Most businesses remove a departing employee’s email access quickly, but leave their SaaS access scattered across other tools. Zombie accounts are the leftover logins, tokens, and permissions that remain active after someone leaves or changes roles. A practical SaaS offboarding audit finds where these accounts hide and closes them before they turn into a security incident.
Someone leaves the company on a Friday. By Monday, their email is disabled and their laptop is back in the stack.
What nobody checks is the project management tool they signed up for last quarter, the cloud storage folder shared with a contractor, or the CRM login they’ve carried through two role changes. Three months later, those sessions are still live.
This is how zombie accounts form — not through negligence, but through an offboarding process built around hardware and email that hasn’t caught up with how modern teams actually use software.
The average business now runs over 100 SaaS applications. Most offboarding checklists were written when there were three.
When “Deactivated” Doesn’t Mean “Gone”
A zombie account is an active login belonging to someone who no longer works for you. The term is informal. The exposure it represents is not.
What makes these accounts especially problematic is that they carry valid credentials. There’s nothing anomalous to flag. The access was granted intentionally, and the system has no reason to question a legitimate login — even if the person behind it left months ago.
Industry research shows that half of all organizations have discovered former employees still accessing SaaS applications well after their departure. In most cases, the discovery was accidental, not the result of a deliberate review.
The Three Places Access Gets Left Behind
File sharing and collaboration platforms
Google Drive, OneDrive, and Dropbox are where zombie access tends to do the most immediate damage. Files shared with a personal account, guest permissions from a finished project, and folders set to open-link access can all survive a license removal in the identity provider. The official account gets deprovisioned; everything attached to it quietly stays open.
Business apps provisioned outside of IT
Tools like Asana, Notion, HubSpot, Jira, and Salesforce are often set up by team leads, not IT. That means they don’t appear on the standard offboarding checklist. A former account executive’s CRM login or a project manager’s workspace containing company strategy can sit untouched for months with no one noticing.
Shadow apps IT never knew existed
This is the highest-risk category. Employees routinely sign up for tools — survey platforms, AI assistants, data tools — using their work email without IT involvement. These accounts are never formally provisioned, so they’re never formally revoked. When the employee leaves, the account remains, attached to an address that may now redirect to an IT catch-all inbox.
How to Run the Audit
Map what you’re actually running
Pull a full list of SaaS applications connected to your identity provider — Microsoft Entra ID, Google Workspace Admin, or Okta. Cross-reference against billing records, browser extensions, and login notification emails.
The scale of shadow IT is larger than most teams expect. A 2025 report analyzing 29 million user accounts found nearly 24,000 distinct SaaS applications in use — with 90% sitting outside IT management. For smaller teams, a focused 30-minute review of subscriptions and recent login activity will surface most of the high-risk tools.
Match departures against active accounts
Take the past 12 months of exits and check each name against your SaaS inventory. For each application, ask: Does it have an admin console? Can you see who’s still active? When did each account last log in? Any stale, still-active account that belongs to a former employee is a zombie. Flag it, revoke it, document it.
Build the process so it repeats
Use the audit as a baseline for an offboarding checklist that goes beyond email and hardware. Enforce MFA on all remaining active accounts and schedule a quarterly SaaS access review. That cadence turns a one-time cleanup into a repeatable control.
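The matching step above, worked as an added Python example that is not from the original post: it cross-references a constructed HR exit report against constructed per-app user exports (the column shape is an assumption; real admin-console exports differ per vendor), flags active accounts of departed people as zombies, notes any login after the exit date, and separately flags active accounts nobody has used within a stale window.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample HR exit report: work email -> last working day.
HR_EXITS = {
    "alice@example.com": date(2025, 3, 14),
    "bob@example.com": date(2025, 9, 1),
}

# Constructed per-app user exports as (app, email, status, last_login).
# The column shape is an assumption; real admin-console exports differ per vendor.
APP_USERS = [
    ("CRM", "Alice@Example.com", "active", date(2025, 6, 2)),
    ("CRM", "carol@example.com", "active", date(2025, 11, 20)),
    ("ProjectTool", "bob@example.com", "active", None),
    ("ProjectTool", "alice@example.com", "deactivated", date(2025, 3, 10)),
    ("FileShare", "dave@example.com", "active", date(2025, 1, 5)),
]

@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    reason: str

def audit(app_users, hr_exits, today, stale_after_days=90):
    """Return findings for active accounts that belong to departed people
    (zombies) or that nobody has used within stale_after_days."""
    exits = {e.strip().lower(): d for e, d in hr_exits.items()}
    findings = []
    for app, email, status, last_login in app_users:
        if status.lower() != "active":
            continue  # already deprovisioned in this app
        email = email.strip().lower()  # exports often differ in case from HR data
        exit_day = exits.get(email)
        if exit_day is not None and exit_day <= today:
            reason = "zombie: departed " + exit_day.isoformat()
            if last_login is not None and last_login > exit_day:
                # A login after the exit date is the case the text warns about.
                reason += "; logged in after exit on " + last_login.isoformat()
            findings.append(Finding(app, email, reason))
        elif last_login is None or (today - last_login).days > stale_after_days:
            findings.append(Finding(app, email, "stale: no login in %d days" % stale_after_days))
    return sorted(findings, key=lambda f: (f.app, f.email))

def sample_findings(today_iso="2025-12-01"):
    """Run the audit over the constructed data as of the given date."""
    return audit(APP_USERS, HR_EXITS, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for f in sample_findings():
        print(f.app, f.email, f.reason)
```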
Offboarding Is a Security Function
Zombie accounts can’t be removed if no one is looking for them. The SaaS audit is the starting point — and the thing that makes every future exit cleaner than the last.
Want to close the gaps in your offboarding process? Contact us to run a zombie SaaS audit and build a checklist your team can follow on every exit.
Common Questions
How is a zombie account different from just an inactive one?
A zombie account belongs to someone who has left the organization entirely — there’s no legitimate reason for that access to exist. An inactive account may still belong to a current employee. Both carry risk, but zombie accounts carry the added exposure of sitting entirely outside the business.
What’s the quickest way to find them?
Start with your identity provider. Entra ID, Google Workspace, and Okta all let you filter active accounts and connected apps by status. Cross-referencing against HR exit records from the last 12 months will surface most gaps in a few hours.
Do shared logins create the same problem?
Yes — and they’re harder to clean up because the access can’t easily be attributed to one person. Shared logins should be replaced with individual accounts wherever a platform allows it, both for the audit trail and for clean offboarding.
How often should this review happen?
Quarterly is a solid baseline. Any employee departure should also trigger an immediate SaaS access review as part of offboarding, rather than waiting for the next scheduled cycle.