The “Zombie” SaaS Audit: Finding the 3 Apps Your Former Employees Still Access


Someone leaves the company on a Friday. By Monday, their laptop is back on the shelf and their email is disabled. Clean. Done. Right?

Not quite.

Nobody checked the project management tool they signed up for in Q3. Or the cloud storage folder they shared with a contractor. Or the CRM access they’ve had since two roles ago. Three months later? Those sessions are still active.

This is how zombie accounts form. Not through negligence — but through an offboarding process that was built around corporate IT assets, back when that was all there was to worry about. The average company now runs more than 100 SaaS applications. Most offboarding checklists were written when there were three.

If you’re relying on your current IT Support process to catch this automatically, it’s worth checking whether it actually does.


What a Zombie Account Actually Is

A zombie account is an active login that belongs to someone who no longer works for you. The name is informal. The risk absolutely is not.

What makes zombie accounts particularly nasty is that they’re valid credentials. A sign-in with them looks like any other legitimate login, so there’s nothing for the application to flag. The access was granted intentionally, and the system has no reason to question it. If a former employee walks back in through that door, or if their credentials are compromised after they leave, the access is sitting there, waiting.

Industry research finds that 50% of organisations have discovered former employees still accessing SaaS applications months after their departure. For most of them, the discovery was accidental — not the result of a deliberate audit.

That’s a coin-flip chance you have this problem right now, and don’t know it yet.


The Three Apps Where Access Never Gets Removed

Cloud Storage and Collaboration Tools

Google Drive, OneDrive, and Dropbox are where zombie access tends to cause the most immediate damage.

These platforms are where offboarding gets messy fast. Files may be shared with a departing employee’s personal account. Guest permissions granted during a project may never get cleaned up. Folders set to “anyone with the link” may still be bookmarked and accessible long after someone walks out the door.

The departure triggers a licence removal in your identity provider. The shared folders, external links, and personal-account shares? Untouched.

Project Management and CRM Platforms

Tools like Asana, Monday.com, Notion, Jira, HubSpot, and Salesforce are frequently provisioned by team leads — not IT. Which means your offboarding checklist has no visibility into them at all.

A former account executive’s Salesforce login, or a project manager’s Notion workspace with access to company strategy documents, can sit active for months without anyone noticing. For businesses in Brisbane and Mackay managing growing teams, this tends to compound fast.

The Tools IT Didn’t Know Existed

This is the most dangerous category of all.

These are tools employees signed up for using their work email — a survey platform, an AI writing assistant, a data visualisation tool. Never formally provisioned, never formally revoked. When the employee leaves, the account doesn’t get disabled. It just sits there, attached to a work email address that may now redirect to an IT catch-all inbox nobody monitors.


Running the Zombie SaaS Audit

Step 1: Build Your SaaS Inventory

Start by pulling a list of all SaaS applications connected to your identity provider: Microsoft Entra ID, Google Workspace Admin, or Okta if you use one. Cross-reference with billing records, browser extension installs, and the sender domains of login notifications that regularly arrive in work inboxes.

To give you a sense of the scale: one 2025 SaaS security report analysed 29 million user accounts and identified nearly 24,000 distinct SaaS applications in use across its customer base — with 90% of those applications sitting outside IT’s management.

For smaller teams without a dedicated identity platform, a focused 30-minute review of active subscriptions and recent login notifications will surface most of the high-risk tools.

Step 2: Cross-Reference Against Your Offboarding List

Take the last 12 months of departures and check each name against your SaaS inventory. For each application, ask:

  • Does this platform have an admin console?
  • Can you see who is still active?
  • When did this account last log in?

Access that’s months old and belongs to someone who has left is a zombie. Flag it for immediate revocation. Document everything you find.

Step 3: Revoke, Document, and Set a Review Cadence

Remove the access. Record what was found and when. Then use the audit as the baseline for an offboarding checklist that covers far more than just the corporate email and laptop.

Going forward, enforce multi-factor authentication across all remaining active accounts, and schedule a SaaS access review every quarter. That cadence is what turns a one-time cleanup into a repeatable, defensible control. It’s the kind of process that good Managed IT or Managed Services providers build in as standard, not as an afterthought.
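The cross-reference in Steps 1 to 3 can be scripted once each admin console's user list has been exported. The sketch below is an added example, not code from the original article; the CSV column names, the idp_managed flag, and every sample row are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample: HR list of departures from the last 12 months.
DEPARTURES_CSV = """email,last_day
alex@example.com,2025-03-14
sam@example.com,2025-06-27
"""

# Constructed sample: user exports from each app's admin console, merged.
# idp_managed = "no" marks tools that were never provisioned through IT.
APP_USERS_CSV = """app,email,status,last_login,idp_managed
Salesforce,alex@example.com,active,2025-05-02,yes
Notion,Alex@Example.com,active,2025-02-20,no
Dropbox,sam@example.com,suspended,2025-06-20,yes
SurveyTool,sam@example.com,active,,no
Jira,kim@example.com,active,2025-08-01,yes
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_zombies(departures, app_users):
    """Return still-active accounts that belong to people who have left."""
    # Normalise case: SaaS tools often store the address as the user typed it.
    left = {r["email"].strip().lower(): date.fromisoformat(r["last_day"])
            for r in departures}
    findings = []
    for row in app_users:
        email = row["email"].strip().lower()
        if email not in left or row["status"].strip().lower() != "active":
            continue  # current employee, or access already revoked
        # Some consoles expose no login date; keep the account, mark unknown.
        last_login = date.fromisoformat(row["last_login"]) if row["last_login"] else None
        findings.append({
            "app": row["app"], "email": email, "last_login": last_login,
            "used_after_exit": last_login is not None and last_login > left[email],
            "idp_managed": row["idp_managed"].strip().lower() == "yes",
        })
    # Revoke first: logins after the exit date, then tools outside the IdP.
    findings.sort(key=lambda f: (not f["used_after_exit"], f["idp_managed"], f["app"]))
    return findings

if __name__ == "__main__":
    for f in find_zombies(load(DEPARTURES_CSV), load(APP_USERS_CSV)):
        print(f["app"], f["email"], f["last_login"] or "no login data",
              "USED AFTER EXIT" if f["used_after_exit"] else "dormant",
              "IdP" if f["idp_managed"] else "unmanaged")
```

Saving each quarter's findings gives the next access review a baseline to compare against.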


Making Offboarding a Security Process

Zombie accounts can’t be removed if nobody’s looking for them. That’s the whole problem — and the SaaS offboarding audit is where you start fixing it.

Whether you’re running a lean team in Mackay or scaling a business across Brisbane, the goal is the same: every exit should trigger a clean, consistent process that closes access across every tool — not just the ones IT already knew about.

Want to close the gaps in your SaaS offboarding process? Get in touch with us to run a zombie SaaS audit and build a repeatable process your team can follow on every exit.


Hi there,

We would love to hear from you!

Send us an email

Give us a call

Headquarters

Unit 4 / 789 Kingsford Smith Drive

Eagle Farm, QLD, 4009


Give us a call

1300 463 538
