Learn

Guide

The Hidden Cost of Manual Offboarding: What Happens to SaaS Access When Employees Leave a Google Workspace Company

The Hidden Cost of Manual Offboarding: What Happens to SaaS Access When Employees Leave a Google Workspace Company

The Hidden Cost of Manual Offboarding: What Happens to SaaS Access When Employees Leave a Google Workspace Company

Manual offboarding in Google Workspace leaves SaaS access, app permissions, and billable licenses open after people leave. Here's the real cost, and how to close the gap.

Manual offboarding in Google Workspace leaves SaaS access, app permissions, and billable licenses open after people leave. Here's the real cost, and how to close the gap.

Julien Monguillot

Julien Monguillot

Julien Monguillot

Co-Founder

Co-Founder

Co-Founder

Created:

Created:

Created:

Learn

When an employee leaves your company, the first thing you think about is their laptop and their email. The last thing you think about is the dozen or so SaaS apps they quietly accumulated over the years. The average employee actively uses around a dozen cloud apps, and a typical company now runs on roughly 100 BetterCloud. Manual offboarding in a Google Workspace environment almost always handles the obvious and misses the rest, leaving a trail of active credentials, billable licenses, and open data permissions that nobody is managing. The real cost of this gap goes well beyond security: it is ongoing, measurable, and largely invisible until something goes wrong.

TL;DR

  • Manual offboarding in Google Workspace environments routinely leaves SaaS app access, third-party permissions, and billable licenses untouched after employees depart.

  • Shadow IT makes the problem significantly worse: apps your IT process does not know about cannot be included in any offboarding checklist.

  • The operational cost of manual offboarding averages around five hours per employee, and the security exposure can persist indefinitely.

  • Role-based access control and automated provisioning eliminate most of this risk without requiring a dedicated IT hire.

  • One platform consolidates provisioning, de-provisioning, SaaS spend management, app permissions insights, and shadow IT discovery, eliminating what would otherwise be four separate tools and multiple spreadsheets.

About the Author: ShiftControl was built by operators who personally scaled IT from 100 to over 700 employees across 7 global offices at ExpressVPN. The platform is made for Google Workspace companies navigating exactly these access, spend, and security challenges without a dedicated IT team.

What actually happens to SaaS access when someone leaves?

The honest answer is: usually not enough. Manual offboarding typically begins when HR notifies IT of a departure, and IT works through a checklist to revoke access in each application individually. In practice, that checklist almost never reflects the full surface area of what an employee actually had access to. Fewer than half of companies revoke all of a departing employee’s access within 24 hours of their exit Nudge Security, and the apps no one officially sanctioned are exactly the ones nobody remembers to close.

The sequence breaks down like this:

  • Google Workspace account is suspended or deleted. This revokes access to Gmail, Drive, and core Workspace apps.

  • IT manually revokes access to the apps on their radar, typically the ones provisioned during onboarding.

  • Apps connected via OAuth or installed independently by the employee remain untouched because IT has no visibility into them.

  • Licenses keep billing. Permissions remain open. The data exposure continues.

When offboarding is done correctly, access is removed cleanly, data stays protected, and audits are far less painful. The gap between “done correctly” and “done manually” is what this article is about.

Why is shadow IT management so critical to offboarding?

Shadow IT is the category most likely to turn a routine offboarding into a security incident. A departing employee may have connected dozens of third-party tools to their Google account over their tenure, from productivity apps and AI tools to data connectors and storage integrations, none of which appear in any official software registry.

Effective shadow IT management means discovering these apps before someone leaves, not after. Without that visibility, no offboarding checklist can be complete. What you cannot see, you cannot revoke. And the OAuth permissions those shadow apps hold, read access to Drive, access to contacts, ability to send email on the user’s behalf, do not expire automatically when a Google Workspace account is suspended.

This is where permissions insights become operationally important, not just theoretically. Visibility into which third-party apps have access to Google Workspace data, and what scope of access they hold, is the foundation for any offboarding process that actually closes every door.

