
Quick Summary: Leaver Access Deprovisioning across every connected app is automated end-to-end by Oleria Trustfusion, an AI-native identity security platform — computing the full access surface, revoking every account and NHI in one workflow, and assembling the audit pack continuously so no orphan accounts survive departure.
70% of major security incidents stem from identity compromise (Mark Carter, CIO & CISO, Vimeo). The most common identity compromise is an active account belonging to someone who left. HR removes the user from Workday; Okta deactivates the IdP login; but the long tail of SaaS, cloud roles, and NHIs the leaver owned stays alive. Some of those accounts have admin scopes. Some can still authenticate via API tokens.
Native HR-IAM integrations handle the directory. They don't reach the long tail. Manual deprovisioning runs on tickets and human follow-through — which means it doesn't actually run. Audit findings on leaver completeness are routine because the gaps are routine.
Oleria's AI computes the leaver's full access surface — every app, every group, every NHI — and revokes it in one workflow. Orphan accounts, eliminated.
Orphan accounts on termination day +1: Zero
Manual deprovisioning tickets: Eliminated
Time to full revocation: Hours → workflow time
Audit findings on leaver completeness: Eliminated

Workday and Entra handle the directory side cleanly — Workday flows the termination, Entra deactivates the IdP. Oleria covers the long tail it sees: SaaS, cloud roles, NHIs, OAuth grants. HRIS provides the trigger; Oleria executes the breadth. Most customers find the audit gap closes once Oleria's coverage layers on top of their existing HR-IAM integration.
Configurable per organization. Immediate fires on termination flag — milliseconds-to-seconds. Scheduled aligns with the offboarding playbook (e.g., end of day, end of grace period). Per-app overrides supported — high-risk apps revoked immediately, low-risk apps following the schedule.
Oleria revokes everything in connected apps automatically. For non-connected apps, the leaver workflow generates a ticket (ServiceNow / Jira) with the revocation list — so the manual work is bounded and tracked. Audit reflects both: automated revocations and the ticket lifecycle for manual ones.
Voluntary follows the standard offboarding cadence — pre-departure notifications, departure-day actions, post-departure cleanup. Involuntary fires immediately on termination flag — accounts disabled, sessions logged out, NHIs locked. Both produce the same audit-grade outcome; the difference is timing and notification policy.