Employee Offboarding Checklist

Departure Intake

    People ops records the last working day and whether the departure is voluntary, involuntary, or end-of-contract. Involuntary terminations skip the standard two-week wind-down — access is cut on the termination date, not at end of business.

    Engineers with prod AWS console, kubectl, or DB write access need a tighter offboarding path — break-glass credential rotation, IAM role review, and SOC 2 access-review evidence. Mark the level so downstream steps branch correctly.

    Send the manager the offboarding run link so they can drive knowledge transfer. For involuntary terminations, loop in HR and Legal before any team-wide announcement.

Knowledge Transfer

    Bulk-reassign in-flight tickets to the tech lead or named owners. Open PRs either get merged, closed, or handed off with a comment naming the new driver. Don't leave a draft PR sitting on a deactivated account — it becomes invisible.

    Remove from CODEOWNERS in every repo where they appear (a quick org-wide grep), update PagerDuty/Opsgenie schedules, and reassign Backstage service ownership. A departing on-call who's still in the rotation is a 3am page nobody answers.

    For any service where this engineer was the primary owner, capture: deploy quirks, known flaky tests, vendor contacts, and the runbook for the most common alerts. Drop into the service's Confluence/Notion page or the repo README.

    Live walkthrough beats written docs for the parts the departing engineer doesn't know they know — local dev quirks, the one customer who always escalates, the vendor whose SDK has an undocumented retry behavior. Record on Loom if the receiver isn't available live.
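For the CODEOWNERS cleanup step in this section, the sketch below is an added example, not tooling from this checklist. It assumes every org repo is checked out under one local directory and uses GitHub's CODEOWNERS locations; the handles and sample file are constructed. It also flags rules where the departing engineer is the only owner, since deleting the handle there leaves the path with no owner at all.

```python
from pathlib import Path

# Locations GitHub checks for CODEOWNERS; the first file found is the one used.
CODEOWNERS_PATHS = (".github/CODEOWNERS", "CODEOWNERS", "docs/CODEOWNERS")

# Constructed sample CODEOWNERS content, not taken from a real repository.
SAMPLE = """\
# Constructed sample CODEOWNERS
*           @acme/platform
/payments/  @jdoe @acme/payments
/infra/     @JDoe  # legacy terraform
/docs/      @asmith
"""


def rules_for(handle, text):
    """Return the rules in a CODEOWNERS file that name `handle` (case-insensitive)."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = []
        for tok in raw.split():
            if tok.startswith("#"):  # full-line or trailing comment
                break
            tokens.append(tok)
        if len(tokens) < 2:
            continue  # blank line, comment, or a pattern that already has no owners
        pattern, owners = tokens[0], [o.lower() for o in tokens[1:]]
        if handle.lower() in owners:
            # sole_owner: removing the handle leaves this path unowned
            findings.append({"line": line_no, "pattern": pattern,
                             "sole_owner": len(owners) == 1})
    return findings


def scan_checkouts(root, handle):
    """Scan each repo directory under `root`; return {repo/path: findings}."""
    report = {}
    for repo in sorted(Path(root).iterdir()):
        for rel in CODEOWNERS_PATHS:
            candidate = repo / rel
            if candidate.is_file():
                hits = rules_for(handle, candidate.read_text())
                if hits:
                    report[f"{repo.name}/{rel}"] = hits
                break  # lower-precedence files are ignored by GitHub
    return report


if __name__ == "__main__":
    for hit in rules_for("@jdoe", SAMPLE):
        print(hit)
```

Rules reported with `sole_owner` set need a replacement owner named in the same change that removes the handle.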

Production Access Rotation

    Any shared secret the engineer could have viewed in 1Password/Vault gets rotated: prod DB passwords, third-party API keys (Stripe, Twilio, SendGrid), webhook signing secrets, break-glass IAM user credentials. Individual SSO sessions don't need rotation — those die with deprovisioning.

    Check that the engineer wasn't the sole assumer of any AWS IAM role or k8s ClusterRoleBinding — orphaned roles are SOC 2 access-review findings. Also remove from any Terraform-defined groups; SSO removal alone won't catch IaC-managed memberships.
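The sole-assumer check above, narrowed to AWS IAM trust policies, as an added example that is not part of this checklist's own tooling. It assumes role data in the shape returned by `aws iam list-roles`; the account ID, user names, and roles are constructed. It only sees principals named directly in a trust policy, so access granted through account-level trust plus identity policies still needs a separate review.

```python
from fnmatch import fnmatchcase

# Constructed sample in the shape of `aws iam list-roles` output ("Roles" array).
ACCT = "arn:aws:iam::111122223333"
SAMPLE_ROLES = [
    {"RoleName": "breakglass-jdoe", "AssumeRolePolicyDocument": {"Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"{ACCT}:user/jdoe"}}}},
    {"RoleName": "deployers", "AssumeRolePolicyDocument": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": [f"{ACCT}:user/jdoe", f"{ACCT}:user/asmith"]}}]}},
    {"RoleName": "eks-node", "AssumeRolePolicyDocument": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "ec2.amazonaws.com"}}]}},
]
ASSUME_ACTIONS = ("sts:assumerole", "sts:assumerolewithsaml",
                  "sts:assumerolewithwebidentity")


def _as_list(value):
    """IAM JSON allows a single item wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Return the set of (type, value) principals allowed to assume the role."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        assumes = any(fnmatchcase(name, pat)  # handles "*", "sts:*", "sts:Assume*"
                      for name in ASSUME_ACTIONS for pat in patterns)
        if stmt.get("Effect") != "Allow" or not assumes:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for ptype, values in principal.items():
            found.update((ptype, v) for v in _as_list(values))
    return found


def review_roles(user_arn, roles):
    """Split roles naming user_arn into orphaned (sole principal) and shared."""
    result = {"orphaned": [], "shared": []}
    for role in roles:
        trusted = trusted_principals(role["AssumeRolePolicyDocument"])
        if ("AWS", user_arn) in trusted:
            key = "orphaned" if len(trusted) == 1 else "shared"
            result[key].append(role["RoleName"])
    return result


if __name__ == "__main__":
    print(review_roles(f"{ACCT}:user/jdoe", SAMPLE_ROLES))
```

Run the check before the IAM user is deleted: after deletion, trust policies show the principal as an opaque unique ID instead of the user ARN, and a match on the ARN no longer finds it.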

Access Revocation

    Suspend the user in Okta/Google Workspace/Azure AD on the last working day. SCIM should propagate to most SaaS apps within 15 minutes — verify in the SSO logs. For apps not behind SCIM (always a few), use the manual list maintained in the offboarding wiki.

    Remove from the GitHub/GitLab org and audit their personal access tokens, SSH keys, and OAuth grants. Transfer ownership of any personal repos containing org code. Check if they authored any GitHub Actions workflows that use a PAT — those need a service account replacement.

    Revoke AWS console + CLI access keys, GCP/Azure equivalents, Datadog, PagerDuty, Sentry, Vercel, Cloudflare, the registry (ECR/Docker Hub), and Terraform Cloud. Each has its own admin path; the offboarding wiki maintains the canonical list.

    Deactivate Slack and remove from any external/shared channels with customers or vendors. Forward email to the manager for 30 days, then auto-respond with a redirect. Don't delete the mailbox — retention policy typically requires 90+ days.

Equipment and Asset Return

    For remote employees, send a prepaid return box (most MDM vendors offer this) before the last day. For in-office, schedule a 15-minute desk handoff with IT. Include peripherals, YubiKeys, and any loaned monitors.

    Trigger remote wipe through Jamf/Kandji/Intune the moment the device checks in. FileVault/BitLocker keys should already be escrowed; if not, you have an incident. Confirm wipe completion in the MDM audit log before reissuing.

    Collect physical badges, parking passes, and hardware security keys (YubiKey, Titan). Deactivate the badge in the access-control system even if it's not physically returned — lost badges are common.

Payroll, Benefits, and Legal

    State law dictates timing — California requires final pay on the termination day for involuntary departures. Include unused PTO per state policy; check the state's specific rules before assuming.

    Federal COBRA notice must be sent within 14 days of the qualifying event. Most PEOs (Gusto, Rippling, Justworks) handle this automatically — verify the notice actually went out, don't assume.

    Pull the signed PIIA/NDA from the HRIS and confirm it covers post-employment obligations. If a separation agreement is being offered, route through Legal before the last day — post-departure signatures are much harder to collect.

Communication and Wrap-Up

    Manager posts the announcement in #engineering and emails any external partners or customers who had a direct relationship. Keep it factual; for involuntary departures, follow the HR-approved language exactly.

    People ops (not the direct manager) runs a 30-minute exit conversation. Standard prompts: what worked, what didn't, why now, would you boomerang. Aggregate themes quarterly — single data points are noise, patterns are signal.

    Update HRIS, the public-facing about page (if applicable), and Backstage component owners. Stale ownership in Backstage is a leading cause of unanswered service questions six months later.

    Vanta/Drata/Secureframe wants the access-revocation evidence linked to the termination event. Auditors sample offboardings during Type II fieldwork — having the run archive plus the access-revocation screenshots in one place saves hours during audit prep.