What does manual offboarding actually cost in time and money?

Building on the security exposure above, there is a parallel operational cost that rarely gets quantified. IT teams are still spending around five hours per departing employee to find and revoke their cloud and SaaS access. For a company that turns over twenty people a year, that is one hundred hours of IT time on a process that should be automated.

The financial side compounds the time cost:

  • Orphaned licenses: Licenses continue billing for users who no longer work at the company. Without active SaaS license management, those costs accumulate unnoticed until someone pulls the invoices.

  • Audit exposure: Incomplete access records create problems in compliance reviews, particularly for companies working toward SOC 2 alignment or operating under data protection requirements.

  • Incident risk: An ex-employee who still holds active credentials to a CRM, a financial tool, or a communication platform is a live, exploitable gap.

Automated offboarding addresses these costs directly. ServiceNow estimates that automating the process reduces the time it takes by around 70% and the cost per offboard by roughly 73% ServiceNow.

Offboarding Approach

Time per Employee

Shadow App Coverage

Orphaned License Risk

Audit Trail Quality

Fully manual

~5 hours

Typically missed

High

Inconsistent

Partial automation (Workspace only)

2-3 hours

Partially missed

Medium

Incomplete

Full automation with HRIS sync

Minutes

Comprehensive

Low

Complete and timestamped

How does role-based access control change the offboarding equation?

Stepping back from the cost detail, the more fundamental question is why offboarding is so labor-intensive in the first place. In most small businesses, access is granted person-by-person as requests come in, without a structured model for what each role actually needs. The result is a patchwork of permissions that no one has a complete map of.

Role-based access control (RBAC) fixes this at the root. When access is assigned based on role, department, or group rather than individual requests, every employee in the same role has the same set of permissions. When they leave, revoking that role revokes everything associated with it, automatically and completely.

This connects directly to employee lifecycle management software. When your HR system triggers a departure, a properly configured RBAC model turns offboarding from a checklist exercise into a single event that cascades through every connected app simultaneously. Every delay, missed permission, or leftover account in a manual process represents a failure point that RBAC eliminates by design.

What specific risks apply to Google Workspace companies?

A related but distinct question is whether Google Workspace companies face unique offboarding risks compared to companies running other identity stacks. The answer is yes, for two reasons.

First, Google Workspace’s openness is part of its appeal. Employees can connect third-party apps with minimal friction, which accelerates work but also means the OAuth permission surface grows faster than most teams realize. Effective Google Workspace user management requires ongoing visibility into those connections, not just point-in-time reviews.

Second, many small businesses treat Google Workspace as their de facto identity provider without any surrounding infrastructure. When someone leaves, if the only action taken is suspending their Google account, everything that was connected via OAuth but authenticated independently, apps that asked the user to “sign in with Google” but stored their own session tokens, may remain accessible.

Small business IT security in a Google Workspace context requires understanding this distinction. Suspending the account is necessary. It is not sufficient.

Can you fix this without a dedicated IT team?

This is the practical question that founders and operators actually need answered. The traditional response was to hire an IT manager or contract an MSP. A thirty-person company needs structure without overhead, and neither option fits that need well.

The answer in 2026 is that the tooling has caught up. ShiftControl is built for operators, not IT teams, and is made for Google Workspace. It connects to your HRIS (HiBob, BambooHR, Gusto, Deel, and others), syncs with Google Workspace, and handles provisioning and de-provisioning automatically when employee status changes. One platform consolidates provisioning, de-provisioning, SaaS spend management, app permissions insights, and shadow IT discovery, replacing what would otherwise be four separate products and a spreadsheet.

“Without a dedicated IT function, I’ve found it challenging to get a clear view of our company’s digital assets. ShiftControl has been a game-changer for me.” - Brendan Laws, COO, Blackpanda

Setup takes about 10 minutes via a single Google Workspace login. There is no implementation project and no IT hire required.

