Back to Personas Hub
Personnel AssuranceWorkforce / Risk Subject Lens
Reviewed: 2026-06-24Reviewer: ITMG® Security Advisory

Departing Employee / Leaver

A person leaving the organization who may retain motivation, access, knowledge, or data that creates elevated exposure.

Strategic Lens Significance

This persona matters because trusted access can create impact when access, motivation, opportunity, weak controls, or external influence converge. The goal is to understand the exposure pattern early enough to reduce harm, support fair treatment, and preserve defensible decisions.

Risk Scenarios & Exposure Patterns

1

Download of customer lists or source code before resignation

Operational baseline scenario indicating elevated potential exposure when controls are weak or uncoordinated.

2

Use of personal cloud storage to retain work product

Operational baseline scenario indicating elevated potential exposure when controls are weak or uncoordinated.

3

Delayed deprovisioning after departure

Operational baseline scenario indicating elevated potential exposure when controls are weak or uncoordinated.

Insider Threat Matrix™ Alignment

Explore ITM Matrix
Motive

leaver risk

Means

authorized access and unrevoked access

Preparation

file exploration or staging

Infringement

exfiltration

Anti-forensics

deletion or concealment.

* The Insider Threat Matrix™ is an open framework maintained by Forscie Limited for computer-enabled insider threat investigations.

Legal & Privacy Controls

Use only approved, relevant, and proportionate data sources. Avoid assumptions based on protected characteristics or sensitive personal attributes. Involve Legal, Privacy, HR, and Employee Relations when monitoring, investigation, discipline, evidence preservation, or disclosure obligations may apply.

Programs must evaluate personas based purely on business necessity, authorization scope, and policy guidelines while ensuring employee-relations and data-protection protocols are maintained.

Common Pitfalls to Avoid

  • Treating the persona label as proof of intent or wrongdoing.
  • Overlooking context from HR, role requirements, access approvals, or business exceptions.
  • Relying on one tool or one signal instead of correlated evidence.
  • Waiting until an incident occurs before fixing known access, data, or workflow exposures.

Guidelines & FAQ

Target Assets & Telemetry

Customer dataregulated dataintellectual propertysource codefinancial recordscredentialscollaboration contentstrategic plansoperational systemsfacilitiesdevicesand business process records as applicable.

These represent crown jewels, sensitive logs, or digital workflows requiring proportional protective oversight under approved policies.

Safeguards & Controls Checklist

  • Confirm legitimate business need and appropriate access scope.
  • Use lifecycle controls such as joiner-mover-leaver governance, access review, privileged access management, and timely deprovisioning.
  • Monitor relevant data movement, authentication, repository, endpoint, collaboration, physical-access, and case-management signals within approved policy.
  • Escalate based on evidence, impact, and proportionality rather than assumptions about motive.
  • Coordinate with HR, Legal, Privacy, Security, and business owners when actions may affect employment, privacy, or legal rights.

Recommended Metrics

  • Coverage of relevant high-risk populations and crown-jewel assets.
  • Timeliness of access removal, access review, investigation triage, and containment.
  • Volume and quality of actionable alerts associated with this persona.
  • Evidence completeness and case closure quality.
  • Training completion, policy acknowledgement, and lessons-learned closure for related controls.
View full Metrics Hub

IRCF™ Component Details

Primary Capability:Personnel Assurance
Related Capabilities:
Personnel AssuranceIAMData ProtectionMonitoringInvestigation
Capability Relevance:

Understanding this persona improves the fidelity of indicators, baseline alignments, and workforce protective safeguards.

Ready to Integrate Departing Employee / Leaver Mappings?

Use RiskTKO® or request an ITMG® Guided Exposure Assessment to map this persona to assets, access, safeguards, evidence, and response options.