Deprovisioning

What is Deprovisioning?

Deprovisioning is the process of revoking a user's access rights, credentials, and system permissions when they are no longer authorized. It is the access-removal phase of the identity lifecycle, applied in full when a worker leaves and in part when they change roles. Typical triggers are employee termination, contract completion, or an internal move.

In internal operations, deprovisioning spans IT, HR, and security. IT disables accounts and recovers equipment. HR updates the HRIS and initiates the offboarding workflow. Security verifies that all access points, including SaaS applications, VPNs, and physical badges, have been closed. When these teams coordinate poorly, access gaps persist and create risk.

Deprovisioning is also distinct from deletion. In most environments, an account is first disabled, which immediately cuts off access, then retained in a deactivated state so its activity history stays available for audits and investigations. The record is only deleted later, once any legal hold or data-retention window has passed. This two-step approach is what lets a company prove, months after someone leaves, exactly when their access was cut and by whom.

Key Takeaways

  • Leaver Phase of Identity Lifecycle: Revokes all access rights and credentials when a user departs or a contract ends.
  • Mover Phase Requirement: Role changes require partial deprovisioning to remove prior-role permissions and prevent privilege creep.
  • Cross-Departmental Process: Requires synchronized action across IT, HR, and security teams to execute completely.
  • Distinct from Deletion: Revokes access but may retain the account record for audit and compliance purposes.

Why Deprovisioning Matters

Incomplete deprovisioning leaves former employees or contractors with active credentials, creating security exposure, compliance risk, and unnecessary cost.

  • Unauthorized Access Prevention: Active accounts belonging to departed users become unmonitored entry points into company systems and data.
  • Compliance Accountability: SOC 2, GDPR, and HIPAA require documented, timely access revocation for both terminated and transferred users.
  • License Cost Recovery: SaaS licenses tied to inactive accounts continue generating charges until they are formally reclaimed.
  • Audit Trail Integrity: Without timestamped revocation records, organizations cannot demonstrate access control compliance during external audits.

The danger of incomplete deprovisioning is mostly a function of time. Every hour a departed user's credentials stay live is an hour an orphaned account can be used by the former employee or by an attacker who finds it. Shrinking that window from days to minutes is the difference between a controlled exit and an open door.
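The exposure window described above can be measured by reconciling HRIS termination times against account exports from each application. The following is an added example, not code from the original page or from any vendor it mentions; the data layout, the field names, and the 15-minute SLA are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Constructed sample data (not from the page): HRIS termination times and
# per-application account exports, all timestamps in UTC ISO 8601.
HRIS_TERMINATIONS = {
    "alice@example.com": "2024-05-01T17:00:00+00:00",
    "bob@example.com": "2024-05-03T09:00:00+00:00",
}
APP_ACCOUNTS = [
    # (application, user, status, disabled_at or None)
    ("salesforce", "alice@example.com", "disabled", "2024-05-01T17:04:00+00:00"),
    ("github", "alice@example.com", "active", None),
    ("github", "bob@example.com", "disabled", "2024-05-05T10:00:00+00:00"),
    ("salesforce", "carol@example.com", "active", None),  # current employee
]

def exposure_report(terminations, accounts, now, sla_minutes=15):
    """List leaver accounts that are still live (ORPHANED) or were disabled
    later than the SLA (LATE), with the exposure window in minutes.
    sla_minutes is an assumed target, not a figure from the page."""
    findings = []
    for app, user, status, disabled_at in accounts:
        if user not in terminations:
            continue  # not a leaver; out of scope for this check
        terminated = datetime.fromisoformat(terminations[user])
        if status == "active" or disabled_at is None:
            # Still live: the window is open and keeps growing until 'now'.
            end, kind = now, "ORPHANED"
        else:
            end, kind = datetime.fromisoformat(disabled_at), "LATE"
        minutes = int((end - terminated).total_seconds() // 60)
        if kind == "ORPHANED" or minutes > sla_minutes:
            findings.append({"app": app, "user": user, "kind": kind,
                             "exposure_minutes": minutes})
    # Worst exposure first, so the open windows are handled before anything else.
    return sorted(findings, key=lambda f: -f["exposure_minutes"])

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-06T17:00:00+00:00")
    for f in exposure_report(HRIS_TERMINATIONS, APP_ACCOUNTS, now):
        print(f"{f['kind']:8} {f['app']:10} {f['user']:20} {f['exposure_minutes']} min")
```

Accounts disabled within the SLA produce no finding, so the output doubles as evidence of which revocations were late and by how much.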

Deprovisioning in Action

A 200-person SaaS company terminates an employee who had access to Salesforce, GitHub, and internal HR dashboards. HR marks the employee as terminated in BambooHR. Without automation, IT must manually check each application, revoke access individually, recover the laptop, and rotate shared credentials that the employee knew. The process takes two days across three teams.

With an automated workflow triggered by the HRIS status change, all accounts are disabled within minutes, the laptop is remotely locked, and a complete audit trail is generated without the back-and-forth across teams.

How Siit Supports Deprovisioning

Siit's AI Service Desk connects HRIS status changes to automated access revocation workflows, removing manual handoffs between HR and IT during offboarding.

  • AI Triage routes offboarding requests to the correct team based on the departing employee's role, department, and access profile.
  • AI-Powered Workflows trigger account deactivation, license reclamation, and equipment recovery steps automatically when an HRIS marks an employee as terminated.
  • Power Actions let admins revoke access in Okta, lock devices in Jamf, and disable accounts in Google Workspace directly from a single request, without switching between admin panels.
  • The 360° Employee Profile surfaces the departing user's full access history, assigned equipment, and active permissions, giving IT complete context for thorough deprovisioning.

Native integrations with Okta, Jamf, Microsoft Intune, BambooHR, and other HRIS and IAM platforms ensure deprovisioning actions execute across systems from one place, reducing the gap between an HR event and full access revocation.