Engineer Offboarding Checklist

HR confirms the termination category and the precise cutoff timestamp for access revocation. Voluntary departures usually allow a transition runway; involuntary terminations and layoffs require simultaneous access lockdown the moment the meeting starts. Get this in writing before notifying anyone else.

Pull CODEOWNERS, PagerDuty schedules, and service catalog (Backstage or equivalent) to find services where the departing engineer is the sole or primary owner. These are the gaps you'll need to fill before the cutoff — sole-owner services with no documented runbook are the most common offboarding failure.

For involuntary terminations, IT must disable SSO at the exact moment the manager begins the notification meeting — not before (tips off the employee) and not after (window for data exfiltration). Establish a Slack DM between the manager and IT lead with a one-word trigger.

Loop in the direct manager, the engineer's tech lead, and any cross-functional partner (PM, designer) on a need-to-know basis. Do not announce in #engineering or any team channel until the offboarding meeting has happened.

Suspend the user in Okta, Google Workspace, or Azure AD — this cascades to most downstream SaaS via SCIM. Do not delete the account; suspend it so audit history and Slack message attribution remain intact for at least 90 days.

Remove from the GitHub org, revoke any personal access tokens issued under their account, and check for SSH keys registered against shared service accounts. Also remove from any outside-collaborator repos and forks of internal code.

Delete the IAM user (or remove from the SSO permission set), deactivate any access keys, and remove from any GCP/Azure projects. Search CloudTrail for AssumeRole activity in the last 30 days to spot any cross-account roles you might miss.

Remove from every escalation policy and on-call schedule, not just the primary one. Replace with a named backup on each rotation; never leave a schedule with a gap. Confirm next-week's schedule is covered before disabling the user.

Remove from the VPN user directory, revoke SSH CA certificates, and remove from kubeconfig RBAC bindings. If you use Teleport or Boundary, expire active sessions explicitly — SSO suspension alone won't kick existing connections.

Rotate any shared API keys, database passwords, or service-account tokens the engineer had visibility into — Vault, AWS Secrets Manager, 1Password shared vaults. Per SOC 2, document which secrets were rotated and which were intentionally not (and why).

For engineers who held production access, pull CloudTrail / GCP audit logs / kubectl audit logs for their session history. Flag any unusual data exports, credential creations, or access to repos outside their normal scope. Required for SOC 2 access-review evidence.

Move all open PRs to a new owner — close-and-reopen if needed so notifications route correctly. Bulk-reassign Jira tickets to the team's tech lead and triage them in the next sprint planning rather than leaving them assigned to a deactivated user.

Search every repo for the engineer's GitHub handle in CODEOWNERS files and replace with the new owner or team alias. Do not leave a deactivated user as a code owner — branch protection rules will require their review on every PR and silently block merges.

For each service the engineer owned, walk the new owner through the runbook, recent incidents, and known sharp edges. If the runbook is thin or missing, schedule a recording session before the last day — tribal knowledge is the highest-cost thing to lose.

Service accounts in Datadog, Sentry, npm, PyPI, and DockerHub often live under an individual's email. Transfer ownership to a team-shared account or a new owner. Do not skip — these are the credentials that silently break CI six months after offboarding.

For remote employees, ship a prepaid return box with tracking. Confirm FileVault (macOS) or BitLocker (Windows) was active when the laptop left the user's hands — required for breach-notification safe harbor in most state laws if the device goes missing in transit.

YubiKeys, Titan keys, or company-issued TOTP devices need to come back. If they don't, deregister them from every account they were enrolled with — Okta, GitHub, AWS — rather than relying on the SSO suspension to be enough.

Run the full MDM wipe (Jamf, Kandji, Intune) before reassigning. Confirm the device is unenrolled from the previous user's Apple ID / Microsoft account so it doesn't activation-lock the next person who receives it.

California requires the final paycheck on the day of involuntary termination; most other states allow the next regular payday. Include accrued PTO where state law mandates payout (CA, CO, MA, others). Getting the timing wrong triggers waiting-time penalties.

COBRA election notice must go out within 14 days of the qualifying event for groups of 20+. State mini-COBRA applies to smaller groups. Most companies route this through the benefits broker (Justworks, Rippling, Gusto) — confirm it actually went, don't assume.

Document the last vesting date and the post-termination exercise window for any unexercised options (typically 90 days, but check the plan). Coordinate with Carta/Pulley to update the cap table and notify the 401(k) administrator of the separation.

Mark the employee as terminated in BambooHR/Rippling/Gusto with the correct effective date and reason code (this drives unemployment claims). Upload signed separation agreement and any release-of-claims documents to the personnel file.

Run by HR or a skip-level — never by the direct manager. Cover team dynamics, technical roadblocks, tooling pain points, and what would have made them stay. Anonymize before sharing with engineering leadership; attribution kills candor on the next exit interview.

Roll exit interview themes into the quarterly retention review. Single-data-point feedback rarely changes behavior; patterns across three or four exits do. Track follow-through on any process or staffing changes triggered by the feedback.

Confirm every access-revocation step has a timestamp and approver in the audit log. SOC 2 access reviews will sample terminated users and check that revocation happened within the SLA documented in your control matrix (commonly 24 hours for involuntary, 5 business days for voluntary).