runbookify

Access Revocation Coordinator: Nothing Stays Open After Someone Leaves

Turn a departing employee's access list into a timed revocation plan — immediate lockout for involuntary exits, end-of-day for the rest — with a security owner confirming each account closed and a defensible audit record at the end.

Intermediate · A weekend · Builds on Next.js, Supabase, Resend
What you'll build

A web tool where you load a departing employee's access list and effective revocation time, AI generates a revocation task per system with target times, owners are notified, each revocation is confirmed done, leftover or shared access is flagged, and the tool produces an audited 'access fully removed' record plus a CSV for your security log.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • A per-employee access list (from onboarding or an exported access registry)
  • Owner contacts per system
  • Claude Code or any AI coding agent

The problem this kills

When someone leaves, the security-critical question isn't "did we collect their laptop" — it's "is every account, license, badge, and mailbox they touched actually closed, on the right day, with proof?" In most companies the answer lives in someone's head and a frantic email thread. IT disables the obvious things — email, the VPN, the HR system — and then a long tail of SaaS logins, a shared service account they knew the password to, a delegated mailbox, a building badge, and a contractor portal quietly stay open for weeks.

For a friendly voluntary exit that's sloppy. For an involuntary termination it's a genuine security incident waiting to happen, and when the auditor or the post-breach investigator asks "prove you removed access promptly," nobody can. You don't need a $50k IGA platform to fix this, and you don't need to be a developer.

What you'll build

A simple internal web tool. You load a departing person's access list — every system, license, badge, and account they hold — along with their effective revocation time and the owner responsible for each system. The tool generates one revocation task per system with a target time, splitting the behavior by exit type: immediate, same-hour lockout for involuntary terminations versus end-of-last-day for voluntary departures. It notifies each system owner, tracks each revocation until the owner confirms it's done, and flags anything risky — shared accounts, service accounts, delegated mailboxes, or access nobody has confirmed by its deadline. When every task is confirmed, it stamps an audited "access fully removed" record and exports a clean CSV for your security log.

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — how offboarding works today and who does it, where your access registry comes from, exactly how systems and owners are named, your typical and peak departure volumes, your real rules for immediate-vs-end-of-day revocation, and your messy edge cases (shared logins, service accounts, mailboxes that get delegated, contractor access) — and then it tailors the data model, the timing rules, and every later step to your answers. This is not a generic template; the agent reads a short spec back to you and waits for your thumbs-up before building anything. From there it walks the agent through loading the access list, generating timed revocation tasks, notifying owners, the confirm-each-revocation flow, the immediate approve-and-execute gate for involuntary exits, the leftover-access flagging, and the audited final record — each step with a ready-to-copy prompt. There's also a fallback so you can build and use the whole thing today even with no integration to your identity systems.

The governance it includes (this is the point)

This is security-critical tooling, so it ships with the controls a security and compliance team needs:

  • Login, so only your team can use it.
  • Row-level security, so you only ever see your own organization's departures.
  • A complete audit trail of who generated, notified, confirmed, and closed each revocation, and when.
  • A hard human-in-the-loop gate: immediate lockouts for involuntary terminations require an explicit approve-and-execute step with a logged reason.
  • Duplicate guards keyed on employee ID + system, so the same revocation can't be created or confirmed twice.

Shared and service accounts and delegated mailboxes are flagged rather than silently checked off, because those are exactly where access quietly survives a departure.
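The timing split, duplicate guard, approval gate and flagging described in the two sections above, as an added TypeScript example that is not code from the runbookify plan. The record shapes, the 18:00 UTC end-of-last-day rule and the function names are assumptions; the plan derives your own rules from the interview step.

```typescript
// Added example, not code from the runbookify plan: planning logic for timed revocation tasks.
// The 18:00 UTC end-of-day rule and the record shapes are assumptions, not the plan's own schema.
type ExitType = "voluntary" | "involuntary";
type AccountKind = "personal" | "shared" | "service" | "delegated_mailbox";
interface AccessEntry { system: string; owner: string; kind: AccountKind; }
interface RevocationTask {
  key: string;               // employeeId + system: the duplicate guard
  system: string;
  owner: string;
  targetTime: Date;
  requiresApproval: boolean; // human-in-the-loop gate: involuntary exits need approve-and-execute
  flagged: boolean;          // shared/service/delegated: must be reviewed, never auto-checked off
  confirmedAt?: Date;
}
// Involuntary: lock out at the effective time. Voluntary: end of the last day (assumed 18:00 UTC),
// or the effective time itself if that is already later in the day.
function targetFor(exitType: ExitType, effective: Date): Date {
  if (exitType === "involuntary") return new Date(effective.getTime());
  const endOfDay = new Date(effective.getTime());
  endOfDay.setUTCHours(18, 0, 0, 0);
  return endOfDay.getTime() < effective.getTime() ? new Date(effective.getTime()) : endOfDay;
}
function planRevocations(employeeId: string, exitType: ExitType, effective: Date, access: AccessEntry[]): RevocationTask[] {
  const seen = new Set<string>();
  const tasks: RevocationTask[] = [];
  for (const a of access) {
    const key = `${employeeId}:${a.system.trim().toLowerCase()}`;
    if (seen.has(key)) continue; // duplicate guard: one task per employee + system
    seen.add(key);
    tasks.push({
      key, system: a.system, owner: a.owner,
      targetTime: targetFor(exitType, effective),
      requiresApproval: exitType === "involuntary",
      flagged: a.kind !== "personal",
    });
  }
  return tasks;
}
// Owner confirmation: refuses a second confirmation and refuses flagged accounts without explicit review.
function confirmRevocation(task: RevocationTask, at: Date, reviewed = false): RevocationTask {
  if (task.confirmedAt) throw new Error(`already confirmed: ${task.key}`);
  if (task.flagged && !reviewed) throw new Error(`needs explicit review: ${task.key}`);
  return { ...task, confirmedAt: at };
}
// Leftover access: anything still unconfirmed after its target time.
function overdue(tasks: RevocationTask[], now: Date): RevocationTask[] {
  return tasks.filter(t => !t.confirmedAt && t.targetTime.getTime() < now.getTime());
}
```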

Who it's for

HR partners, IT security, and ops leads who own offboarding and need a defensible record that access was removed promptly — especially for involuntary exits, audits, and anything that might end up in front of a regulator or an incident review. If you can describe how your team decides what to shut off and when, you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll watch your first timed revocation plan generate the same afternoon.
