Answer

What should be on a SaaS offboarding checklist?

Short answer

Every SaaS tool the departing employee had access to must be either revoked, transferred, or archived within 24 hours of their last day — and the checklist must be sourced from a live inventory, not a static document.

Details

The reason most offboarding checklists fail is that they are static — they list the 15 tools IT knew about when the checklist was written, not the 60 tools the employee actually used. A live inventory sourced from OAuth grants + billing data catches the other 45.

A complete offboarding covers: identity provider suspension, SSO app revokes, per-tool seat reclaim, shared-resource transfer (Drive files, Notion pages, GitHub repos), and API token / SSH key rotation.

The single most-missed step: rotating shared credentials the employee knew (production database passwords, deploy keys, service account passwords). If they knew it, assume it's leaked.

Steps

  1. 1Disable identity provider account (Google/Microsoft/Okta) — cuts SSO access instantly.
  2. 2For each SaaS tool: reassign owned resources, then revoke the seat.
  3. 3Rotate all shared credentials the person had access to (DB passwords, deploy keys, service accounts).
  4. 4Transfer or archive personal drives (Google Drive, OneDrive, Notion workspace).
  5. 5Revoke all personal access tokens on GitHub, Slack, and any tool with API access.
  6. 6Wait 30 days, then run a cleanup pass to catch anything the initial revoke missed.

Automate this with SeatMap.AI

The audit path above works. It also takes hours per month per tool. SeatMap.AI runs it on a schedule, stages the reclaim actions for review, and shows you the annualized savings in real dollars.

Related answers