Tracking down orphaned accounts: how do you tackle 3 years of sloppy offboarding?
Getting better at offboarding from today onwards does nothing about the 23 active accounts belonging to ex-employees that are already there. Here's how to clean up that backlog without weeks of effort.
Every organisation has them: orphaned accounts. People who left years ago but are still marked as has_access in your CRM, cloud storage, or some random SaaS tool. This is how you run the clean-up operation.
The three main sources
- M365 / Google Workspace: filter on "last sign-in > 90 days" — that's usually the starting point for your list of ghost accounts.
- Individual SaaS tools: logs per tool. Trickier, because there isn't always a standard filter available.
- Shared spaces: Dropbox, SharePoint, Drive — people who are still added as an editor.
The clean-up sprint
- Day 1: pull a list from each system of accounts you're unsure about.
- Days 2–3: cross-check with HR — who is still employed and who isn't?
- Day 4: bulk-disable confirmed ex-employees, then wait 30 days before deleting.
- Day 5: document everything and create a formal offboarding record, even for employees who left years ago.
Risk flagging as a lasting solution
Implement a recurring check that reports weekly or monthly: "this person is marked inactive in HR but still has access entries in has_access". In AccessGuard, this is called orphan_access risk (sev 5) — the scanner runs this check automatically every night.
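An added example, not AccessGuard's code or part of the original article: a minimal Python version of the recurring HR-versus-access cross-check, which also applies the 90-day sign-in filter to people HR still lists as active. The record fields (`email`, `status`, `login`, `enabled`, `last_sign_in`) and all sample data are constructed assumptions standing in for your HR and per-system exports.

```python
from datetime import date

STALE_DAYS = 90  # the article's "last sign-in > 90 days" starting filter

# Constructed sample data; field names are assumptions, not a real export schema.
HR = [
    {"email": "a.jansen@example.com", "status": "active"},
    {"email": "b.devries@example.com", "status": "inactive"},
    {"email": "c.bakker@example.com", "status": "active"},
]
ACCOUNTS = [
    {"system": "m365", "login": "A.Jansen@example.com", "enabled": True, "last_sign_in": "2025-05-28"},
    {"system": "m365", "login": "b.devries@example.com", "enabled": True, "last_sign_in": "2022-11-03"},
    {"system": "crm", "login": "B.DeVries@Example.com ", "enabled": True, "last_sign_in": None},
    {"system": "drive", "login": "c.bakker@example.com", "enabled": True, "last_sign_in": "2025-01-10"},
    {"system": "crm", "login": "old.intern@example.com", "enabled": True, "last_sign_in": "2023-02-01"},
    {"system": "m365", "login": "d.smit@example.com", "enabled": False, "last_sign_in": "2021-06-30"},
]

def norm(addr):
    # Exports differ in case and stray whitespace; normalise before joining.
    return addr.strip().lower()

def days_since(last_sign_in, today):
    # None means the system recorded no sign-in at all.
    return (today - date.fromisoformat(last_sign_in)).days if last_sign_in else None

def find_orphans(hr, accounts, today):
    """Return (system, login, reason, idle_days) for every enabled account worth review."""
    status = {norm(p["email"]): p["status"] for p in hr}
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue  # already disabled: nothing left to revoke
        who = norm(acc["login"])
        idle = days_since(acc["last_sign_in"], today)
        hr_status = status.get(who)
        if hr_status == "inactive":
            reason = "orphan"      # left the company, access still live
        elif hr_status is None:
            reason = "unmatched"   # no HR record: old leaver or service account
        elif idle is None or idle > STALE_DAYS:
            reason = "stale"       # still employed, but the account is unused
        else:
            continue
        findings.append((acc["system"], who, reason, idle))
    return findings

if __name__ == "__main__":
    for row in find_orphans(HR, ACCOUNTS, date.today()):
        print(row)
```

The "unmatched" bucket needs a human decision rather than a bulk disable, since service accounts and shared mailboxes land there alongside leavers who predate the HR records.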
See also: offboarding pillar, periodic access reviews.