What should be on a SaaS offboarding checklist?
Every SaaS tool the departing employee had access to must be either revoked, transferred, or archived within 24 hours of their last day — and the checklist must be sourced from a live inventory, not a static document.
Details
The reason most offboarding checklists fail is that they are static — they list the 15 tools IT knew about when the checklist was written, not the 60 tools the employee actually used. A live inventory sourced from OAuth grants + billing data catches the other 45.
A complete offboarding covers: identity provider suspension, SSO app revokes, per-tool seat reclaim, shared-resource transfer (Drive files, Notion pages, GitHub repos), and API token / SSH key rotation.
The single most-missed step: rotating shared credentials the employee knew (production database passwords, deploy keys, service account passwords). If they knew it, assume it's leaked.
Steps
- 1Disable identity provider account (Google/Microsoft/Okta) — cuts SSO access instantly.
- 2For each SaaS tool: reassign owned resources, then revoke the seat.
- 3Rotate all shared credentials the person had access to (DB passwords, deploy keys, service accounts).
- 4Transfer or archive personal drives (Google Drive, OneDrive, Notion workspace).
- 5Revoke all personal access tokens on GitHub, Slack, and any tool with API access.
- 6Wait 30 days, then run a cleanup pass to catch anything the initial revoke missed.
Automate this with SeatMap.AI
The audit path above works. It also takes hours per month per tool. SeatMap.AI runs it on a schedule, stages the reclaim actions for review, and shows you the annualized savings in real dollars.