Operating Guide: Revoke a Trusted Person Without Breaking Operations

Trusted people accumulate credentials, context, relationships and exception power. Remove authority in the right order without stopping the institution.

The answer

A trusted person is rarely just a user account. They are a bundle of memory, relationships, devices, signatures, informal permissions and workarounds. Removing only the login leaves the bundle intact.

A trusted person is rarely just a user account. They are a bundle of memory, relationships, devices, signatures, informal permissions and workarounds. Removing only the login leaves the bundle intact. Removing everything at once may stop the institution.

Before the meeting

- Name one revocation lead and restrict knowledge to the people required to execute.

- Inventory formal mandates, system roles, devices, keys, shared secrets, delegated mailboxes and recovery contacts.

- List external institutions that recognise the person’s voice or email as authority.

- Identify duties that cannot pause and assign temporary owners.

- Preserve legally required records and relevant activity logs.

Build the revocation sequence

Order actions by consequence and observability. Begin with powers that can move value, destroy evidence or recover other identities. Then close high-sensitivity information access, communications, physical access and ordinary services. Coordinate technical, legal, banking, corporate and physical actions to land inside the same controlled window.

Do not notify a provider before the replacement authority is ready. A frozen relationship with no recognised successor can be worse than a delayed revocation.

During the window

- Issue the formal instruction and record its effective time.

- Revoke sessions, tokens, credentials, recovery methods and delegated authority.

- Rotate shared secrets that cannot be attributed to one user.

- Deliver replacement mandates and verification contacts to institutions.

- Recover assets without turning the process into an argument about personal trust.

After the window

Run a negative test: ask whether the former person could still approve, persuade, recover, enter, receive or infer. Check forwarding rules, archived invitations, vendor portals, emergency lists and staff habits. Tell relevant operators exactly whose instructions are no longer valid and how to verify the replacement.

Continuity ledger

Track each authority as a row: asset or service, old power, revocation evidence, replacement owner, temporary restriction and verification date. Close the event only when operational ownership exists—not when the departing person returns a laptop.

Sources

  1. NIST Cybersecurity Framework 2.0NIST Cybersecurity Framework 2.0

    Primary authority

  2. NIST — Digital Identity GuidelinesNIST

    Primary authority

Ross BelhommePartner, Svperior / Legal

Adam J. De Collibus

Adam co-founded Svperior and leads systems engineering from requirements through implementation. His work connects architecture, implementation, deployment, and operating discipline across complex environments where failure must be anticipated and technical capability must remain dependable under pressure.

Systems engineering / Technical architecture / Production operations / Operating resilience

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry