Who Still Has Access After They Quit? Find Out

TL;DR: When someone leaves, you disable their email and collect their laptop, but their logins to cloud storage, project tools, and apps IT never knew about often stay active for months. These zombie accounts are valid credentials with no one watching them. A simple SaaS offboarding audit finds them: build an app inventory, cross-reference recent departures, then revoke access and set a quarterly review.

Someone leaves the company on a Friday. By Monday, their email is disabled and their laptop is back in the pile. What nobody checks is their login to the project tool they signed up for in Q3, the cloud folder they shared with a contractor, or the CRM access left over from two roles ago.

Three months later, those sessions are still live. This is how zombie accounts form, and a weak SaaS offboarding process is almost always the cause. It isn’t negligence. It’s an exit checklist built around company laptops and email, written back when work software meant a handful of apps.

Today, many businesses run dozens, even hundreds, of SaaS tools. Most offboarding checklists never caught up. Closing that gap is one of the most overlooked parts of protecting business data, and it’s a natural fit for proactive managed IT services.

What Is a Zombie Account?

A zombie account is an active login that belongs to someone who no longer works for you. The name is casual. The risk is not. What makes these accounts dangerous is that they’re valid credentials, not a breach.

There’s nothing to detect. The access was granted on purpose, so the system has no reason to question it. If a former employee walks back through that door, or if their old credentials get stolen after they leave, the access is sitting there waiting. That makes solid access control just as important on the way out as it is on the way in.

Which Apps Keep Ex-Employee Access Alive?

Three categories of app are where access almost never gets fully removed: cloud storage, team and CRM platforms, and the tools IT never knew existed. Each one slips through a checklist built only for email and devices.

Cloud storage and collaboration tools. Google Drive, OneDrive, and Dropbox are where zombie access does the most immediate damage. Files get shared with a departing employee’s personal account. Guest permissions from an old project never get cleaned up. Folders set to “anyone with the link” stay bookmarked. Removing the license in your identity provider doesn’t touch any of that.

Project management and CRM platforms. Tools like Asana, Notion, Jira, HubSpot, and Salesforce are often set up by team leads, not IT. That means the offboarding checklist can’t see them. A former rep’s Salesforce login or a manager’s Notion workspace full of strategy documents can sit active for months without anyone noticing.

The tools IT didn’t know existed. This is the most dangerous group. These are apps employees signed up for with their work email: a survey tool, an AI writing assistant, a data tool. They were never formally set up, so they never get formally shut off. Research backs up how big this blind spot is. Grip Security’s 2025 SaaS Security Risks Report found that 90% of the SaaS applications in use across organizations sit outside IT’s management entirely.

Why Are Zombie Accounts So Dangerous?

Zombie accounts are dangerous because they’re invisible, legitimate, and easy to forget. The access looks normal to every security tool you have, so nothing flags it until someone goes looking.

The scale of the problem is striking. Industry research found that 50% of organizations have discovered former employees still getting into SaaS apps months after they left. For most of them, the discovery was an accident, not the result of an audit.

The exposure is real. A former employee with a grudge, or a criminal who buys their reused password, has a quiet way into your data. These accounts also create compliance and cyber insurance problems, since many policies now expect documented offboarding. And a zombie account is often a paid license you’re still funding for no reason.

How Do You Run a Zombie SaaS Audit?

You run a zombie SaaS audit in three steps: build an inventory of your apps, cross-reference it against people who have left, then revoke access and set a review schedule. Even a small team can do a first pass in an afternoon.

Step 1: Build your SaaS inventory. Start with your identity provider, whether that’s Microsoft Entra ID, Google Workspace Admin, or Okta. Pull the list of connected applications, then cross-reference it with billing records, browser extensions, and email login notifications. If you don’t have a dedicated identity platform, a 30-minute review of active subscriptions and recent login alerts will surface most of the high-risk tools.

Step 2: Cross-reference against your departures. Take the last 12 months of people who left and check each name against your app inventory. For each app, ask whether it has an admin console, whether you can see who is still active, and when each account last logged in. Access that is months old and belongs to someone who left is a zombie. Flag it and document it.

Step 3: Revoke, document, and set a cadence. Remove the access and record what you found and when. Then use the audit as the baseline for a real offboarding checklist that covers far more than email and a laptop. Going forward, enforce multi-factor authentication on all remaining accounts and run a SaaS access review every quarter. That cadence turns a one-time cleanup into a repeatable control. Businesses with their own internal team can lean on co-managed IT support to keep it running.
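The cross-reference in Steps 1 to 3 can be scripted once you have exports in hand. The sketch below is an added example, not part of the original article: it assumes a departures list and per-app user exports saved as CSV, and the column names, sample addresses, and function names are all hypothetical. It flags accounts that are still active for people who left within the last 12 months and puts any account with a login dated after the departure first.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports. Column names are assumptions; map them to what
# your HR system and each app's admin console actually produce.
DEPARTURES_CSV = """email,last_day
Dana.Reyes@example.com,2025-03-14
sam.okoro@example.com,2025-06-30
lee.park@example.com,2023-11-01
"""
APP_USERS_CSV = """app,email,status,last_login
Salesforce,dana.reyes@example.com,active,2025-05-02
Notion, sam.okoro@example.com ,active,2025-06-12
Dropbox,sam.okoro@example.com,suspended,2025-06-01
Asana,dana.reyes@example.com,active,
Jira,kim.ito@example.com,active,2025-08-01
HubSpot,lee.park@example.com,active,2023-10-20
"""

def norm(email):
    """Exports disagree on case and padding, so compare normalized addresses."""
    return email.strip().lower()

def load_departures(text, today, window_days=365):
    """Return {email: last_day} for people who left inside the audit window."""
    cutoff = today - timedelta(days=window_days)
    rows = csv.DictReader(io.StringIO(text))
    parsed = ((norm(r["email"]), date.fromisoformat(r["last_day"].strip())) for r in rows)
    return {email: day for email, day in parsed if cutoff <= day <= today}

def find_zombies(app_users_text, departures):
    """Flag still-active accounts owned by departed staff, post-exit logins first."""
    findings = []
    for row in csv.DictReader(io.StringIO(app_users_text)):
        email = norm(row["email"])
        if email not in departures or row["status"].strip().lower() != "active":
            continue
        raw = row["last_login"].strip()
        last_login = date.fromisoformat(raw) if raw else None  # blank = never/unknown
        findings.append({
            "app": row["app"], "email": email, "last_login": last_login,
            # A login dated after the last day means the access was actually used.
            "used_after_exit": last_login is not None and last_login > departures[email],
        })
    return sorted(findings, key=lambda f: (not f["used_after_exit"], f["app"]))

if __name__ == "__main__":
    for f in find_zombies(APP_USERS_CSV, load_departures(DEPARTURES_CSV, date(2025, 9, 1))):
        print("USED AFTER EXIT" if f["used_after_exit"] else "revoke", f["app"], f["email"], f["last_login"])
```

In the sample data the HubSpot account is not flagged only because its owner left before the 12-month window; widen `window_days` on a first-ever audit to catch older departures.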

Making Offboarding a Security Process

Zombie accounts can’t be removed if no one is looking for them. The audit is the starting point, but the lasting fix is treating offboarding as a security process rather than an HR formality.

A few things to hold onto. Disabling email and collecting a laptop is not offboarding. The riskiest access lives in apps IT may never have provisioned. And a quarterly review is what keeps the cleanup from becoming a one-time event. Pairing the audit with least-privilege access and a clear written policy closes most of the gap. If you want a repeatable process behind every exit, a dedicated security strategy makes it stick. To run your first zombie SaaS audit, schedule an intro call with our team.

Frequently Asked Questions

What is a zombie account?

A zombie account is an active login that belongs to someone who no longer works for your company. It usually survives because offboarding only covered email and devices, not every SaaS app the person used. Because the credentials are valid, security tools don’t flag them, which makes them a quiet but real risk.

How do zombie accounts differ from inactive accounts?

A zombie account belongs to someone who has left, so there’s no legitimate reason for the access to exist. An inactive account usually belongs to a current employee who just doesn’t log in often. Both carry risk, but zombie accounts are worse because they belong to someone entirely outside the business.

Where are zombie accounts most common?

They show up most in three places: cloud storage like Google Drive, OneDrive, and Dropbox; team and CRM tools like Salesforce, HubSpot, and Notion; and apps employees signed up for with a work email that IT never knew about. The last group is the hardest to find because no one provisioned it in the first place.

How often should we run a SaaS offboarding audit?

Run a full audit once to establish a baseline, then review SaaS access every quarter. Pair that with an offboarding checklist that covers all apps, not just email and laptops. Our cybersecurity essentials guide explains how this fits into a broader security routine.

Can a former employee really cause damage with old access?

Yes. A former employee, or a criminal who steals their reused password, can quietly reach files, customer data, and internal documents. Beyond the security risk, lingering access can create compliance violations and cyber insurance problems, since many policies now require documented offboarding.

Let’s Run Your First Zombie SaaS Audit

You shouldn’t have to wonder who still has a way into your data after they’ve left. If you’re ready to find the zombie accounts hiding in your SaaS tools and build a process that catches them on every exit, we’re glad to help. Reach out to the Z-JAK team here.