
Identity Deprovisioning

Identity Deprovisioning is the process of removing user accounts and revoking access rights when someone leaves the organization, changes roles, or no longer needs specific permissions. It is the operational counterpart to provisioning, and it should undo access as quickly as provisioning grants it.

# WHAT TEAMS RUN INTO

  • Deprovisioning is slow and incomplete. It can take weeks to revoke all access after someone leaves, and some access is forgotten entirely — creating dormant accounts that become security risks.

  • Some systems don't support deprovisioning. Legacy applications have no API to remove users, so admins must do it manually or leave the access in place.

  • Revocation doesn't propagate instantly. An IdP revokes a token, but cached copies of that token keep working for hours. The user thinks they're locked out but still has access.
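
A reconciliation check for the first two problems above, as an added example that is not NewCore's code: it compares a list of departed users against per-system account exports and reports accounts that are still enabled, how long they have been exposed, and whether cleanup has to be manual. All users, system names, dates and the `MANUAL_ONLY` set are constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR leave dates and per-system account exports.
TERMINATED = {"alice": date(2024, 3, 1), "bob": date(2024, 3, 20)}
ACCOUNTS = [  # (system, username, enabled, last_login)
    ("idp", "alice", False, date(2024, 2, 28)),
    ("legacy-erp", "alice", True, date(2024, 3, 9)),
    ("wiki", "Bob", True, date(2024, 3, 18)),
    ("wiki", "carol", True, date(2024, 4, 1)),
    ("idp", "svc-backup", True, None),
]
# Hypothetical set of systems with no user-removal API (manual cleanup).
MANUAL_ONLY = {"legacy-erp"}


def find_orphans(terminated, accounts, today, manual_only=frozenset()):
    """Return enabled accounts that belong to users who have already left."""
    findings = []
    for system, user, enabled, last_login in accounts:
        # Usernames often differ in case between systems, so normalize.
        left_on = terminated.get(user.lower())
        if left_on is None or not enabled or left_on > today:
            continue
        findings.append({
            "system": system,
            "user": user.lower(),
            "days_exposed": (today - left_on).days,
            # A login after the leave date means the access was actually used.
            "used_after_exit": last_login is not None and last_login > left_on,
            "action": "manual" if system in manual_only else "api",
        })
    # Worst first: access used after exit, then longest exposure.
    return sorted(findings,
                  key=lambda f: (not f["used_after_exit"], -f["days_exposed"]))


if __name__ == "__main__":
    for finding in find_orphans(TERMINATED, ACCOUNTS, date(2024, 4, 2), MANUAL_ONLY):
        print(finding)
```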

# WHY IT MATTERS

Deprovisioning is where access control actually gets enforced. Provisioning can be optimistic — grant access generously and clean it up later. But if deprovisioning fails, every departed employee and every role change leaves behind access debt. Every access decision is a security decision — the decision to revoke access is just as important as the decision to grant it.
