Why is AI offboarding different from normal offboarding?

AI tools introduce access paths ordinary checklists miss — personal API keys baked into scripts, shared chatbot accounts, fine-tuned models trained on company data, and chat histories that retain confidential information. Revoking the SSO login alone often leaves several of these wide open.

What is the single most-missed step?

Rotating API keys the person created or knew. A revoked login does nothing if the leaver memorised, copied, or hard-coded a still-valid API key. Any key the individual could have seen should be rotated, not just the ones in their name.

Should I request data deletion from AI providers?

If the leaver pushed company or personal data into a provider (uploaded files, fine-tuning datasets, retained chat history), you may need to request deletion to meet retention and privacy obligations. The checklist flags this when the data access level is internal or sensitive.

Who owns the AI-generated work they produced?

That depends on your contracts, but operationally you should transfer ownership of any AI-generated assets, custom GPTs, prompt libraries, and fine-tuned models into team-owned accounts before the individual loses access — otherwise the work can become orphaned or deleted.

Is my progress saved?

Yes — your ticks are stored locally in your browser so a refresh does not wipe them, and nothing is sent to a server. The checklist is a template; adapt it to your own security and HR policies.

AI Tool Access Revocation Checklist

AI tool access revocation

When someone leaves — an employee, a contractor, an intern — your standard offboarding flow revokes their email and SSO login, but AI tools open access paths that the standard flow rarely covers. A personal API key hard-coded into a script keeps working after the login is gone. A shared ChatGPT account stays logged in. A fine-tuned model trained on company data sits in someone’s personal workspace. This checklist generates a complete AI deprovisioning list tailored to the tools they used, their role, and how sensitive their data access was.

How it works

You select which AI tools the leaver used (chat assistants, coding assistants, API access, custom GPTs or agents, image tools), their role, and their data access level. The tool assembles the relevant steps and orders them by urgency: rotate any API keys they could have seen, remove them from shared and enterprise accounts, transfer ownership of AI-generated assets and fine-tuned models, and — where sensitive data was involved — request data deletion from the providers. Critical steps are flagged, the readiness bar tracks completion, and you can export the whole record for your offboarding ticket.

Tips and notes

Rotate keys, do not just disable logins. A still-valid API key the leaver knew is a live credential regardless of their account status.
Hunt for shared accounts. Team chatbot logins and shared API keys are the most common orphaned-access path after a departure.
Transfer before you revoke. Move custom GPTs, prompt libraries, and fine-tuned models into team ownership while the person can still hand them over.
Document provider deletion requests. If you asked an AI provider to delete data, keep the confirmation for your privacy and audit records.