Employee Offboarding Security & SOC 2 Access Control

A joiner-mover-leaver playbook for scale-ups: permission granting and removal, user access reviews, and the AI-era gaps that spreadsheets cannot close.

Employee offboarding security: revoking system access and API credentials after termination

Boards and CEOs are asking a sharper question in 2026: not only whether you were breached, but whether you still control who and what can access your systems after people leave, roles change, or AI tools multiply.

Identity is the control plane. Most scale-ups between 50 and 500 employees already run an identity provider and SSO. Many pass a first SOC 2 audit. Yet access reviews and employee offboarding security remain the controls that fail most often, usually because disabling a login is treated as full revocation.

It is not. API keys, OAuth grants, direct SaaS logins, shared service accounts, and AI tool credentials often survive the leaver workflow because none of them depend on the SSO session the IdP just ended. Auditors sample terminated employees. Enterprise buyers ask for evidence. The gap between HR's last day and IT's access removal becomes a liability.

This guide explains the joiner-mover-leaver (JML) model, what SOC 2 auditors test under access control, and how to build an operating model that does not require a twelve-month enterprise IGA program.

Quick summary

Minimum viable access governance

  • 24-hour revocation SLA from HR termination event to documented access removal
  • JML workflows owned by HR + IT/Security with named approvers for permission granting
  • Quarterly user access reviews with manager sign-off and audit trail
  • Offboarding checklist that goes beyond IdP disable: keys, OAuth, SaaS, AI tools
  • Evidence store auditors can sample: timestamps, tickets, review exports

Disabling SSO is necessary. It is not sufficient for employee offboarding security in a SaaS-heavy, AI-enabled company.

Joiner-mover-leaver explained

Joiner-mover-leaver (JML) is the identity lifecycle model every access governance program implements, whether or not it uses that label. Each HR event should trigger defined permission changes.

Phase    HR trigger                          Access action
Joiner   New hire start date                 Provision role-based access; manager approval before elevated permissions
Mover    Role, team, or department change    Remove old-role access; grant new-role access; no privilege accumulation
Leaver   Termination or last working day     Full revocation: IdP, sessions, keys, SaaS, devices, AI credentials

Manual JML breaks around 50-150 SaaS applications. That is the identity wall many scale-ups hit: spreadsheets and Slack messages cannot keep pace with hiring velocity.

SOC 2 access control: what auditors sample

Under the Trust Services Criteria, SOC 2 access control maps primarily to CC6.2 (users are registered and authorized before credentials are issued, and credentials are removed when no longer valid) and CC6.3 (access is granted, modified, and removed based on role and least privilege). Auditors routinely test:

  • Provisioning evidence - was access approved before grant?
  • Deprovisioning evidence - for 5-10 terminated users, was access removed within your documented SLA?
  • User access reviews - quarterly certifications with named approvers
  • Privileged access - admin and service accounts inventoried separately, with their own approvals and review cadence

Access reviews are among the most commonly failed controls in SOC 2 audits, not because companies lack policy, but because evidence is scattered across spreadsheets, email threads, and tools that were never connected to HR dates.

Write your revocation SLA into policy (typically 24 hours), then prove it per sampled employee with three timestamps: the termination time in the HRIS, the deactivation event in the IdP log, and the downstream system tickets for non-SSO access. A checklist marked done in a chat channel is not evidence.

Employee onboarding security checklist

Permission granting deserves the same discipline as removal. The anti-pattern is "copy the last hire's access", which imports stale privileges along with the audit findings attached to them.

  • Role template per job family (engineering, sales, finance) with least privilege defaults
  • Manager approval for any access outside the template
  • Time-bound elevation for production or admin access where possible
  • Documented start date in HRIS as the provisioning trigger
  • No shared accounts for new hires; personal identity only
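The JML table and the onboarding checklist above describe the same operation three times: compute what a person should hold (the role template plus any approved, time-bound exceptions), then grant the difference and revoke everything else. The following is an added example of that reconciliation, not code from the original page. The role templates, entitlement names, users and dates are hypothetical; what matters is that a leaver is simply the case where the target set is empty, and that every revocation is labelled with why it happens, so the resulting ticket explains itself to a reviewer.

```python
"""Joiner-mover-leaver reconciliation against role templates.

Added example; not code from the original page. Role templates,
entitlement names, users and dates are hypothetical. The logic is the
point: target = template(new role) + unexpired approved exceptions,
and every entitlement currently held outside the target is revoked.
"""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical least-privilege templates per job family ("system:role").
ROLE_TEMPLATES = {
    "engineering": {"github:member", "aws:developer", "jira:user", "slack:member"},
    "sales": {"crm:user", "jira:user", "slack:member"},
    "finance": {"erp:user", "crm:readonly", "slack:member"},
}


@dataclass(frozen=True)
class ApprovedGrant:
    """Manager-approved entitlement outside the template; always time-bound."""
    entitlement: str
    approved_by: str
    expires: date


@dataclass
class AccessPlan:
    grant: set = field(default_factory=set)
    revoke: set = field(default_factory=set)
    # Breakdown of `revoke`, so the ticket states why each removal happens:
    inherited: set = field(default_factory=set)   # came with the old role only
    expired: set = field(default_factory=set)     # approved exception past its expiry
    unapproved: set = field(default_factory=set)  # no template, no approval: an audit finding


def reconcile(current, new_role, approved=(), old_role=None, today=None):
    """Plan the grants and revocations that move `current` to `new_role`.

    Joiner: current is empty.  Mover: old_role and new_role differ.
    Leaver: new_role is None, so the target set is empty and everything
    held is revoked, whatever approvals are still in date.
    """
    today = today or date.today()
    in_date = {g.entitlement for g in approved if g.expires >= today}
    lapsed = {g.entitlement for g in approved if g.expires < today}
    target = (ROLE_TEMPLATES[new_role] | in_date) if new_role else set()

    plan = AccessPlan()
    plan.grant = target - set(current)
    plan.revoke = set(current) - target
    old_template = ROLE_TEMPLATES.get(old_role, set())
    plan.inherited = plan.revoke & old_template
    plan.expired = (plan.revoke & lapsed) - plan.inherited
    plan.unapproved = plan.revoke - plan.inherited - plan.expired
    return plan


if __name__ == "__main__":
    # Mover: engineer to sales, holding a lapsed prod-admin exception and a
    # stray ERP role that was copied from a previous hire (both hypothetical).
    held = {"github:member", "aws:developer", "jira:user", "slack:member",
            "aws:prod-admin", "erp:user"}
    ok = [ApprovedGrant("aws:prod-admin", "cto@example.com", date(2026, 1, 31))]
    plan = reconcile(held, "sales", ok, old_role="engineering", today=date(2026, 3, 1))
    for name in ("grant", "inherited", "expired", "unapproved"):
        print(f"{name:>10}: {sorted(getattr(plan, name))}")
```

Approved exceptions carry across a role change until they expire; a stricter policy that re-approves everything on a move is the same call with an empty `approved` list. The `unapproved` set is the one to watch in a review: it is exactly the accumulated privilege that "copy the last hire's access" produces.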

Onboarding and offboarding should mirror each other: if you cannot explain how access was granted, you cannot defend how it was removed.

Employee offboarding security checklist

Treat leaver events as incident-prevention workflows, not HR paperwork follow-up.

  1. Identity provider - disable the account; terminate active SSO sessions and revoke refresh tokens the IdP has issued
  2. VPN and network - revoke certificates and device trust
  3. Email and collaboration - mailbox handling per policy; transfer ownership of shared drives
  4. Code and cloud - revoke GitHub/GitLab access, personal access tokens, OAuth app authorizations tied to the account, and AWS/GCP/Azure IAM users and keys
  5. SaaS applications - deprovision via SSO where integrated; manual removal for shadow apps
  6. Shared credentials - rotate every shared secret the employee could read, including vault entries and service account passwords
  7. Physical and MDM - collect devices; remote wipe if BYOD policy applies
  8. AI tool credentials - revoke API keys for ChatGPT, Copilot, internal agents, and automation platforms

Run a pre-departure discovery for senior or privileged roles: map non-SSO access before the last day so revocation is same-day, not discovered in an audit sample three months later.

Quarterly user access reviews

A user access review is a periodic certification that each account still needs its permissions. For SOC 2 and ISO 27001, quarterly reviews are the practical standard.

Effective reviews include:

  • export of users and roles per critical system (IdP, production cloud, finance, CRM)
  • manager or system owner attestation with date and name
  • remediation tickets for excessive or orphaned accounts
  • retention of signed exports for the audit period

Automated access review tools help at scale, but the operating model matters more than the vendor: who owns the review, who signs, what happens when someone does not respond.
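The auditor tests listed earlier (was access removed within the SLA for each sampled leaver?), the offboarding checklist (which non-SSO credentials outlived the IdP disable?) and the review steps above (which accounts are orphaned?) reduce to two joins against the HRIS. The following is an added example of those joins, not code from the original page. Every record is constructed and the record shapes are simplified; a real run would read the HRIS, the IdP audit log and per-system credential exports instead of the inline lists.

```python
"""Leaver evidence: revocation SLA per terminated user, plus credentials
that outlived the IdP disable.

Added example; not code from the original page. All records are
constructed and their shapes are simplified (a real run reads the
HRIS, the IdP audit log and per-system credential exports). The joins
and the 24-hour check are the point.
"""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)


def ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed HRIS export: the system of record for leaver dates.
HRIS = [
    {"email": "ana@example.com", "status": "active", "terminated_at": None},
    {"email": "bo@example.com", "status": "terminated", "terminated_at": "2026-02-02T17:00:00"},
    {"email": "cy@example.com", "status": "terminated", "terminated_at": "2026-02-10T09:00:00"},
    {"email": "eli@example.com", "status": "terminated", "terminated_at": "2026-02-20T12:00:00"},
]

# Constructed IdP audit events (simplified; not any vendor's schema).
IDP_EVENTS = [
    {"event": "user.deactivate", "actor": "hris-sync", "target": "bo@example.com", "at": "2026-02-02T18:30:00"},
    {"event": "user.deactivate", "actor": "itadmin", "target": "cy@example.com", "at": "2026-02-12T14:00:00"},
    {"event": "user.login", "actor": "ana@example.com", "target": "ana@example.com", "at": "2026-02-21T08:00:00"},
]

# Constructed inventory of non-SSO credentials. `owner` is the human the
# credential is attributed to; None means nobody claims it.
CREDENTIALS = [
    {"system": "aws-iam-key", "id": "AKIAEXAMPLE0001", "owner": "bo@example.com", "active": True, "last_used": "2026-02-20T03:00:00"},
    {"system": "github-pat", "id": "ghp_example1", "owner": "cy@example.com", "active": False, "last_used": None},
    {"system": "openai-api-key", "id": "sk-example-1", "owner": "cy@example.com", "active": True, "last_used": "2026-02-11T10:00:00"},
    {"system": "aws-iam-key", "id": "AKIAEXAMPLE0002", "owner": "dex@example.com", "active": True, "last_used": None},
    {"system": "automation-agent", "id": "agent-42", "owner": None, "active": True, "last_used": "2026-02-25T00:00:00"},
]


def deactivation_times(events):
    """Earliest IdP deactivation per user; that timestamp is the SLA evidence."""
    out = {}
    for e in events:
        if e["event"] != "user.deactivate":
            continue
        t = ts(e["at"])
        if e["target"] not in out or t < out[e["target"]]:
            out[e["target"]] = t
    return out


def sla_evidence(hris, events, sla=SLA):
    """One row per terminated user: HRIS time, IdP time, elapsed hours, pass/fail."""
    deact = deactivation_times(events)
    rows = []
    for p in hris:
        if p["status"] != "terminated":
            continue
        term = ts(p["terminated_at"])
        done = deact.get(p["email"])
        hours = (done - term).total_seconds() / 3600 if done else None
        rows.append({"email": p["email"], "terminated_at": term, "idp_deactivated_at": done,
                     "hours": hours, "sla_met": done is not None and done - term <= sla})
    return rows


def surviving_credentials(hris, creds):
    """Active credentials with no active human owner, flagged if used after exit."""
    active = {p["email"] for p in hris if p["status"] == "active"}
    left_at = {p["email"]: ts(p["terminated_at"]) for p in hris if p["status"] == "terminated"}
    findings = []
    for c in creds:
        if not c["active"]:
            continue
        owner = c["owner"]
        if owner is None:
            reason = "unowned service credential"
        elif owner in active:
            continue
        elif owner in left_at:
            used = c["last_used"] and ts(c["last_used"]) > left_at[owner]
            reason = "used after termination" if used else "owner terminated"
        else:
            reason = "owner not in HRIS"
        findings.append({**c, "reason": reason})
    return findings


if __name__ == "__main__":
    for r in sla_evidence(HRIS, IDP_EVENTS):
        print(f"{r['email']:<16} hours={r['hours']!s:>6} sla_met={r['sla_met']}")
    for f in surviving_credentials(HRIS, CREDENTIALS):
        print(f"{f['system']:<16} {f['id']:<16} {f['owner']!s:<16} {f['reason']}")
```

Two details carry the weight here. A terminated user with no deactivation event at all (eli in the constructed data) is a missed SLA, not a missing row, so the report cannot quietly pass by omission. And a credential whose last use postdates the owner's termination is a different finding from one that merely still exists: the first is a potential incident and belongs in the incident queue, the second is a remediation ticket. Running the same two functions on the quarterly exports, with no terminated users in scope, gives the orphaned-account list the review needs.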

Shadow AI and access control in 2026

AI adoption has reframed insider risk. Tools that employees connect to corporate data often sit outside SSO. API keys for models and agents persist after password resets and IdP disables. Retired automations keep their service account access until someone removes it.

Shadow AI access control should extend your JML model:

  • maintain a registry of sanctioned AI tools and approved use cases
  • prohibit static API keys where workload identity is available
  • include AI platforms in offboarding and quarterly access reviews
  • apply leaver treatment when an agent is decommissioned: credentials revoked, access audited, closure documented

Boards increasingly ask four questions: how many agents run, what credentials they use, who monitors them, and what happens when they are retired. If your team cannot answer with specificity, that is the finding to fix before an enterprise security questionnaire does it for you.

Operating model for 50-500 employees

You do not need SailPoint on day one. You need named ownership and repeatable evidence.

Function            Owns
HR / People         System of record for joiner-mover-leaver dates; triggers workflows
IT / Security       IdP, SSO, access policy, review cadence, evidence collection
Engineering lead    Production access, API keys, CI/CD, AI tool inventory
Managers            Approve grants; certify quarterly reviews for their teams
Executive sponsor   Escalation when SLA missed; board-ready summary for audits

In practice, one overloaded IT manager often holds four of these hats. That is when an enterprise deal, SOC 2 Type II renewal, or post-incident review makes interim IT governance leadership the fastest path to audit-ready operations.

See how controlled access was implemented in production: DataPro case study. For methodology, see the SpecialOps Framework.

FAQ

How quickly must access be revoked for SOC 2?

Auditors typically expect removal within 24 hours of termination. Document the SLA and keep IdP and ticket timestamps that prove compliance for each sampled employee.

What is joiner mover leaver?

JML is the identity lifecycle: Joiner on hire, Mover on role change, Leaver on exit. Each event should trigger defined permission granting or removal tied to HRIS data.

Is disabling the IdP account enough for offboarding?

No. API keys, OAuth tokens, direct SaaS logins, shared accounts, and AI credentials often remain active. Complete employee offboarding security must cover non-SSO paths.

What is a user access review?

A periodic certification, usually quarterly, in which owners confirm each account still needs its access. It is a core SOC 2 test and a frequent audit failure point when there is no signed evidence.

How do AI tools change employee offboarding security?

Employees connect sanctioned and shadow AI tools with credentials that survive IdP disable. Offboarding must include AI API key revocation and the same leaver process for retired automation agents.

Audit in six weeks and nobody owns access operations?

When JML, access reviews, and SOC 2 evidence need an executive owner-not another spreadsheet-an interim CIO can operationalize the model in 30-90 days and hand off to your permanent hire.