• 484-331-1083
  • info@solve-it-sol.com
SolveIT_Logo_Wide_White2SolveIT_Logo_Wide_White2SolveIT_Logo_Wide_White2SolveIT_Logo_Wide_White2
  • SERVICES
    • Level Up Managed Service Programs
    • Business Recovery Services
    • Complete IT
    • Co-Managed IT Services
    • Managed IT Services for Your Apple Devices
    • Cyber Security
    • Network Solutions
    • Microsoft 365
  • HARDWARE
    • IT Equipment & Software Sales
    • VoIP Phone Systems
  • ABOUT US
    • Our Leadership Team
  • MEDIA
    • Blog
  • CONTACT US
    • REMOTE SUPPORT
  • CLIENT PORTAL
✕

The “Zombie” SaaS Audit: Finding the 3 Apps Your Former Employees Still Access

Published by Website Administrator at June 20, 2026
Free Detailed view of a silver laptop showing keyboard and multiple ports. Stock Photo

Someone leaves the company on a Friday. By Monday, their email account is disabled, and their laptop is back in the pile.

What nobody checks is their login to the project management tool they signed up for in Q3, the cloud storage folder they shared with a contractor, or the CRM access they still have from two roles ago. 

Three months later, those sessions are still active.

This is how zombie accounts form. nNot through negligence, but through an offboarding process built around corporate IT assets that no longer reflects how people actually use software. 

The average company now runs more than 100 SaaS applications. Most offboarding checklists were written when there were three.

What a Zombie Account Actually Is

A zombie account is an active login that belongs to someone who no longer works for you. The name is informal. The risk is not.

What makes zombie accounts particularly dangerous is that they are valid credentials.

There is nothing to detect. The access was granted intentionally, and the system has no reason to question it. If a former employee walks back in through that door, or if their credentials are compromised after they leave, the access is there waiting.

Industry research finds that 50% of organizations have discovered former employees still accessing SaaS applications months after their departure date.

For most of those organizations, the discovery was accidental rather than the result of a deliberate audit.

The Three Apps Where Access Never Gets Removed

Cloud storage and collaboration tools

Google Drive, OneDrive, and Dropbox are where zombie access causes the most immediate damage. 

These platforms are where offboarding gets messy. Files may be shared with a departing employee’s personal account. Guest permissions granted during a project may never get cleaned up. And folders set to “anyone with the link” access may still be bookmarked.

The departure triggers a license removal in the identity provider. The shared folders, external links, and personal-account shares go untouched.

Project management and CRM platforms

Tools like Asana, Monday.com, Notion, Jira, HubSpot, and Salesforce are frequently provisioned by team leads rather than IT. That means the offboarding checklist has no visibility into them. 

A former account executive’s Salesforce login, or a project manager’s Notion workspace with access to company strategy documents, can persist for months without anyone noticing.

The tools IT didn’t know existed

This is the most dangerous category. 

These are the tools employees signed up for using their work email. A survey platform. An AI writing assistant. A data visualisation tool. They were never formally provisioned, and they were never formally revoked.

When the employee leaves, the account does not get disabled. It sits there, attached to a work email address that may now redirect to an IT catch-all.

Running the Zombie SaaS Audit

Step 1: Build your SaaS inventory

Start by pulling a list of all SaaS applications connected to your identity provider: Microsoft Entra ID, Google Workspace Admin, or Okta, if you use one. 

Cross-reference with billing records, browser extension installs, and email domains showing regular login notifications.

Grip Security’s 2025 SaaS Security Risks Report, analyzing 29 million user accounts, identified 23,987 distinct SaaS applications in use across its customer base. That’s far more than any IT team tracks manually.

Of those applications, 90% remained outside IT’s management. 

For smaller teams without a dedicated identity platform, a 30-minute review of active subscriptions and recent login notifications will surface most of the high-risk tools.

Step 2: Cross-reference against your offboarding list

Take the last 12 months of departures and check each name against the SaaS inventory. 

For each application, ask: 

  • Does this platform have an admin console? 
  • Can you see who is still active? 
  • When did this account last log in?

Access that is months old and belongs to someone who has left is a zombie. Flag it for immediate revocation. Document what you find.

Step 3: Revoke, document, and set a review cadence

Remove the access. Record what was found and when. Then use the audit as the baseline for an offboarding checklist that covers more than the corporate email and laptop. 

Going forward, enforce multi-factor authentication on all remaining active accounts and schedule a SaaS access review every quarter. 

That cadence turns a one-time cleanup into a repeatable control.

Making Offboarding a Security Process

Zombie accounts cannot be removed if no one is looking for them. The SaaS offboarding audit is the starting point.

Want to close the gaps in your SaaS offboarding process? 

Contact us or schedule a consultation to run a zombie SaaS audit and build a repeatable process your team can follow on every exit.

—

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Share

Website Administrator

501 N Park Road
Wyomissing, PA 19610

PHONE: 484-331-1083
info@solve-it-sol.com

SUPPORT

Remote Support
Client Portal
Contact Us

PARTNERS

 

FOLLOW US

Facebook
X (Twitter)
LinkedIn
Instagram
TM & © 2024 Solve IT Solutions, LLC
Privacy Policy
Commitment to Security and Privacy
Client Portal
  • Consent
  • Details
  • About Cookies

This website uses cookies

We use cookies to enhance your browsing experience, service personalized ads or content, and analyze our traffic. By clicking "Accept All" you consent to our use of cookies

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Analytics & Performance

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

Cookies are small text files that can be used by websites to make a user's experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This means that cookies which are categorized as necessary, are processed based on GDPR Art. 6 (1) (f). All other cookies, meaning those from the categories preferences and marketing, are processed based on GDPR Art. 6 (1) (a) GDPR.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

You can at any time change or withdraw your consent from the Cookie Declaration on our website.

Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy.

Please state your consent ID and date when you contact us regarding your consent.

Deny Customize Allow selected Allow all