Offboarding is the security and administrative process of removing access when an employee, contractor, or partner leaves. It includes disabling accounts, revoking tokens and API keys, collecting devices, transferring ownership of assets, and updating permissions, certificates, and secrets tied to the departing person.
It matters because leaving any trust material active creates a path for unauthorized access after the relationship ends. Attackers may exploit stale credentials, abandoned cloud roles, or signing keys that were never revoked. Defenders treat offboarding as a controlled checklist with identity, key management, logging, and approvals. Fast offboarding reduces the window for misuse, while strong audit logs help prove when access was removed and whether anything was used afterward. In mature programs, offboarding is linked to asset inventories and revocation workflows so that no access remains only because one system was forgotten.