We compared fifteen published checklists. Four things appear in none of them.
Not one of the fifteen — from the HR platforms, the IT vendors, or the big software companies — covers the encryption key escrow, the API keys the person created, the SaaS they signed up for outside your systems, or revoking the live session as distinct from disabling the account. Almost none name a verifier. None set a deadline. This one does all six.
- Every row mirrors. Enrolled an authenticator on day one → remove that authenticator at exit. Escrowed a key → check the key before you wipe the laptop.
- Blocking sign-in is not enough. Disabling an account doesn’t always kill a session that’s already logged in. Even Microsoft’s own offboarding doc leaves this open.
- The credentials the human created. Every checklist deprovisions the person. None deprovisions the API keys and app passwords they minted — and killing the account doesn’t kill the token.
- The shadow-IT sweep. One mailbox search reveals every service they ever signed up for in your company’s name.
- A clock, and a signature. Within an hour / same day / seven days — then a named person proves it worked. No competitor does either.
Built around a real, seven-figure failure
A contractor’s credentials still worked after his engagement ended. He used them three times. Nobody was reading the logs, so nobody noticed. The failure wasn’t sophisticated — it was a checklist nobody ran on the day he left.
Get the checklist
It opens immediately on the next screen — read it online, or save it as a PDF. Nothing gets emailed to you.
