Deprovisioning

Just as important as the notion of provisioning is the idea of deprovisioning: removing identities from the system once they are at the end of their lifecycle. One employee of a company whose identity systems have won some acclaim told me that the company's sophisticated identity management system had ensured he was ready to start work the same day he started. Ironically, two years after he quit, his voicemail still functioned. This company was doing a good job of provisioning, but had fallen down on the deprovisioning task. Leaving a voicemail account active may not be such a big deal, but leaving an employee with access to a sensitive system could be catastrophic.

Failure to properly deprovision an identity can lead to confusion, access to critical data by outsiders, and even fraud or theft. Old accounts, left active long after an employee is gone, are to blame for one of the largest security holes faced by many companies. These are dangerous for two reasons. First, the employee may continue to use company resources after she's quit. More often, however, these accounts represent prime places for hackers to crack into corporate systems, because they are unmonitored and strange activity won't raise any eyebrows.
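The practical counterpart to this discussion is an orphaned-account check: reconcile the authoritative source of people (the HR roster, with termination dates) against the accounts the identity system still has enabled, and escalate any account that was used after its owner left. The following is an added illustration, not code from the book; the roster, the account list, the `owner_id` field, the empty `owner_id` convention for service accounts and the `grace_days` parameter are all assumptions made for the example.

```python
"""Orphaned-account reconciliation: flag accounts that should have been
deprovisioned.  Added illustration, not code from the book; the HR roster
and account directory below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Person:
    employee_id: str
    end_date: Optional[date]  # None while still employed


@dataclass
class Account:
    username: str
    owner_id: str            # employee_id; "" marks a service/shared account (assumption)
    enabled: bool
    last_login: Optional[date]


# Constructed sample data: one HR roster and one account directory.
HR_ROSTER = [
    Person("E100", None),                 # current employee
    Person("E101", date(2022, 3, 31)),    # quit two years ago
    Person("E102", date(2024, 4, 15)),    # left recently
]

ACCOUNTS = [
    Account("alice", "E100", True, date(2024, 5, 1)),
    Account("bob", "E101", True, date(2024, 4, 30)),   # departed, still enabled and used
    Account("bob-vm", "E101", True, None),             # departed, enabled, never used
    Account("carol", "E102", True, None),              # departed within the grace window
    Account("dave", "E999", True, date(2024, 5, 2)),   # no HR record at all
    Account("svc-backup", "", True, date(2024, 5, 2)), # service account, out of scope here
    Account("erin", "E101", False, None),              # already disabled, nothing to do
]


def find_orphans(roster: List[Person], accounts: List[Account], today: date,
                 grace_days: int = 0) -> List[Tuple[str, str, str]]:
    """Return (username, reason, severity) for every enabled account whose
    owner has left (or is unknown to HR).  grace_days lets an offboarding
    window elapse before an account counts as an orphan."""
    by_id = {p.employee_id: p for p in roster}
    findings = []
    for a in accounts:
        if not a.enabled or not a.owner_id:
            continue                                  # disabled or service accounts skipped
        owner = by_id.get(a.owner_id)
        if owner is None:
            # An account nobody in HR owns is unaccountable by definition.
            findings.append((a.username, "no-hr-record", "high"))
            continue
        if owner.end_date is None:
            continue                                  # owner still employed
        if today - owner.end_date < timedelta(days=grace_days):
            continue                                  # still inside the offboarding window
        used_after_exit = a.last_login is not None and a.last_login > owner.end_date
        # Activity after termination is the case the text warns about: someone,
        # the ex-employee or an intruder, is using an account nobody is watching.
        if used_after_exit:
            findings.append((a.username, "login-after-termination", "critical"))
        else:
            findings.append((a.username, "active-after-termination", "high"))
    return findings


def accounts_to_disable(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Usernames a deprovisioning job would disable (sorted for stable output)."""
    return sorted(username for username, _reason, _sev in findings)


if __name__ == "__main__":
    for username, reason, severity in find_orphans(HR_ROSTER, ACCOUNTS, date(2024, 5, 3)):
        print(f"{severity:8} {username:12} {reason}")
```

Running it on the sample data reports `bob` as critical (a login after the termination date), `bob-vm`, `carol` and `dave` as high, and ignores the service account and the already-disabled account; raising `grace_days` to 30 drops `carol`, who left only 18 days earlier. In a real deployment the roster comes from the HR system of record and the account list from each directory or application, and the findings feed a ticket or an automatic disable rather than a print statement.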
