Someone leaves the company on a Friday. By Monday, their email is disabled and their laptop is back in the pile. What nobody checks is their login to the project management tool they signed up for in Q3, the cloud storage folder they shared with a contractor, or the CRM access they still have from two roles ago. Three months later, those sessions are still active. This is how zombie accounts form โ€” not through negligence, but through an offboarding process built around corporate IT assets that no longer reflects how people actually use software. The average company now runs more than 100 SaaS applications. Most offboarding checklists were written when there were three. This is a real, underappreciated problem for small businesses across McAllen and the Rio Grande Valley.

What a Zombie Account Actually Is

A zombie account is an active login that belongs to someone who no longer works for you. What makes these accounts particularly dangerous is that they are valid credentials โ€” there is nothing to detect, no failed logins, no unusual activity. The access was granted intentionally, and the system has no reason to question it. Industry research finds that 50% of organizations have discovered former employees still accessing SaaS applications months after their departure date. For most, the discovery was accidental.

The Three Apps Where Access Never Gets Removed

Cloud storage and collaboration tools

Google Drive, OneDrive, and Dropbox are where zombie access causes the most immediate damage. Files may be shared with a departing employee's personal account. Guest permissions granted during a project may never get cleaned up. The departure triggers a license removal in the identity provider โ€” the shared folders, external links, and personal-account shares go untouched.

Project management and CRM platforms

Tools like Asana, Monday.com, HubSpot, and Salesforce are frequently provisioned by team leads rather than IT โ€” which means the offboarding checklist has no visibility into them. A former account executive's Salesforce login can persist for months without anyone noticing.

The tools IT did not know existed

These are the tools employees signed up for using their work email โ€” a survey platform, an AI writing assistant, a data visualization tool โ€” that were never formally provisioned and never formally revoked. When the employee leaves, the account does not get disabled. It sits there, attached to a work email that may now redirect to an IT catch-all.

Running the Zombie SaaS Audit

Step 1: Build your SaaS inventory

Start by pulling a list of all SaaS applications connected to your identity provider โ€” Microsoft Entra ID, Google Workspace Admin, or Okta. Cross-reference with billing records and browser extension installs. For smaller RGV businesses without a dedicated identity platform, a 30-minute review of active subscriptions will surface most high-risk tools.

Step 2: Cross-reference against your offboarding list

Take the last 12 months of departures and check each name against the SaaS inventory. Access that is months old and belongs to someone who has left is a zombie. Flag it for immediate revocation and document what you find.

Step 3: Revoke, document, and set a review cadence

Remove the access, record what was found, then use the audit as the baseline for an offboarding checklist that covers more than the corporate email and laptop. Schedule a SaaS access review every quarter. IT Umbrella Group includes SaaS offboarding review as part of our managed IT service for McAllen-area clients.

Zombie accounts cannot be removed if no one is looking for them. The SaaS offboarding audit costs nothing except the time to run it. The cost of not running it is the silent access your former employees may have right now.

Frequently Asked Questions

How do zombie accounts differ from ordinary inactive accounts?

A zombie account belongs to someone who has left the organization โ€” meaning there is no legitimate reason for the access to continue. An inactive account may belong to a current employee who simply does not log in often.

What is the fastest way to identify zombie accounts?

Start with your identity provider. Microsoft Entra ID, Google Workspace Admin, and Okta all allow you to filter active users and connected applications by account status. Cross-referencing those lists against HR exit records will surface most gaps within a few hours.

How often should a SaaS access audit run?

Quarterly is a reasonable baseline. Any employee exit should also trigger an immediate SaaS access review as part of the offboarding checklist โ€” not just at the next scheduled audit.

Article used with permission from The Technology Press. Shared by IT Umbrella Group โ€” McAllen's managed IT partner for the Rio Grande Valley.

Questions about your cybersecurity posture?

IT Umbrella Group provides free, no-obligation IT security assessments for businesses across McAllen and the Rio Grande Valley.

Get a Free Assessment Managed IT Support