The SaaS Zombie Account Audit: Who Still Has Access to Your Business?
Someone leaves your company on a Friday. By Monday their email is disabled, and their laptop is back in the pile. What nobody checks is their login to the project management tool, the cloud storage folder, or the CRM access they’ve had since a previous role. Three months later those sessions are still active. Here’s how to find them and close them.
Most Massachusetts businesses do a reasonable job of removing a departing employee’s email access. The email gets disabled. The laptop comes back. HR updates the records. Done.
What almost nobody checks, and what we find on almost every user review, is the access that isn’t tied to the email account. The project management tool someone signed up for in Q3, the cloud storage folder shared with an external contractor, or even the CRM login that carried over from a previous role two years ago.
Three months later those sessions are still active. The person who holds them no longer works for you. That’s a zombie account and the risk it creates is real.
What is a zombie account?
A zombie account is an active login that belongs to someone who no longer works for your business. What makes it dangerous is that it is a valid credential. Nothing looks wrong at the authentication layer: no failed login attempts, no lockouts, no alert. The access was granted intentionally, and the application has no reason to question it. The only real signal is a sign-in that happens after the person's departure date, and that signal only exists if someone compares the application's login history with the HR record.
If a former employee walks back in through that door, or if the credentials are compromised after they leave, the access is there waiting.
Industry research finds that 50% of organizations have discovered former employees still accessing SaaS applications months after their departure date. For most of those organizations, the discovery was accidental rather than the result of a deliberate audit.
The Three Platforms Where Access Gets Left Behind
Cloud Storage & Collaboration Tools
Microsoft OneDrive, SharePoint, Google Drive, and Dropbox are where zombie access causes the most immediate exposure. Files may have been shared to a departing employee's personal account. Guest permissions granted for a project may never have been cleaned up. Folders set to "anyone with the link" access need no login at all, so a link still works from a personal device long after the account is gone. Disabling the account or removing the license in Microsoft 365 or Google Workspace when IT processes the offboarding revokes that one identity; the shares to personal accounts, the open links, and the guest entries are separate permissions and go untouched.
Project Management & CRM Platforms
Tools like Monday.com, HubSpot, Salesforce, Asana, and Notion are frequently provisioned by team leads rather than IT, which means the offboarding checklist has no visibility into them. Unless the tool is federated through your identity provider, disabling the corporate account does not disable the app login: a username and password set directly in the app keep working. A former account manager's Salesforce login, or a project manager's Notion workspace containing company strategy documents, can persist for months without anyone noticing.
The Tools IT Didn't Know Existed
This is the most dangerous category. These are the tools employees signed up for using their work email address (a survey platform, an AI writing assistant, a data tool…) that were never formally provisioned by IT and therefore never formally revoked. When the employee leaves, the account sits there attached to a work email address that may now forward to a shared mailbox or an IT catch-all. That mailbox is also where the app will send password-reset emails, so whoever reads it can take the account over; and if the mailbox is simply deleted, the former employee can still sign in with the password they already know.
Running a Zombie Account Audit
Step 1: Build Your SaaS Inventory
Start by pulling the list of applications connected to your identity provider (the enterprise applications and consented third-party apps in Microsoft Entra ID, or third-party app access in the Google Workspace Admin console), if you use one. That list only covers apps that were federated or authorized through it, so cross-reference it with billing and expense records, browser extension installs, and a mailbox search for sign-up confirmation and login-notification emails sent to your domain. For smaller teams without a dedicated identity platform, a 30-minute review of active subscriptions and recent login notifications will surface most of the high-risk tools.
Step 2: Cross-reference Against Your Offboarding List
Take the last 12 months of departures and check each name against your SaaS inventory. For each application ask: does the platform have an admin console, can you see who is still active, and when did each account last sign in? Compare that last sign-in to the departure date. An active account that belongs to someone who has left is a zombie: flag it for immediate revocation and document what you find. A sign-in dated after the departure is not a cleanup item but a security incident; find out who used the account and what they touched before you close it.
Step 3: Revoke, Document, and Set a New Review Cadence
Remove the access, and where the application offers it, also revoke active sessions, API keys, and OAuth tokens tied to the account, since disabling a password alone does not always end a session that is already signed in. Record what was found and when. Then use this audit as a baseline for an offboarding checklist that covers more than the corporate email and laptop. Going forward, put every application that supports it behind your identity provider so that disabling the corporate account disables the app login too, enforce multi-factor authentication on all remaining active accounts, and schedule a SaaS access review every quarter. That cadence turns a one-time cleanup into a repeatable control.
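The cross-reference in Step 2 is a data join, and it is worth scripting so the quarterly review in Step 3 is repeatable. The following is an added example, not code from the original article or from Cleartech Group. It assumes two constructed CSV inputs: an HR departures export with columns name, email and departure_date, and a combined export of active users from each SaaS admin console with columns app, user and last_login, where `user` may be an email address or a display name because consoles differ. All names, addresses and dates are made up. It goes slightly beyond the text by also flagging dormant accounts that are not on the departure list, and by matching shares to personal accounts on the email local part as a low-confidence heuristic.

```python
"""Cross-reference SaaS user exports against an HR departure list.

Added example (not from the original article). Inputs are constructed CSVs:
  departures: name,email,departure_date      (from HR)
  saas users: app,user,last_login            (one row per active account,
                                             merged from each admin console)
"""
import csv
import io
from datetime import date

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample data, not real exports.
DEPARTURES_CSV = """name,email,departure_date
Ana Ruiz,Ana.Ruiz@example.com,2024-03-15
Ben Ito,ben.ito@example.com,2024-01-08
"""

SAAS_USERS_CSV = """app,user,last_login
Salesforce,ana.ruiz@example.com,2024-05-02
Notion,Ana Ruiz,2024-02-20
Asana,ben.ito@example.com,2024-01-07
HubSpot,cara.lee@example.com,2024-05-10
Dropbox,dan.wu@example.com,2023-11-30
Google Drive (external share),ana.ruiz@gmail.com,
"""


def _norm(value: str) -> str:
    """Lower-case and collapse whitespace so 'Ana  Ruiz' and 'ana ruiz' match."""
    return " ".join(value.strip().lower().split())


def load_departures(text: str) -> dict:
    """Index each departure under every identity form an app export may use:
    work email, display name, and the email local part (the last one catches
    shares to personal accounts such as first.last@gmail.com)."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = {"name": row["name"].strip(),
               "email": row["email"].strip().lower(),
               "departed": date.fromisoformat(row["departure_date"])}
        index.setdefault(_norm(rec["email"]), (rec, "email"))
        index.setdefault(_norm(rec["name"]), (rec, "name"))
        index.setdefault(_norm(rec["email"].split("@")[0]), (rec, "local-part"))
    return index


def classify(row: dict, departures: dict, as_of: date, stale_days: int):
    """Return a finding dict for one exported account, or None if it is fine."""
    user = _norm(row["user"])
    last = date.fromisoformat(row["last_login"]) if row["last_login"] else None
    candidates = [user]
    if "@" in user:
        candidates.append(user.split("@")[0])  # personal-account share heuristic
    rec = how = None
    for key in candidates:
        if key in departures:
            rec, how = departures[key]
            break

    if rec:
        if last and last > rec["departed"]:
            # Use after the departure date is an incident, not a cleanup item.
            severity = "CRITICAL"
            why = f"signed in on {last}, after departure on {rec['departed']}"
        else:
            severity = "HIGH"
            why = f"departed on {rec['departed']}, account still active"
        if how == "local-part":
            # Heuristic match only; a person must confirm before revoking.
            severity = "MEDIUM"
            why += " (matched on email local part only, confirm identity)"
        return {"app": row["app"], "user": row["user"], "severity": severity,
                "matched_on": how, "owner": rec["name"], "reason": why}

    if last is None or (as_of - last).days > stale_days:
        # Not a known leaver, but dormant long enough to review: an unreported
        # departure, a finished contractor, or a forgotten shared account.
        return {"app": row["app"], "user": row["user"], "severity": "LOW",
                "matched_on": None, "owner": None,
                "reason": f"no sign-in in the last {stale_days} days"}
    return None


def run_audit(departures_csv: str, saas_csv: str, as_of: date,
              stale_days: int = 90) -> list:
    """Findings list, most severe first, ready for the audit record."""
    departures = load_departures(departures_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(saas_csv)):
        finding = classify(row, departures, as_of, stale_days)
        if finding:
            findings.append(finding)
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable sort
    return findings


if __name__ == "__main__":
    for f in run_audit(DEPARTURES_CSV, SAAS_USERS_CSV, date(2024, 6, 1)):
        print(f"{f['severity']:8} {f['app']:30} {f['user']:28} {f['reason']}")
```

The local-part match is deliberately capped at MEDIUM: "ana.ruiz" is distinctive, but a local part like "john" will collide with unrelated accounts, so treat those rows as leads to confirm rather than items to revoke automatically. The LOW findings are the dormant accounts the departure list does not explain; they are usually where the unreported departures and leftover contractor logins turn up.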
The Bottom Line for Massachusetts Businesses
Zombie accounts cannot be removed if no one is looking for them. Most businesses in Central Massachusetts and Greater Boston that we work with have at least some degree of this exposure, not because of carelessness, but because their offboarding processes were built for a time when most software was managed centrally by IT.
The average business now runs more than 100 SaaS applications. Most offboarding checklists were written when there were three.
Ready to Close the Gaps in Your Offboarding Process?
At Cleartech Group, we help businesses across Massachusetts identify and close access control gaps – including zombie account audits, SaaS offboarding processes, and ongoing access reviews as part of our managed IT services.
Article adapted from Your Tech Updates.