services because these are not linked to central identity systems and are not automatically disabled when employees leave.
Between 31 and 50 percent of former employees retain access to company-owned cloud applications because decentrally procured SaaS solutions are not recorded in central identity management systems. Automated de-provisioning processes can close this control gap.
Classic offboarding follows an established workflow: the human resources department initiates the departure, and IT disables the Active Directory account. However, this procedure only captures officially inventoried systems. In larger enterprises, almost one thousand unmanaged applications come on top of approximately one hundred known cloud services, up to two-thirds of which were introduced by departments or individuals without central IT approval.
The core problem lies in the technological decoupling of these decentralized accounts from the primary directory service. Centrally integrated applications use SAML or the System for Cross-domain Identity Management (SCIM), so a central lock cascades across systems. Shadow SaaS services, by contrast, use local accounts. Employees register there with their business email address but set their own password, which is stored directly in the cloud provider’s database. When the central account is disabled, the account at the third party remains completely untouched.
The consequences are significant: the former employee can continue to log in from private devices without this being detected by internal monitoring systems. This opens attack vectors for uncontrolled data exfiltration and lateral movement within the enterprise environment. Studies show that organizations often remain unaware of these active accounts for months.
Automated de-provisioning solutions address this gap by continuously discovering shadow SaaS applications and systematically disabling the accounts in them during offboarding. Such systems must be able to track decentrally created accounts using the business email address and trigger their deactivation, regardless of whether the application is registered in central identity management.
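The reconciliation step described above, as an added example that is not from the original article or from any vendor product: it matches offboarded business email addresses against per-application account exports and returns the still-active accounts that a central directory lock does not reach. The application names, the `example.com` addresses, the export fields (`auth`, `active`) and the plus-tag handling are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SaasAccount:
    app: str
    login_email: str
    auth: str      # "saml" (federated login) or "local" (password held by the provider)
    active: bool

def normalize(email):
    """Lowercase, trim, and drop a +tag so j.doe+crm@ matches j.doe@.
    Assumption: the mail system delivers plus-tagged addresses to the base mailbox."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def orphaned_accounts(offboarded, accounts, managed_apps):
    """Active accounts of offboarded users that survive a central disable."""
    gone = {normalize(e) for e in offboarded}
    findings = []
    for acc in accounts:
        if not acc.active or normalize(acc.login_email) not in gone:
            continue
        # The central lock only cascades when the app is federated AND this
        # particular account signs in through SSO rather than a local password.
        if acc.app in managed_apps and acc.auth == "saml":
            continue
        findings.append(acc)
    return sorted(findings, key=lambda a: (a.app, a.login_email))

# Constructed sample data: HR offboarding list, apps bound to the IdP, app exports.
OFFBOARDED = ["J.Doe@example.com", "a.smith@example.com"]
MANAGED_APPS = {"crm-suite"}
ACCOUNTS = [
    SaasAccount("crm-suite", "j.doe@example.com", "saml", True),           # covered by central lock
    SaasAccount("crm-suite", "a.smith@example.com", "local", True),        # local login on a managed app
    SaasAccount("design-tool", "j.doe+design@example.com", "local", True), # shadow SaaS
    SaasAccount("design-tool", "b.lee@example.com", "local", True),        # current employee
    SaasAccount("survey-app", "a.smith@example.com", "local", False),      # already disabled
]

if __name__ == "__main__":
    for acc in orphaned_accounts(OFFBOARDED, ACCOUNTS, MANAGED_APPS):
        print(f"DEACTIVATE {acc.app}: {acc.login_email} (auth={acc.auth})")
```

The second finding shows a case the central inventory alone misses: an application can be federated and still hold a local-password account for the same person.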
Source: www.it-daily.net · Published 11 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.