How do you deprovision access for a terminated employee?

When a termination occurs, the goal is to cut off all access quickly while preserving needed records and securing assets. The correct approach starts by disabling the user’s account so they cannot log in. Next, remove them from all groups to strip any inherited permissions. After that, revoke tokens and active sessions so there’s no ongoing connection to services, apps, or APIs. Archiving data ensures you keep necessary records for compliance, audits, or business needs without leaving the account active. Finally, collect devices to secure hardware and prevent data leakage. Other options fail because deleting the account and ignoring data retention breaks audit trails and compliance requirements. Reassigning access to another person without revoking tokens leaves active credentials that could be misused. Keeping all access active poses a serious security risk, potentially allowing ongoing unauthorized data access.