How should you differentiate a cancelled user from a terminated employee in access control?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

How should you differentiate a cancelled user from a terminated employee in access control?

Explanation:
When thinking about access control, the distinction between deactivating an identity and removing it entirely from systems is key. A cancelled user is an identity that is deactivated—access is blocked, but the account and its data may still exist in the system for potential reactivation or record-keeping. A terminated employee, on the other hand, has left the organization and must be deprovisioned immediately from all systems to prevent any post-employment access. The best answer reflects that policies should clearly cover both scenarios and require prompt revocation of credentials and access. This means disabling logins, revoking tokens, removing from groups, terminating sessions, and also addressing any physical access, while ensuring the process is swift and auditable. The other choices fall short because they either treat cancellation and termination as the same event, or describe cancellation as only a temporary pause, which does not capture the need for timely, comprehensive revocation when employment ends.

