
The Agency Contractor Access Audit Checklist (Run It in 20 Minutes)

A step-by-step checklist for creative agencies and dev shops to audit contractor tool access, find orphaned seats, and revoke them before they become a liability.


If your agency has cycled through more than five contractors in the last year, at least one of them still has active access to a tool your team uses today. That's not a guess — it's the baseline. This checklist walks you through a 20-minute audit to find orphaned access, map who still has what, and revoke anything that shouldn't be there. No IT team needed.

Why This Matters for Agencies

Creative studios, dev shops, and design agencies run on contractors. Turnover runs 10–30% per year at most shops. Every time a contractor wraps, they keep access to your tools unless someone manually removes it. According to WorkForImpact, 77% of organizations experienced a cybersecurity incident tied to disconnected apps in 2026. For agencies, the risk isn't abstract: it's an ex-contractor who can still read your Notion strategy docs, push to your GitHub repos, or pull client files from Figma long after their last invoice.

The scary version of this story is what happens when a freelancer leaves and nobody checks. This checklist is the fix.

What You're Auditing

Most agencies use some version of this tool stack. Audit all of them — not just the "important" ones. Contractors often slip through on tools that feel low-stakes.

Tool Category   | Common Examples
Design          | Figma, Adobe Creative Cloud
Code + Repos    | GitHub, GitLab, Bitbucket
Hosting + Infra | Vercel, AWS, Netlify, Railway
Project Mgmt    | Linear, Jira, Notion, Asana
Docs + Wiki     | Notion, Confluence, Google Workspace
Comms           | Slack, Discord
Passwords       | 1Password, Bitwarden
Client-facing   | Loom, Miro, Pitch, Webflow

The goal isn't to catalog every seat perfectly — it's to find contractors who should be gone but aren't. Start with the tools that hold the most sensitive material: Figma (client IP), GitHub (source code), Notion (strategy docs), and 1Password (credentials).

Step 1 — Build Your Contractor Roster

Before you can audit access, you need a list of who should and shouldn't have it. Pull from two sources:

Active contractors: Anyone currently on a project or retainer. These people should have access — verify which tools, and make sure it's scoped to what they need.

Past contractors (last 12 months): This is where you'll find the orphans. Pull from your invoicing history (what did you pay out in the last year?), your project management tool (who was assigned to closed projects?), and your email inbox (who were you CCing in client threads?).

Create a simple spreadsheet: Name | Contract end date | Tools they should have had | Tools they definitely should NOT have now.

Don't overthink the format. The point is a single source of truth you can cross-reference in the next steps. Even a rough list of 10–20 names is enough to surface the obvious gaps.

Step 2 — Pull Member Lists Per Tool

Go tool by tool and export or screenshot the full member list. Here's where to find it in the tools agencies use most:

  • Figma: Settings → Members → export member list. Also check individual Team member lists if you run multiple teams.
  • GitHub: Organization → People tab. Check both Members and Outside Collaborators — contractors often land in "Outside Collaborators" and get forgotten.
  • Notion: Settings → Members. Check both Full Members and Guests. Guests keep access to any page that was shared with them individually, even after they are removed from the workspace.
  • Slack: Admin → Members. Check which former members are deactivated rather than just removed from channels: a deactivated account keeps its message history but can't log in, while an account that is still active can also authenticate into connected apps.
  • 1Password: Admin Console → People. Any contractor with Vault access can view credentials even after the project ends.
  • Vercel / Netlify: Team → Members. Check both team-level and project-level members.
  • AWS: IAM → Users. If any contractor got IAM credentials, rotate or delete them.
  • Linear / Jira: Settings → Members. Project-level membership is separate from workspace membership.

Step 3 — Cross-Reference With Your Contractor Roster

Now match. For each person on your past-contractor list, scan your tool member exports and answer: are they still in any of these tools?

The answer will usually be yes for at least two or three tools. The question is whether that's intentional. Mark each as one of:

  • Should have access — currently active on a project, or deliberately retained (e.g., a designer you're bringing back next quarter).
  • Access should be revoked — project wrapped, contract ended, no active relationship.
  • Unclear — you don't remember if they're coming back. This is the most common bucket. Treat it as "revoke and re-invite if needed." It takes 30 seconds to re-add someone; it takes months to fix a data breach.

Flag any name that appears in your tool lists but doesn't appear on your contractor roster at all. These are the ghosts — people who may have been added by a team member directly, bypassing any onboarding process. They warrant immediate attention.

Step 4 — Revoke Orphaned Access

Work through your "should be revoked" list, tool by tool. A few specifics that agencies get wrong:

Figma: Remove from the team AND check that no individual files were shared directly. Figma file-level shares persist even after removing someone from the team.

GitHub: Remove from the org AND revoke any personal access tokens they may have generated. Check under Settings → Developer Settings on the org level for any OAuth apps with broad scopes.

1Password: Don't just remove from the vault — check if they were ever given the Secret Key. If so, rotate affected vault passwords.

Slack: Deactivate the account rather than just removing from channels. Deactivated Slack accounts can't log in; removed members still have their account and may retain access to connected apps.

Google Workspace: Suspend the account immediately — suspended accounts lose access to Docs, Drive, and Gmail but keep their data. Transfer ownership of any files they created.

AWS IAM: Delete the IAM user or, at minimum, rotate all associated keys and revoke any active sessions.

Once you've revoked everything, run a quick second pass on GitHub and Figma specifically — these two tools have the most complex permission models and the most common audit failures.
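Steps 1 through 4 as a single offline cross-reference, added here as an example; this is not code from the article or from Optserv. It assumes the roster is kept in the spreadsheet shape suggested in Step 1 (exported as CSV) and that each tool's member list from Step 2 has been reduced to a set of e-mail addresses. The roster, the exports, every name, e-mail and date, and the "figma:files" label for direct file-level shares are constructed for the example.

```python
"""Cross-reference a contractor roster against per-tool member exports.

Added example for Steps 1 to 4 of the checklist; not code from the original
article or from Optserv. All names, e-mails, tools and dates are constructed.
"""
import csv
import io
from datetime import date

# Step 1 roster as CSV (constructed). returning: yes / no / blank, where blank
# means "unclear" (you don't remember if they're coming back). tools: the tools
# they should have right now, semicolon-separated.
ROSTER_CSV = """email,contract_end,returning,tools
maya@example.com,,yes,figma;slack
tom@example.com,2025-11-30,no,
priya@example.com,2026-01-15,yes,figma
sam@example.com,2025-12-20,,slack
"""

# Step 2 exports (constructed): one set of e-mails per tool member list.
# "figma:files" is an assumed label for direct file-level shares, which Figma
# keeps after someone is removed from the team, so they are audited separately.
EXPORTS = {
    "figma": {"maya@example.com", "tom@example.com", "priya@example.com"},
    "figma:files": {"tom@example.com"},
    "github": {"maya@example.com", "tom@example.com", "lee@example.com"},
    "slack": {"maya@example.com", "sam@example.com"},
    "notion": {"tom@example.com"},
}

AUDIT_DATE = date(2026, 2, 1)  # constructed "today" so the run is deterministic


def parse_roster(csv_text):
    """Return {email: {"end": date or None, "returning": True/False/None, "tools": set}}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        end = date.fromisoformat(row["contract_end"]) if row["contract_end"] else None
        returning = {"yes": True, "no": False}.get(row["returning"].strip().lower())
        tools = {t.strip() for t in row["tools"].split(";") if t.strip()}
        roster[row["email"].strip().lower()] = {"end": end, "returning": returning, "tools": tools}
    return roster


def classify(email, tool, roster, today):
    """Step 3 buckets: keep, revoke, unclear, or ghost (in a tool but not on the roster)."""
    entry = roster.get(email)
    if entry is None:
        return "ghost"
    active = entry["end"] is None or entry["end"] >= today
    if active:
        # Active contractors keep only the tools scoped to their current work.
        return "keep" if tool in entry["tools"] else "revoke"
    if entry["returning"] is True and tool in entry["tools"]:
        return "keep"  # deliberately retained, e.g. coming back next quarter
    if entry["returning"] is None:
        return "unclear"  # the checklist treats this as revoke and re-invite if needed
    return "revoke"


def audit(exports, roster, today):
    """Classify every (email, tool) pair that appears in any export."""
    return {(email, tool): classify(email, tool, roster, today)
            for tool, members in exports.items() for email in members}


def revocation_worklist(results):
    """Step 4 worklist: per tool, who to remove, with the bucket as the reason."""
    worklist = {}
    for (email, tool), bucket in results.items():
        if bucket != "keep":
            worklist.setdefault(tool, []).append((email, bucket))
    return {tool: sorted(rows) for tool, rows in worklist.items()}


def second_pass_tools(results, tools=("github", "figma")):
    """Tools the checklist singles out for a second look, if anything was flagged there."""
    flagged = {tool for (_, tool), bucket in results.items() if bucket != "keep"}
    return [t for t in tools if any(f == t or f.startswith(t + ":") for f in flagged)]


def run_audit():
    """Run the whole cross-reference on the constructed inputs."""
    roster = parse_roster(ROSTER_CSV)
    results = audit(EXPORTS, roster, AUDIT_DATE)
    return results, revocation_worklist(results)


if __name__ == "__main__":
    results, worklist = run_audit()
    for tool, rows in worklist.items():
        for email, bucket in rows:
            print(f"{tool:12} {email:20} {bucket}")
    print("second pass:", ", ".join(second_pass_tools(results)))
```

The worklist deliberately keeps "unclear" and "ghost" as separate reasons rather than folding them into "revoke": both end up being removed, but a ghost (someone in a tool who never appeared on the roster) is the case that points at a missing onboarding step and deserves a look at who added them.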

What to Do After the Audit

An audit done once is better than never, but it's not a system. The access you cleaned up today will drift again in 90 days unless you fix the root cause: no offboarding process.

The minimum viable fix: create a project-close checklist that fires every time a contractor wraps. Four items — (1) final invoice paid, (2) Figma removed, (3) GitHub removed, (4) Slack deactivated. Assign it to whoever runs project management. Run it within 48 hours of contract end.

The better fix is wiring this into a lifecycle tool that tracks who has access to what across your stack, and lets you revoke everything in one flow when a contractor offboards. That's exactly what automated access revocation does at the platform level — and it's the difference between a 20-minute quarterly audit and a zero-minute automated offboarding.

If you want to understand how to build a broader access inventory for your startup or agency (not just for one-off audits), the who-has-access startup audit guide covers the ongoing approach.

Manual Audit vs. Automated Lifecycle Tool

                                | Manual Audit (This Checklist) | Automated Lifecycle Tool
Time to run                     | 20 min quarterly              | Near-zero (automated on offboard)
Coverage                        | Tools you remember to check   | All connected tools
Accuracy                        | Depends on who runs it        | Consistent — fires every time
Works without IT team           | Yes                           | Yes
Handles Figma file-level shares | Manual                        | Depends on integration depth
Cost                            | Free                          | $10–50/mo (e.g., Optserv)
Suitable for                    | Agencies without a system yet | Agencies who've cleaned up and want to stay clean

Run this checklist now to clear the backlog. Then decide if you want to automate ongoing offboarding so you never have to run it again.

FAQ

How often should agencies run a contractor access audit?

Quarterly is a reasonable minimum. If your agency cycles through more than 10 contractors a year, run it monthly or set up automated offboarding so access is revoked at project close instead of three months later.

What if a contractor is on multiple projects — some active, some wrapped?

Scope their access to active projects only. Remove them from tools tied to completed projects, even if they're still working with you. Each project should have its own file structure (Figma projects, GitHub repos, Notion pages) so scoping is possible without cutting off active work.

What's the difference between removing a Slack member and deactivating them?

Removing someone from a channel keeps their account active — they can still log in and see DM history. Deactivating their account prevents login entirely. For former contractors, always deactivate, don't just remove from channels.

Should we notify the contractor when we revoke access?

Only if there's an active relationship or potential for confusion. For contractors who haven't been active for 60+ days, revoke access without notification. If they reach out because they can't access something, that's your confirmation the revocation hit the right target.

Try Optserv

Optserv is the lifecycle + access platform built for agencies and startups with high contractor turnover. When a contractor wraps, one offboarding flow removes them from Figma, GitHub, Slack, Notion, 1Password, and any other connected tool — no manual audit required. Start free at app.optserv.ai/signup.

Sources

  • WorkForImpact, 2026 Disconnected App Security Report — 77% of organizations experienced a cybersecurity incident tied to disconnected or orphaned app access.
  • Figma Help Center — file-level sharing permissions persist independently of team membership.
  • GitHub Docs — Outside Collaborators management in organization settings.
  • Slack Help Center — difference between deactivating and removing members.

Byline: Optserv Team
