Onboarding–offboarding parity: the best test for your IAM
If onboarding does something, offboarding should undo it. When that parity breaks down, orphaned accounts pile up — often going unnoticed for years.
A solid offboarding process is the mirror image of your onboarding. Every step taken when someone joins should have a counterpart when they leave. Where that symmetry is missing, you end up with orphaned accounts.
Parity examples
- Onboarding: create M365 account → Offboarding: disable + delete after 30 days.
- Onboarding: grant access to SharePoint team "Sales" → Offboarding: remove from Sales group.
- Onboarding: assign hardware → Offboarding: return hardware.
- Onboarding: apply access profile "Sales role" → Offboarding: revoke profile.
- Onboarding: add to shared vaults → Offboarding: remove ACL entries, rotate passwords.
The parity test
Go through your onboarding checklist line by line and ask for each item: "What is the offboarding equivalent, and is it explicitly covered in our procedure?" Wherever you hesitate, you have a gap.
Where parity tends to break down
- SaaS tools added along the way that made it into the onboarding checklist but never into the offboarding one.
- Temporary access ("I'll make you admin for just one day") that was never revoked.
- Ad-hoc shared folders set up during onboarding that aren't tied to a group.
How to close the gaps
Run an annual walkthrough: go through the onboarding process as if you're starting from scratch, paying close attention to anything that has no offboarding counterpart. Document the gaps and automate wherever you can.
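One way to automate the parity test, covering both the checklist walk-through and the break-down cases listed above. This is an added example, not part of the original article; the `Step` model, the action vocabulary in `REQUIRED_INVERSE`, and all resource names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    action: str    # what was done, e.g. "create", "grant"
    resource: str  # what it was done to, e.g. "m365:account"

# Assumed vocabulary: offboarding actions that together undo an onboarding action.
REQUIRED_INVERSE = {
    "create": {"disable", "delete"},   # disable first, delete after retention
    "grant": {"revoke"},
    "assign": {"return"},
    "add_to_vault": {"remove_acl", "rotate_password"},
}

def parity_gaps(granted, offboarding):
    """Map each granted step to the inverse actions the offboarding procedure lacks."""
    done = {}
    for s in offboarding:
        done.setdefault(s.resource, set()).add(s.action)
    gaps = {}
    for step in granted:
        # Unknown actions fail closed: they always show up as a gap.
        required = REQUIRED_INVERSE.get(step.action, {"undefined-inverse"})
        missing = required - done.get(step.resource, set())
        if missing:
            gaps[step] = missing
    return gaps

# Constructed sample data, modelled on the parity examples in this article.
ONBOARDING = [
    Step("create", "m365:account"),
    Step("grant", "sharepoint:Sales"),
    Step("assign", "hardware:laptop"),
    Step("add_to_vault", "vault:sales-shared"),
    Step("grant", "saas:crm-tool"),          # SaaS tool added along the way
]
AD_HOC = [
    Step("grant", "m365:admin-role"),        # "admin for just one day"
    Step("grant", "folder:ad-hoc-share"),    # shared folder not tied to a group
]
OFFBOARDING = [
    Step("disable", "m365:account"), Step("delete", "m365:account"),
    Step("revoke", "sharepoint:Sales"),
    Step("return", "hardware:laptop"),
    Step("remove_acl", "vault:sales-shared"),  # password rotation forgotten
]
if __name__ == "__main__":
    for step, missing in parity_gaps(ONBOARDING + AD_HOC, OFFBOARDING).items():
        print(f"GAP {step.action} {step.resource}: missing {sorted(missing)}")
```

Feeding it the grants actually recorded for a user, rather than only the checklist, is what surfaces the ad-hoc and temporary access that never made it into either procedure.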
See also: onboarding IT checklist, offboarding pillar.