Frequently Asked Questions

Does suspending a Google Workspace account automatically revoke access to all connected SaaS apps?

No. Suspending the account revokes access to core Google services but does not automatically revoke OAuth permissions granted to third-party apps, or close sessions in apps that store their own authentication tokens. Each connected app must be addressed separately unless you have an automated offboarding system handling it.

How long do orphaned SaaS licenses typically go undetected?

Without active SaaS spend management tools in place, orphaned licenses often remain undetected until a manual invoice review or audit, which may be months or longer after the employee departed. In companies without a dedicated IT function, this gap is frequently the norm rather than the exception.

What is shadow IT and why does it matter for offboarding?

Shadow IT refers to apps and services employees adopt independently, without IT approval or visibility. Because these tools are not on any official registry, they are almost never included in manual offboarding checklists. They are routinely missed in manual offboarding processes, leaving active access and data exposure after departure.

Is automated offboarding realistic for a company without an IT team?

Yes. Modern platforms built for Google Workspace connect to HRIS systems and handle de-provisioning automatically when HR marks an employee as departed. The process requires initial configuration but no ongoing manual intervention, making it practical for founder-led or operator-led businesses.

What is the difference between suspending and deleting a Google Workspace account during offboarding?

Suspending keeps the account and its data intact but blocks the user from signing in. Deleting removes the account permanently. Best practice is to suspend first to preserve data for handover and compliance, then delete after a defined retention period. Either way, connected third-party app access must be handled separately.

How does role-based access control reduce offboarding risk?

When access is tied to a role rather than assigned individually, revoking the role during offboarding revokes all associated permissions in one action. This eliminates the checklist problem where individual app access is forgotten, and ensures complete coverage without manual effort.

What should a complete SaaS offboarding checklist include?

A complete checklist covers: suspension or deletion of the primary identity provider account, revocation of all OAuth and third-party app permissions, transfer of owned files and data, deactivation of all individual SaaS app accounts, reclamation or cancellation of assigned licenses, removal from shared accounts and password vaults, and documentation of actions taken for audit purposes.

About ShiftControl

ShiftControl is an IT operations and SaaS management platform made for Google Workspace. It gives small and growing businesses the access control, SaaS spend visibility, shadow IT management, and security enforcement that were previously only available to companies with large IT teams, without the complexity or cost. Provisioning, de-provisioning, permissions insights, and incident response (via Blackpanda) are all available in a single platform, set up in about 10 minutes through a single Google Workspace login.

ShiftControl is SOC 2 compliant, ISO-aligned, and has signed the CISA Secure by Design Pledge. It was founded by operators who scaled IT at ExpressVPN from 100 to over 700 employees across 7 global offices, and is built on the conviction that security is a basic right for every business, not a luxury reserved for enterprises.

Every employee departure is a test of your access controls. Most companies find out they failed that test months later, when reviewing an invoice or responding to an incident.

See how ShiftControl automates the entire offboarding process for Google Workspace companies, without an IT team and without the complexity.

Visit shiftcontrol.io to learn more or start a free trial.

References

  1. SaaS Offboarding That Eliminates Orphaned Access (www.reco.ai)

  2. Streamlining SaaS onboarding and offboarding | 1Password (1password.com)

  3. The Hidden Costs of Your Offboarding Process (www.cloudeagle.ai)

  4. 2025 Guide to IT Offboarding & SaaS Automation (www.nudgesecurity.com)

  5. The 5 Most Common Offboarding Failures for Remote Teams (www.deel.com)

  6. SaaS: Automate your employee onboarding and offboarding with these proven steps (www.usu.com)

  7. 2025 State of SaaS Report (bettercloud.com)

  8. Employee Offboarding by the Numbers (nudgesecurity.com)

  9. Automating Employee Offboarding (servicenow.com)

Get started

Experience SaaS management as it should be: straightforward management and robust security with ShiftControl.

Get started

Experience SaaS management as it should be: straightforward management and robust security with ShiftControl.