In offboarding, which action is essential to immediately remove access?

Immediate removal of access during offboarding hinges on stopping authentication and terminating active sessions. Disabling the user’s account blocks any new login attempts, so the person can’t access systems going forward. Revoking all tokens—such as OAuth, API keys, and session tokens—forces any currently valid tokens to become invalid, cutting off ongoing access and active sessions right away. Together, these steps prevent both future and current access, which is crucial the moment someone leaves. Other actions have important roles, but they don’t halt access immediately. Archiving data and removing the user from groups helps with data governance and least-privilege over time, but a user can still sign in if an active session remains or tokens exist. Notifying the user and assigning a successor addresses transition and communication, not access control. Updating HR records is administrative and doesn’t affect system permissions.