How to automate employee offboarding

Workspace mailbox suspend with ownership transfer. Slack deactivate on Enterprise Grid. GitHub PAT and SSH key revocation plus deploy key rotation. Okta global token revocation. Microsoft 365 sign-in disable plus mailbox handoff. AWS IAM key deactivate plus MFA detach plus console disable. 1Password vault removal. Bitwarden removal. Notion ownership transfer. Linear issue reassignment. Figma seat reclaim. Plus the embedded payroll deactivation, the equipment recovery ticket, and the parent HRIS update. Fourteen systems on one trigger.

Before the agent revokes, each adapter returns a risk summary describing what the user touched recently. Suspicious activity gates on a human approval before revoke fires. The pattern catches the case where the user is leaving under contentious circumstances and the manager wants the revoke to coincide with a forensic snapshot, not run independent of one.

Rehire fires the same fan-out in reverse. New employment record writes, reactivation queue rows fan out across the same fourteen adapters, and the dashboard streams progress on the same surface. The architecture closes both ends of the loop, which is the part the build-your-own-Slack-bot category cannot replicate without owning the system of record.

Fifteen rows. Fourteen adapters plus the trigger. Each row records the timestamp, actor, target system, action, result, and the risk summary. Hash-chained. SOC 2 evidence packs lift these rows directly. The auditor reads them and signs them.