A trusted person is rarely just a user account. They are a bundle of memory, relationships, devices, signatures, informal permissions and workarounds. Removing only the login leaves the bundle intact. Removing everything at once may stop the institution.
Before the meeting
- Name one revocation lead and restrict knowledge to the people required to execute.
- Inventory formal mandates, system roles, devices, keys, shared secrets, delegated mailboxes and recovery contacts.
- List external institutions that recognise the person’s voice or email as authority.
- Identify duties that cannot pause and assign temporary owners.
- Preserve legally required records and relevant activity logs.
Build the revocation sequence
Order actions by consequence and observability. Begin with powers that can move value, destroy evidence or recover other identities. Then close high-sensitivity information access, communications, physical access and ordinary services. Coordinate technical, legal, banking, corporate and physical actions to land inside the same controlled window.
Do not notify a provider before the replacement authority is ready. A frozen relationship with no recognised successor can be worse than a delayed revocation.
During the window
- Issue the formal instruction and record its effective time.
- Revoke sessions, tokens, credentials, recovery methods and delegated authority.
- Rotate shared secrets that cannot be attributed to one user.
- Deliver replacement mandates and verification contacts to institutions.
- Recover assets without turning the process into an argument about personal trust.
After the window
Run a negative test: ask whether the former person could still approve, persuade, recover, enter, receive or infer. Check forwarding rules, archived invitations, vendor portals, emergency lists and staff habits. Tell relevant operators exactly whose instructions are no longer valid and how to verify the replacement.
Continuity ledger
Track each authority as a row: asset or service, old power, revocation evidence, replacement owner, temporary restriction and verification date. Close the event only when operational ownership exists—not when the departing person returns a laptop.
