SaaS security

Dormant external collaborator

An external account — ex-vendor, former contractor, departed partner — that still has access to a SaaS workspace, file, or channel months or years after the work ended.

A dormant external collaborator is an account from outside the organization — a former contractor, an ex-vendor’s project lead, a partner whose deal closed two years ago, a freelancer who delivered and moved on — that still appears as a guest or shared-with identity inside a SaaS workspace. The work that justified the access is over; the access isn’t.

Off-boarding internal employees is now a well-trodden process in most organizations: HR triggers identity provider de-provisioning, SaaS apps de-provision via SCIM, the laptop comes back. Off-boarding external collaborators is rarely automated. Their identity lives in their own employer’s IdP, not yours; you never get a leaver event. The folder, channel, or shared document quietly retains them until someone notices.

Defining properties:

  • Long tail. A workspace that has been running for five years typically has hundreds of external collaborators, of whom 60-80% are dormant by any reasonable definition (90+ days no activity).
  • Account compromise risk inherited. If the dormant collaborator’s own corporate account is breached at their employer, the attacker inherits your data.
  • Audit-finding magnet. SOC 2, ISO 27001, and HDS auditors increasingly ask for evidence of external-access reviews.
  • Cheap to clean up, expensive to ignore. Each removal is one click; the bulk operation just requires knowing who to remove.
  • Often invisible to IAM tools. External guests are typically managed inside each SaaS app, not in the central identity provider — your IAM dashboards do not see them.

The control here is review cadence — quarterly at minimum, ideally continuous. Manual quarterly reviews don’t scale and tend to lapse. Continuously surfacing dormant external collaborators and nudging the owner who invited them is one of the highest-yield uses of SaaS behavior monitoring.
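A sketch of the review described above, added here as an illustration and not taken from any product: it reads a guest export, applies the 90-day dormancy threshold, and groups stale external accounts by the person who invited them. The CSV column names, the internal domain `example.com`, and the sample rows are all constructed assumptions; map them to whatever your SaaS app's guest export actually provides.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

INTERNAL_DOMAINS = {"example.com"}   # assumption: your own tenant domains
DORMANT_AFTER = timedelta(days=90)   # the "90+ days no activity" definition

# Constructed sample export; column names are hypothetical, not a vendor schema.
SAMPLE_EXPORT = """email,invited_by,invited_on,last_activity
ana@vendor.example,lee@example.com,2022-03-01,2022-09-14
raj@partner.example,lee@example.com,2024-11-02,2025-05-20
kim@freelance.example,sam@example.com,2023-06-10,
sam@example.com,,2020-01-05,2025-05-30
joe@agency.example,sam@example.com,2025-04-28,
"""

def dormant_externals(export_csv, today):
    """Return {inviter: [(guest, idle_days), ...]} for dormant external accounts."""
    by_owner = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        domain = row["email"].rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            continue  # internal users are covered by IdP/SCIM off-boarding
        # A guest who never acted has no last_activity: age it from the invite
        # date so unused invitations are caught rather than silently skipped.
        last_seen = date.fromisoformat(row["last_activity"] or row["invited_on"])
        idle = today - last_seen
        if idle >= DORMANT_AFTER:
            owner = row["invited_by"] or "unowned"
            by_owner[owner].append((row["email"], idle.days))
    # Longest-idle first, so each owner sees the stalest access at the top.
    return {o: sorted(g, key=lambda x: -x[1]) for o, g in by_owner.items()}

if __name__ == "__main__":
    report = dormant_externals(SAMPLE_EXPORT, date(2025, 6, 1))
    for owner, guests in report.items():
        print(f"Review request for {owner}:")
        for email, days in guests:
            print(f"  {email}: no activity for {days} days")
```

Guests with no recorded inviter fall into an `unowned` bucket, which is the set a central security team has to review itself because no owner can be nudged.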
