Offboard a vendor without leaving access behind
The contract ended six months ago. Does that agency's login still work? For most teams the honest answer is: nobody knows. Here is how to make offboarding a single action instead of an archaeology project.
Offboarding is not finished when the invoice stops. It is finished when the access stops.
Model the vendor, not just the password, and offboarding becomes one action that cascades: pending requests denied, access closed, audit trail preserved.
The question nobody can answer
Ask any team this: the agency you stopped working with last year, can they still log into your ad account? The answer is almost never a confident no. It is "probably not", or "let me check", or a long silence.
That is not negligence. It is what happens when credentials live in a password manager that has no concept of a vendor. The tool knows about a login. It does not know that the login belonged to a relationship, that the relationship ended, and that three people were given the password along the way.
Model the vendor, not just the password
The fix is structural. If the vendor is a first-class object, with an owner, a criticality, a renewal date, and the credentials that belong to it, then ending the relationship becomes a single action with consequences that cascade automatically.
When you offboard a vendor here:
- The vendor is marked offboarded, not deleted, so the audit trail keeps its anchor.
- Every pending access request against that vendor's credentials is denied automatically, inside the same transaction, so nothing slips through a half-applied state.
- The people who requested access get an email explaining why it was denied, so they are not left confused.
- The audit log survives, so you can still answer "who revealed this, and when" a year later.
The part most tools will not tell you
Revoking access does not un-see a secret. If a contractor revealed the production database password in March, cutting their access in June does not remove it from their memory or their notes. Anyone who implies otherwise is selling you something.
What a good audit trail buys you is precision. Instead of rotating every credential a departing vendor might have touched, which is expensive enough that teams simply do not do it, you look at the log and see exactly which credentials were actually revealed, by whom, and when. Now the rotation list is three items instead of thirty, and it might actually get done.
Better still: have it expire before you get there
The cleanest offboarding is the one that already happened. If access was granted for four hours in the first place, then by the time the contract ends there is nothing to revoke, because it revoked itself months ago.
That is the argument for time-boxed access: offboarding stops being an event you have to remember and becomes the default state of the system.
Common questions
- What does vendor offboarding actually mean?
- Ending the relationship with a supplier and, critically, ending every path they had into your systems. Most teams cancel the contract and stop the invoice, then forget the credentials, the shared logins, and the contractor accounts that still work. Offboarding is not done when the invoice stops. It is done when the access stops.
- Why is the vendor marked offboarded instead of deleted?
- Because the audit log needs the resource to still exist. If you delete the vendor outright, every historical record that references it, who accessed which credential and when, loses its anchor. Marking it offboarded keeps the trail intact while cutting off access, which is what an auditor (and future you) actually needs.
- What happens to pending access requests when I offboard?
- They are denied automatically, inside the same database transaction that marks the vendor offboarded, so there is no window where a request slips through while the offboarding is half-applied. The people who requested access get an email explaining why it was denied.
- Do I still need to rotate the credentials?
- Yes, if anyone ever revealed them. This is the honest bit: once a human has seen a secret, revoking their access does not un-see it. Offboarding stops any further reveals and closes off pending requests, and the audit log tells you exactly which credentials were actually revealed and by whom, so you know precisely which ones need rotating instead of guessing.
Make offboarding one action, not an investigation
Free while we build. No credit card, no sales call.